cobaltstrike | f07ce5018cb27bb111a7d4bac222009531b21012a45858e4e1c452f636fbbe18

Analysis

max time kernel
137s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
29/05/2024, 18:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe
Size

5.9MB
MD5

3db46275b9a4fef941af7cb6b33b0085
SHA1

41d7721f5305f2eafa8c67307bea5d8d17877fa0
SHA256

f07ce5018cb27bb111a7d4bac222009531b21012a45858e4e1c452f636fbbe18
SHA512

fac8362c8fb990d4b8080d442331e9db2c0b1757edd84c24bee5c3fcee177ff901411e9124be519f01b524832bc85f17d05347a42de81cb5b4811864f7b926d8
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lU0:Q+856utgpPF8u/70

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000b000000023414-5.dat	cobalt_reflective_dll
behavioral2/files/0x000900000002341d-10.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023422-11.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023423-21.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023428-50.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023427-53.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023426-47.dat	cobalt_reflective_dll
behavioral2/files/0x000800000002341f-60.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002342b-65.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002342c-67.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002342d-78.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023424-40.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023425-35.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002342e-85.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023431-103.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023430-101.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002342f-90.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023387-131.dat	cobalt_reflective_dll
behavioral2/files/0x000d000000023383-129.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002297a-118.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023432-116.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

resource	yara_rule
behavioral2/files/0x000b000000023414-5.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000900000002341d-10.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023422-11.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023423-21.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023428-50.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023427-53.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023426-47.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000800000002341f-60.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002342b-65.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002342c-67.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002342d-78.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023424-40.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023425-35.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002342e-85.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023431-103.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023430-101.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002342f-90.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000b000000023387-131.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000d000000023383-129.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002297a-118.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023432-116.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

resource	yara_rule
behavioral2/memory/4276-0-0x00007FF7B79B0000-0x00007FF7B7D04000-memory.dmp	UPX
behavioral2/files/0x000b000000023414-5.dat	UPX
behavioral2/memory/2576-8-0x00007FF6060B0000-0x00007FF606404000-memory.dmp	UPX
behavioral2/files/0x000900000002341d-10.dat	UPX
behavioral2/files/0x0007000000023422-11.dat	UPX
behavioral2/memory/2776-14-0x00007FF7CBA30000-0x00007FF7CBD84000-memory.dmp	UPX
behavioral2/files/0x0007000000023423-21.dat	UPX
behavioral2/memory/1280-25-0x00007FF7D2E30000-0x00007FF7D3184000-memory.dmp	UPX
behavioral2/memory/756-44-0x00007FF61F3F0000-0x00007FF61F744000-memory.dmp	UPX
behavioral2/memory/1712-42-0x00007FF647840000-0x00007FF647B94000-memory.dmp	UPX
behavioral2/files/0x0007000000023428-50.dat	UPX
behavioral2/memory/1264-51-0x00007FF611CE0000-0x00007FF612034000-memory.dmp	UPX
behavioral2/files/0x0007000000023427-53.dat	UPX
behavioral2/memory/5080-52-0x00007FF7C90F0000-0x00007FF7C9444000-memory.dmp	UPX
behavioral2/files/0x0007000000023426-47.dat	UPX
behavioral2/files/0x000800000002341f-60.dat	UPX
behavioral2/files/0x000700000002342b-65.dat	UPX
behavioral2/files/0x000700000002342c-67.dat	UPX
behavioral2/memory/4024-73-0x00007FF77D4B0000-0x00007FF77D804000-memory.dmp	UPX
behavioral2/files/0x000700000002342d-78.dat	UPX
behavioral2/memory/2068-68-0x00007FF6738D0000-0x00007FF673C24000-memory.dmp	UPX
behavioral2/memory/4416-63-0x00007FF7D8370000-0x00007FF7D86C4000-memory.dmp	UPX
behavioral2/files/0x0007000000023424-40.dat	UPX
behavioral2/memory/1436-37-0x00007FF676340000-0x00007FF676694000-memory.dmp	UPX
behavioral2/files/0x0007000000023425-35.dat	UPX
behavioral2/files/0x000700000002342e-85.dat	UPX
behavioral2/memory/1440-95-0x00007FF706FA0000-0x00007FF7072F4000-memory.dmp	UPX
behavioral2/memory/1696-97-0x00007FF6D7400000-0x00007FF6D7754000-memory.dmp	UPX
behavioral2/files/0x0007000000023431-103.dat	UPX
behavioral2/memory/680-107-0x00007FF60B4C0000-0x00007FF60B814000-memory.dmp	UPX
behavioral2/memory/1280-105-0x00007FF7D2E30000-0x00007FF7D3184000-memory.dmp	UPX
behavioral2/memory/5048-104-0x00007FF73ED10000-0x00007FF73F064000-memory.dmp	UPX
behavioral2/files/0x0007000000023430-101.dat	UPX
behavioral2/memory/1436-98-0x00007FF676340000-0x00007FF676694000-memory.dmp	UPX
behavioral2/memory/1596-92-0x00007FF6FA030000-0x00007FF6FA384000-memory.dmp	UPX
behavioral2/files/0x000700000002342f-90.dat	UPX
behavioral2/memory/4412-83-0x00007FF6245F0000-0x00007FF624944000-memory.dmp	UPX
behavioral2/memory/4276-80-0x00007FF7B79B0000-0x00007FF7B7D04000-memory.dmp	UPX
behavioral2/memory/1440-19-0x00007FF706FA0000-0x00007FF7072F4000-memory.dmp	UPX
behavioral2/memory/4340-124-0x00007FF667D90000-0x00007FF6680E4000-memory.dmp	UPX
behavioral2/memory/5080-126-0x00007FF7C90F0000-0x00007FF7C9444000-memory.dmp	UPX
behavioral2/files/0x000b000000023387-131.dat	UPX
behavioral2/files/0x000d000000023383-129.dat	UPX
behavioral2/memory/1264-125-0x00007FF611CE0000-0x00007FF612034000-memory.dmp	UPX
behavioral2/memory/756-120-0x00007FF61F3F0000-0x00007FF61F744000-memory.dmp	UPX
behavioral2/files/0x000700000002297a-118.dat	UPX
behavioral2/files/0x0007000000023432-116.dat	UPX
behavioral2/memory/3268-114-0x00007FF74CAB0000-0x00007FF74CE04000-memory.dmp	UPX
behavioral2/memory/3924-133-0x00007FF71B7E0000-0x00007FF71BB34000-memory.dmp	UPX
behavioral2/memory/2532-134-0x00007FF680B20000-0x00007FF680E74000-memory.dmp	UPX
behavioral2/memory/2068-135-0x00007FF6738D0000-0x00007FF673C24000-memory.dmp	UPX
behavioral2/memory/4024-136-0x00007FF77D4B0000-0x00007FF77D804000-memory.dmp	UPX
behavioral2/memory/5048-137-0x00007FF73ED10000-0x00007FF73F064000-memory.dmp	UPX
behavioral2/memory/680-138-0x00007FF60B4C0000-0x00007FF60B814000-memory.dmp	UPX
behavioral2/memory/3268-139-0x00007FF74CAB0000-0x00007FF74CE04000-memory.dmp	UPX
behavioral2/memory/3924-140-0x00007FF71B7E0000-0x00007FF71BB34000-memory.dmp	UPX
behavioral2/memory/2576-141-0x00007FF6060B0000-0x00007FF606404000-memory.dmp	UPX
behavioral2/memory/2776-142-0x00007FF7CBA30000-0x00007FF7CBD84000-memory.dmp	UPX
behavioral2/memory/1440-143-0x00007FF706FA0000-0x00007FF7072F4000-memory.dmp	UPX
behavioral2/memory/1280-144-0x00007FF7D2E30000-0x00007FF7D3184000-memory.dmp	UPX
behavioral2/memory/1712-145-0x00007FF647840000-0x00007FF647B94000-memory.dmp	UPX
behavioral2/memory/756-146-0x00007FF61F3F0000-0x00007FF61F744000-memory.dmp	UPX
behavioral2/memory/1436-147-0x00007FF676340000-0x00007FF676694000-memory.dmp	UPX
behavioral2/memory/1264-149-0x00007FF611CE0000-0x00007FF612034000-memory.dmp	UPX

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/4276-0-0x00007FF7B79B0000-0x00007FF7B7D04000-memory.dmp	xmrig
behavioral2/files/0x000b000000023414-5.dat	xmrig
behavioral2/memory/2576-8-0x00007FF6060B0000-0x00007FF606404000-memory.dmp	xmrig
behavioral2/files/0x000900000002341d-10.dat	xmrig
behavioral2/files/0x0007000000023422-11.dat	xmrig
behavioral2/memory/2776-14-0x00007FF7CBA30000-0x00007FF7CBD84000-memory.dmp	xmrig
behavioral2/files/0x0007000000023423-21.dat	xmrig
behavioral2/memory/1280-25-0x00007FF7D2E30000-0x00007FF7D3184000-memory.dmp	xmrig
behavioral2/memory/756-44-0x00007FF61F3F0000-0x00007FF61F744000-memory.dmp	xmrig
behavioral2/memory/1712-42-0x00007FF647840000-0x00007FF647B94000-memory.dmp	xmrig
behavioral2/files/0x0007000000023428-50.dat	xmrig
behavioral2/memory/1264-51-0x00007FF611CE0000-0x00007FF612034000-memory.dmp	xmrig
behavioral2/files/0x0007000000023427-53.dat	xmrig
behavioral2/memory/5080-52-0x00007FF7C90F0000-0x00007FF7C9444000-memory.dmp	xmrig
behavioral2/files/0x0007000000023426-47.dat	xmrig
behavioral2/files/0x000800000002341f-60.dat	xmrig
behavioral2/files/0x000700000002342b-65.dat	xmrig
behavioral2/files/0x000700000002342c-67.dat	xmrig
behavioral2/memory/4024-73-0x00007FF77D4B0000-0x00007FF77D804000-memory.dmp	xmrig
behavioral2/files/0x000700000002342d-78.dat	xmrig
behavioral2/memory/2068-68-0x00007FF6738D0000-0x00007FF673C24000-memory.dmp	xmrig
behavioral2/memory/4416-63-0x00007FF7D8370000-0x00007FF7D86C4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023424-40.dat	xmrig
behavioral2/memory/1436-37-0x00007FF676340000-0x00007FF676694000-memory.dmp	xmrig
behavioral2/files/0x0007000000023425-35.dat	xmrig
behavioral2/files/0x000700000002342e-85.dat	xmrig
behavioral2/memory/1440-95-0x00007FF706FA0000-0x00007FF7072F4000-memory.dmp	xmrig
behavioral2/memory/1696-97-0x00007FF6D7400000-0x00007FF6D7754000-memory.dmp	xmrig
behavioral2/files/0x0007000000023431-103.dat	xmrig
behavioral2/memory/680-107-0x00007FF60B4C0000-0x00007FF60B814000-memory.dmp	xmrig
behavioral2/memory/1280-105-0x00007FF7D2E30000-0x00007FF7D3184000-memory.dmp	xmrig
behavioral2/memory/5048-104-0x00007FF73ED10000-0x00007FF73F064000-memory.dmp	xmrig
behavioral2/files/0x0007000000023430-101.dat	xmrig
behavioral2/memory/1436-98-0x00007FF676340000-0x00007FF676694000-memory.dmp	xmrig
behavioral2/memory/1596-92-0x00007FF6FA030000-0x00007FF6FA384000-memory.dmp	xmrig
behavioral2/files/0x000700000002342f-90.dat	xmrig
behavioral2/memory/4412-83-0x00007FF6245F0000-0x00007FF624944000-memory.dmp	xmrig
behavioral2/memory/4276-80-0x00007FF7B79B0000-0x00007FF7B7D04000-memory.dmp	xmrig
behavioral2/memory/1440-19-0x00007FF706FA0000-0x00007FF7072F4000-memory.dmp	xmrig
behavioral2/memory/4340-124-0x00007FF667D90000-0x00007FF6680E4000-memory.dmp	xmrig
behavioral2/memory/5080-126-0x00007FF7C90F0000-0x00007FF7C9444000-memory.dmp	xmrig
behavioral2/files/0x000b000000023387-131.dat	xmrig
behavioral2/files/0x000d000000023383-129.dat	xmrig
behavioral2/memory/1264-125-0x00007FF611CE0000-0x00007FF612034000-memory.dmp	xmrig
behavioral2/memory/756-120-0x00007FF61F3F0000-0x00007FF61F744000-memory.dmp	xmrig
behavioral2/files/0x000700000002297a-118.dat	xmrig
behavioral2/files/0x0007000000023432-116.dat	xmrig
behavioral2/memory/3268-114-0x00007FF74CAB0000-0x00007FF74CE04000-memory.dmp	xmrig
behavioral2/memory/3924-133-0x00007FF71B7E0000-0x00007FF71BB34000-memory.dmp	xmrig
behavioral2/memory/2532-134-0x00007FF680B20000-0x00007FF680E74000-memory.dmp	xmrig
behavioral2/memory/2068-135-0x00007FF6738D0000-0x00007FF673C24000-memory.dmp	xmrig
behavioral2/memory/4024-136-0x00007FF77D4B0000-0x00007FF77D804000-memory.dmp	xmrig
behavioral2/memory/5048-137-0x00007FF73ED10000-0x00007FF73F064000-memory.dmp	xmrig
behavioral2/memory/680-138-0x00007FF60B4C0000-0x00007FF60B814000-memory.dmp	xmrig
behavioral2/memory/3268-139-0x00007FF74CAB0000-0x00007FF74CE04000-memory.dmp	xmrig
behavioral2/memory/3924-140-0x00007FF71B7E0000-0x00007FF71BB34000-memory.dmp	xmrig
behavioral2/memory/2576-141-0x00007FF6060B0000-0x00007FF606404000-memory.dmp	xmrig
behavioral2/memory/2776-142-0x00007FF7CBA30000-0x00007FF7CBD84000-memory.dmp	xmrig
behavioral2/memory/1440-143-0x00007FF706FA0000-0x00007FF7072F4000-memory.dmp	xmrig
behavioral2/memory/1280-144-0x00007FF7D2E30000-0x00007FF7D3184000-memory.dmp	xmrig
behavioral2/memory/1712-145-0x00007FF647840000-0x00007FF647B94000-memory.dmp	xmrig
behavioral2/memory/756-146-0x00007FF61F3F0000-0x00007FF61F744000-memory.dmp	xmrig
behavioral2/memory/1436-147-0x00007FF676340000-0x00007FF676694000-memory.dmp	xmrig
behavioral2/memory/1264-149-0x00007FF611CE0000-0x00007FF612034000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2576	SkkIHue.exe
2776	DpSqTuj.exe
1440	hnWOTZS.exe
1280	TNWXjeW.exe
1436	oIXNpHG.exe
1712	ZsFFAcK.exe
756	qDLSGxx.exe
1264	yAiRlWY.exe
5080	liQkPTc.exe
4416	ExXddjp.exe
2068	uQYTtrt.exe
4024	OBMUeiM.exe
4412	aAnlkky.exe
1596	gNiYPxu.exe
1696	dVwNNTU.exe
5048	HbYQkLv.exe
680	YZTKkEm.exe
3268	bPhUmUx.exe
4340	SMOThGY.exe
3924	LVHFqoy.exe
2532	PMIiWHB.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4276-0-0x00007FF7B79B0000-0x00007FF7B7D04000-memory.dmp	upx
behavioral2/files/0x000b000000023414-5.dat	upx
behavioral2/memory/2576-8-0x00007FF6060B0000-0x00007FF606404000-memory.dmp	upx
behavioral2/files/0x000900000002341d-10.dat	upx
behavioral2/files/0x0007000000023422-11.dat	upx
behavioral2/memory/2776-14-0x00007FF7CBA30000-0x00007FF7CBD84000-memory.dmp	upx
behavioral2/files/0x0007000000023423-21.dat	upx
behavioral2/memory/1280-25-0x00007FF7D2E30000-0x00007FF7D3184000-memory.dmp	upx
behavioral2/memory/756-44-0x00007FF61F3F0000-0x00007FF61F744000-memory.dmp	upx
behavioral2/memory/1712-42-0x00007FF647840000-0x00007FF647B94000-memory.dmp	upx
behavioral2/files/0x0007000000023428-50.dat	upx
behavioral2/memory/1264-51-0x00007FF611CE0000-0x00007FF612034000-memory.dmp	upx
behavioral2/files/0x0007000000023427-53.dat	upx
behavioral2/memory/5080-52-0x00007FF7C90F0000-0x00007FF7C9444000-memory.dmp	upx
behavioral2/files/0x0007000000023426-47.dat	upx
behavioral2/files/0x000800000002341f-60.dat	upx
behavioral2/files/0x000700000002342b-65.dat	upx
behavioral2/files/0x000700000002342c-67.dat	upx
behavioral2/memory/4024-73-0x00007FF77D4B0000-0x00007FF77D804000-memory.dmp	upx
behavioral2/files/0x000700000002342d-78.dat	upx
behavioral2/memory/2068-68-0x00007FF6738D0000-0x00007FF673C24000-memory.dmp	upx
behavioral2/memory/4416-63-0x00007FF7D8370000-0x00007FF7D86C4000-memory.dmp	upx
behavioral2/files/0x0007000000023424-40.dat	upx
behavioral2/memory/1436-37-0x00007FF676340000-0x00007FF676694000-memory.dmp	upx
behavioral2/files/0x0007000000023425-35.dat	upx
behavioral2/files/0x000700000002342e-85.dat	upx
behavioral2/memory/1440-95-0x00007FF706FA0000-0x00007FF7072F4000-memory.dmp	upx
behavioral2/memory/1696-97-0x00007FF6D7400000-0x00007FF6D7754000-memory.dmp	upx
behavioral2/files/0x0007000000023431-103.dat	upx
behavioral2/memory/680-107-0x00007FF60B4C0000-0x00007FF60B814000-memory.dmp	upx
behavioral2/memory/1280-105-0x00007FF7D2E30000-0x00007FF7D3184000-memory.dmp	upx
behavioral2/memory/5048-104-0x00007FF73ED10000-0x00007FF73F064000-memory.dmp	upx
behavioral2/files/0x0007000000023430-101.dat	upx
behavioral2/memory/1436-98-0x00007FF676340000-0x00007FF676694000-memory.dmp	upx
behavioral2/memory/1596-92-0x00007FF6FA030000-0x00007FF6FA384000-memory.dmp	upx
behavioral2/files/0x000700000002342f-90.dat	upx
behavioral2/memory/4412-83-0x00007FF6245F0000-0x00007FF624944000-memory.dmp	upx
behavioral2/memory/4276-80-0x00007FF7B79B0000-0x00007FF7B7D04000-memory.dmp	upx
behavioral2/memory/1440-19-0x00007FF706FA0000-0x00007FF7072F4000-memory.dmp	upx
behavioral2/memory/4340-124-0x00007FF667D90000-0x00007FF6680E4000-memory.dmp	upx
behavioral2/memory/5080-126-0x00007FF7C90F0000-0x00007FF7C9444000-memory.dmp	upx
behavioral2/files/0x000b000000023387-131.dat	upx
behavioral2/files/0x000d000000023383-129.dat	upx
behavioral2/memory/1264-125-0x00007FF611CE0000-0x00007FF612034000-memory.dmp	upx
behavioral2/memory/756-120-0x00007FF61F3F0000-0x00007FF61F744000-memory.dmp	upx
behavioral2/files/0x000700000002297a-118.dat	upx
behavioral2/files/0x0007000000023432-116.dat	upx
behavioral2/memory/3268-114-0x00007FF74CAB0000-0x00007FF74CE04000-memory.dmp	upx
behavioral2/memory/3924-133-0x00007FF71B7E0000-0x00007FF71BB34000-memory.dmp	upx
behavioral2/memory/2532-134-0x00007FF680B20000-0x00007FF680E74000-memory.dmp	upx
behavioral2/memory/2068-135-0x00007FF6738D0000-0x00007FF673C24000-memory.dmp	upx
behavioral2/memory/4024-136-0x00007FF77D4B0000-0x00007FF77D804000-memory.dmp	upx
behavioral2/memory/5048-137-0x00007FF73ED10000-0x00007FF73F064000-memory.dmp	upx
behavioral2/memory/680-138-0x00007FF60B4C0000-0x00007FF60B814000-memory.dmp	upx
behavioral2/memory/3268-139-0x00007FF74CAB0000-0x00007FF74CE04000-memory.dmp	upx
behavioral2/memory/3924-140-0x00007FF71B7E0000-0x00007FF71BB34000-memory.dmp	upx
behavioral2/memory/2576-141-0x00007FF6060B0000-0x00007FF606404000-memory.dmp	upx
behavioral2/memory/2776-142-0x00007FF7CBA30000-0x00007FF7CBD84000-memory.dmp	upx
behavioral2/memory/1440-143-0x00007FF706FA0000-0x00007FF7072F4000-memory.dmp	upx
behavioral2/memory/1280-144-0x00007FF7D2E30000-0x00007FF7D3184000-memory.dmp	upx
behavioral2/memory/1712-145-0x00007FF647840000-0x00007FF647B94000-memory.dmp	upx
behavioral2/memory/756-146-0x00007FF61F3F0000-0x00007FF61F744000-memory.dmp	upx
behavioral2/memory/1436-147-0x00007FF676340000-0x00007FF676694000-memory.dmp	upx
behavioral2/memory/1264-149-0x00007FF611CE0000-0x00007FF612034000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\YZTKkEm.exe	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\bPhUmUx.exe	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\SMOThGY.exe	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\hnWOTZS.exe	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ZsFFAcK.exe	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\qDLSGxx.exe	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\yAiRlWY.exe	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\OBMUeiM.exe	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\DpSqTuj.exe	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\TNWXjeW.exe	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\liQkPTc.exe	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\HbYQkLv.exe	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\LVHFqoy.exe	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\aAnlkky.exe	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\dVwNNTU.exe	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\PMIiWHB.exe	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\SkkIHue.exe	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\oIXNpHG.exe	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ExXddjp.exe	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\uQYTtrt.exe	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\gNiYPxu.exe	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4276	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	4276	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4276 wrote to memory of 2576	4276	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe	83
PID 4276 wrote to memory of 2576	4276	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe	83
PID 4276 wrote to memory of 2776	4276	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe	84
PID 4276 wrote to memory of 2776	4276	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe	84
PID 4276 wrote to memory of 1440	4276	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe	85
PID 4276 wrote to memory of 1440	4276	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe	85
PID 4276 wrote to memory of 1280	4276	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe	86
PID 4276 wrote to memory of 1280	4276	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe	86
PID 4276 wrote to memory of 1436	4276	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe	87
PID 4276 wrote to memory of 1436	4276	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe	87
PID 4276 wrote to memory of 1712	4276	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe	89
PID 4276 wrote to memory of 1712	4276	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe	89
PID 4276 wrote to memory of 756	4276	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe	90
PID 4276 wrote to memory of 756	4276	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe	90
PID 4276 wrote to memory of 1264	4276	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe	91
PID 4276 wrote to memory of 1264	4276	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe	91
PID 4276 wrote to memory of 5080	4276	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe	92
PID 4276 wrote to memory of 5080	4276	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe	92
PID 4276 wrote to memory of 4416	4276	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe	93
PID 4276 wrote to memory of 4416	4276	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe	93
PID 4276 wrote to memory of 2068	4276	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe	95
PID 4276 wrote to memory of 2068	4276	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe	95
PID 4276 wrote to memory of 4024	4276	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe	96
PID 4276 wrote to memory of 4024	4276	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe	96
PID 4276 wrote to memory of 4412	4276	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe	97
PID 4276 wrote to memory of 4412	4276	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe	97
PID 4276 wrote to memory of 1596	4276	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe	98
PID 4276 wrote to memory of 1596	4276	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe	98
PID 4276 wrote to memory of 1696	4276	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe	101
PID 4276 wrote to memory of 1696	4276	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe	101
PID 4276 wrote to memory of 5048	4276	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe	102
PID 4276 wrote to memory of 5048	4276	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe	102
PID 4276 wrote to memory of 680	4276	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe	103
PID 4276 wrote to memory of 680	4276	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe	103
PID 4276 wrote to memory of 3268	4276	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe	104
PID 4276 wrote to memory of 3268	4276	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe	104
PID 4276 wrote to memory of 4340	4276	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe	105
PID 4276 wrote to memory of 4340	4276	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe	105
PID 4276 wrote to memory of 3924	4276	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe	106
PID 4276 wrote to memory of 3924	4276	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe	106
PID 4276 wrote to memory of 2532	4276	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe	107
PID 4276 wrote to memory of 2532	4276	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe	107

C:\Users\Admin\AppData\Local\Temp\2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4276
- C:\Windows\System\SkkIHue.exe
  C:\Windows\System\SkkIHue.exe
  2⤵
  - Executes dropped EXE
  PID:2576
- C:\Windows\System\DpSqTuj.exe
  C:\Windows\System\DpSqTuj.exe
  2⤵
  - Executes dropped EXE
  PID:2776
- C:\Windows\System\hnWOTZS.exe
  C:\Windows\System\hnWOTZS.exe
  2⤵
  - Executes dropped EXE
  PID:1440
- C:\Windows\System\TNWXjeW.exe
  C:\Windows\System\TNWXjeW.exe
  2⤵
  - Executes dropped EXE
  PID:1280
- C:\Windows\System\oIXNpHG.exe
  C:\Windows\System\oIXNpHG.exe
  2⤵
  - Executes dropped EXE
  PID:1436
- C:\Windows\System\ZsFFAcK.exe
  C:\Windows\System\ZsFFAcK.exe
  2⤵
  - Executes dropped EXE
  PID:1712
- C:\Windows\System\qDLSGxx.exe
  C:\Windows\System\qDLSGxx.exe
  2⤵
  - Executes dropped EXE
  PID:756
- C:\Windows\System\yAiRlWY.exe
  C:\Windows\System\yAiRlWY.exe
  2⤵
  - Executes dropped EXE
  PID:1264
- C:\Windows\System\liQkPTc.exe
  C:\Windows\System\liQkPTc.exe
  2⤵
  - Executes dropped EXE
  PID:5080
- C:\Windows\System\ExXddjp.exe
  C:\Windows\System\ExXddjp.exe
  2⤵
  - Executes dropped EXE
  PID:4416
- C:\Windows\System\uQYTtrt.exe
  C:\Windows\System\uQYTtrt.exe
  2⤵
  - Executes dropped EXE
  PID:2068
- C:\Windows\System\OBMUeiM.exe
  C:\Windows\System\OBMUeiM.exe
  2⤵
  - Executes dropped EXE
  PID:4024
- C:\Windows\System\aAnlkky.exe
  C:\Windows\System\aAnlkky.exe
  2⤵
  - Executes dropped EXE
  PID:4412
- C:\Windows\System\gNiYPxu.exe
  C:\Windows\System\gNiYPxu.exe
  2⤵
  - Executes dropped EXE
  PID:1596
- C:\Windows\System\dVwNNTU.exe
  C:\Windows\System\dVwNNTU.exe
  2⤵
  - Executes dropped EXE
  PID:1696
- C:\Windows\System\HbYQkLv.exe
  C:\Windows\System\HbYQkLv.exe
  2⤵
  - Executes dropped EXE
  PID:5048
- C:\Windows\System\YZTKkEm.exe
  C:\Windows\System\YZTKkEm.exe
  2⤵
  - Executes dropped EXE
  PID:680
- C:\Windows\System\bPhUmUx.exe
  C:\Windows\System\bPhUmUx.exe
  2⤵
  - Executes dropped EXE
  PID:3268
- C:\Windows\System\SMOThGY.exe
  C:\Windows\System\SMOThGY.exe
  2⤵
  - Executes dropped EXE
  PID:4340
- C:\Windows\System\LVHFqoy.exe
  C:\Windows\System\LVHFqoy.exe
  2⤵
  - Executes dropped EXE
  PID:3924
- C:\Windows\System\PMIiWHB.exe
  C:\Windows\System\PMIiWHB.exe
  2⤵
  - Executes dropped EXE
  PID:2532

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\DpSqTuj.exe

Filesize
5.9MB

MD5
e03b59f2c6f4acee5b9f24f1831525f6

SHA1
e8350937b027765fb89844cb53c182cef1240dbd

SHA256
41351afe2a743913355b4be6d8d410654871407b962d2cd8c027d8c7ce13c4f9

SHA512
32f2ee93bf1e8bec4ad6c1a838a150dd50d092e3af55f293526889943838029a88b9c2f2f1191a8d5867199551ab041c4d2c7f0c9011702bf23b40b7af2f86bb

Download Submit
C:\Windows\System\ExXddjp.exe

Filesize
5.9MB

MD5
68c65478bacdcffad925316fb1ab6ae1

SHA1
d2d6bf7ff0c6d29852b368c0a7b4e120b6de6a19

SHA256
e501afa36695258d90cc792da1e94af005fccbd43e4a9b41c094740e39e45012

SHA512
df622500b87cdc6b6fa0625c8814a1556640ea0e058bede6ba834a7414ebebdbdbf4bae6c6c3c39708929f98469329d64252bc50509bc223ecd9dd6c67faaba8

Download Submit
C:\Windows\System\HbYQkLv.exe

Filesize
5.9MB

MD5
677b4fce662032867f5e327b61af5453

SHA1
8194296bd6ef205f4b600cb6c03bbb062055df04

SHA256
e6cbe70bdf2f1d0ff93cbac952d080601c55476f8738f4b0cda8b2e9312aeb9f

SHA512
7e9a589ca941f8f1f670d5bfe5f07fa61f322fd69f4ab9131c1b9bc045d20729679d215cef150ff13005e471481d387d34e811e63f03a40672e2be3634aabfe1

Download Submit
C:\Windows\System\LVHFqoy.exe

Filesize
5.9MB

MD5
017152c4b391bbf80365452dd0d40bdc

SHA1
b2e576ab024ef216913385f3cca5d84da0d100e5

SHA256
4c6c980dc7bc8919031f9ec87a64a9ffb49e1f9a8617f1c0a86b311d471efe28

SHA512
a9e6718817747cb39bc65252f4e4fdae820610dab0bdc5213db1d486858963592c05d744f2097781ae106922c2f1ad4ef853ed11b3e9c2a245fa6d1a4a011fa9

Download Submit
C:\Windows\System\OBMUeiM.exe

Filesize
5.9MB

MD5
639da5cf1e91fd217cdfe1ae276d173a

SHA1
bd68eac24f959f5caf5177e4bdf6f493a95a4f74

SHA256
3d2c4203f7f049bb5f25de38c97e30ad9c9af869ab15e9f3d3e8682f63266e72

SHA512
2611629fb34c373c36768f8768bea2b36d519bc054913d15a10730c13c8d13a29b616568086454e6f442a825a0d9f364f9c7e16ff9d97c0a26ef3921220e3f2f

Download Submit
C:\Windows\System\PMIiWHB.exe

Filesize
5.9MB

MD5
f86b58edba562822d7b2bda05b41af8f

SHA1
ad13ccb3d085b574ce7fc88a3201778c7c169a03

SHA256
4567da3917dc952ff0c4694b6b6d09c0048c5fb0315a15b3cd6cbb1b99e1e1e8

SHA512
23ae011ef7697198df2e1eefafc3024f1279b3b81a81afda95545733485273d19b9b8d2acf62ce15dd60682b0e291af00af9d398e0c52f5b40fe1abee2bdb2fb

Download Submit
C:\Windows\System\SMOThGY.exe

Filesize
5.9MB

MD5
412715d6b9358eced01584411595d301

SHA1
fec8282e008a25d64b24486e22d0c98c2de40129

SHA256
a1eb87de3b4eb2e3289e70c96bf453fee37c52f24c992fde1297e288e4512359

SHA512
a6035bff9c0bf3eb3e1def3bf36aa6c789860ddb8d96eb1a2ea66218b0587906e93c9b6cadbd168f843183bc4f40d50ee6ba5ec7759c3791a12bcad06a22a528

Download Submit
C:\Windows\System\SkkIHue.exe

Filesize
5.9MB

MD5
aeb6d0cd549f95e1458f3e5b7c6cc6c0

SHA1
6f8bb297283e37ce16533a25c7f25a893b894f5a

SHA256
76daeedb71885afc0c4ae1318adca00cff6500f74d9798ba7fcd9c4b56d83306

SHA512
bbe1defa8373efb36d8822a756e17ccefe6b08b8d242cc5999b93afb3de6248b7dbdf685cd293ea0f15989482a8fa35ad6c22da5cf905060ee1502d7a20163d3

Download Submit
C:\Windows\System\TNWXjeW.exe

Filesize
5.9MB

MD5
54312fcdef3d3431ebd9fc4dfb4d8f31

SHA1
72a333bafbb376032ba21ecd7252cd1c1c5b0a29

SHA256
b1563e49ba05b052915d8d7f486b170693bb60dd2fa7c4a0ff483a9db0e67de8

SHA512
c4b41d420d7287d857b8b69ce5bd3312e05fe9fd5c02e5c2398bb224cbf7e960bf810ad95704ada919aaf16abbaa7c1b88d861015745950ecaa83849c44ab2a8

Download Submit
C:\Windows\System\YZTKkEm.exe

Filesize
5.9MB

MD5
8082cff59e452dfd128dfdc874639535

SHA1
0d6811f2291a0dc91b7303a7f51e54b71cea0fb6

SHA256
d05eb03bc46021d4debb21bfb236c34b9e142b15da1c6f1c6ea0ba54e673de89

SHA512
892ab949adc371b9d262d180ddcd394271485ccf9a298419bafbbb192193df0eb6ad1a0f0d95e9a7ebb419d239781bdc50fc4604526831cdab14f9e2ffe7c50f

Download Submit
C:\Windows\System\ZsFFAcK.exe

Filesize
5.9MB

MD5
99814e140931e9f636f1b5c14cfb09b0

SHA1
a1763171a248569bade578ac0192bf017dfeb59a

SHA256
1a35bd095bc46caf00862f5b6025abb4fdd501052ad8bf3db21c9b07c3c1a408

SHA512
57d44f83f4ec8f406317f32d4ef14111925d13836ac4212334538bddddb1070d6b580d32ff7fc0b5c7d921d8e3d8cd71910b40617d22e39213f4ed9c12b4235f

Download Submit
C:\Windows\System\aAnlkky.exe

Filesize
5.9MB

MD5
355a6582a4d7261670f73c3721d07b07

SHA1
c56b4ebc4153b046992e2574d73e3e9e7430e343

SHA256
cc6e10cab601f487d23df6aa253dae2068201b231e47a5edf8df0b2c69c44ebb

SHA512
c612001d54885e3294ba915101751f48e6498041713f56b5472df3646119584f2c81e4483ca69604d26effc59b67e3de66159ce7e7eb2db1a610a61bc0eede3e

Download Submit
C:\Windows\System\bPhUmUx.exe

Filesize
5.9MB

MD5
b160c7416da4d2431d2e0f3ceb7a3b47

SHA1
3c0456089791c8e6ca5d31a44a89baa754280779

SHA256
784a8e19a7862d846089a94e2f4993ce30eace00faffd33ed8448b9733b464f7

SHA512
0710fe3cdd8ab3e29d024c65dbbcbd2860575270dfb144f27702333c234e30082ffe93219ac677977e387e3c17243f4bf888d15880969019161b0a55a57ac074

Download Submit
C:\Windows\System\dVwNNTU.exe

Filesize
5.9MB

MD5
85682d041b7e3a5589947cc76ba809a1

SHA1
47d5b2782c6b7d3fc92abc6c71757c5a332206e9

SHA256
fa9000152dc092ac0380328642a3aa1377b56d3e69b62b2692571393ca867c4f

SHA512
bb8a848317ad28db43f296f47c839c82cfd6a3aac0e71d2db7225ede9ade1ed7d9790a467c811168ff0e4d8eb0617ecd3cd3af43966501812ab96167281aef33

Download Submit
C:\Windows\System\gNiYPxu.exe

Filesize
5.9MB

MD5
c4c314c5f0f5996b483c7b6d6b7e87ae

SHA1
f5843b6cdbf205e5073ff3a4c482a0b7b5d33dfe

SHA256
d8165d0568c9389cf8bb94ca177b8fadd17a8afd755e8caf9f2a36c1a38e300c

SHA512
3855e7147b9d9c896b1c8c4c7b209f163868e27ebb423b4661894693e506b2706d05927aea7bafdcb21db5cea3cb1479ea20ee9a10204b6300583537eb54ccee

Download Submit
C:\Windows\System\hnWOTZS.exe

Filesize
5.9MB

MD5
2485f6f100c7f99189c78468ded57a1b

SHA1
c9b3f97a052bc8d2acd10d5854017f5054032d5e

SHA256
03ce4e2ed92657b6eb87cd69873376c929d9bc755c5ca37852b98de3d4a76602

SHA512
c23bfd516298306b8706081e0d003599fde248900c9c866cee0529e1b1e81ca531066d0b7b2c10a971cb0e2b28d0f010e8e3a2597020470d0c6af5475e9b333f

Download Submit
C:\Windows\System\liQkPTc.exe

Filesize
5.9MB

MD5
39f36a7deff2f9d6634c08404cdbce29

SHA1
9633b5944996c6dd240a92ad69966396528a9738

SHA256
0e6ff3fb98b95dc1e2340b97e6c05ac65cdb5ca4aa03e68782f7847addff346d

SHA512
d9e2a042e26474a3a3c642352e0eb1175432330971785d018fa3a1417242188b9e794f990358a6ebbc8dca7c227582c7227891891ec0aac03432e2007ac9526f

Download Submit
C:\Windows\System\oIXNpHG.exe

Filesize
5.9MB

MD5
db6dea469a4dd0e2289ee9e9d4cf3786

SHA1
a1109420441b44cbf66cdef8cfbc36fa0ebc38c6

SHA256
a23a7ce0a79f604b9d49f54f592162898482cef978eb5a073742344753e6aa90

SHA512
36e335ab7caaf61aa7f3c7ae80d070a557631be65219e792130ba7a2d8dac82139180190a664e06e8648182dd3ac07b200e9426ff12ef0afc746cc562b63e15f

Download Submit
C:\Windows\System\qDLSGxx.exe

Filesize
5.9MB

MD5
eb38893d6f5828dfaf21f6f7915f6dc8

SHA1
de75a032df19249752f2e33e53eca54be163913d

SHA256
ed52c4a73b386a05460f1c2f90ef067987e5aedf81642979f366e88d9aac5c50

SHA512
46a388d66a67471eae3e388d2ca04dec372a583ad3e8ff323c1d2b2805f736ce0622618ddd6ca7eafcc3e22b33cec109bc971644d623658c46874fc6f53770de

Download Submit
C:\Windows\System\uQYTtrt.exe

Filesize
5.9MB

MD5
2a01e283eea9ba80fed7b65ec4d512b9

SHA1
6d500c316c32c381be70335f5ab56d41759f617a

SHA256
e92325865895209a22d69bf1c86ebe33bab24faf9fd4bae1d833bb03f3d40807

SHA512
32820eb0691f998dff109200db407c28d270b1a2740e18deb925c83e7530681e2abc3f92b53e2fae3e3864faf873abdf419ac192d0c4b6b4ddb5b4e56eb07597

Download Submit
C:\Windows\System\yAiRlWY.exe

Filesize
5.9MB

MD5
ad5d68e5efab17b3e6e1d0e342c57745

SHA1
de07616a72748016331e9cfe3891e2c868c724ae

SHA256
5ca57962681bc423f0046cfca55bcf0f0d9838b5e29b6485236c60a19b4200ed

SHA512
2458b4870756c67d1bb5a9c7b61e8ed6b8f067908a8eef1b0907af1f9455da657bafe4e58c1f32938e5901e051feadb04f32e7879cd3eed3ddf0af32d58799cb

Download Submit
memory/680-157-0x00007FF60B4C0000-0x00007FF60B814000-memory.dmp

Filesize
3.3MB

Download
memory/680-138-0x00007FF60B4C0000-0x00007FF60B814000-memory.dmp

Filesize
3.3MB

Download
memory/680-107-0x00007FF60B4C0000-0x00007FF60B814000-memory.dmp

Filesize
3.3MB

Download
memory/756-146-0x00007FF61F3F0000-0x00007FF61F744000-memory.dmp

Filesize
3.3MB

Download
memory/756-44-0x00007FF61F3F0000-0x00007FF61F744000-memory.dmp

Filesize
3.3MB

Download
memory/756-120-0x00007FF61F3F0000-0x00007FF61F744000-memory.dmp

Filesize
3.3MB

Download
memory/1264-51-0x00007FF611CE0000-0x00007FF612034000-memory.dmp

Filesize
3.3MB

Download
memory/1264-125-0x00007FF611CE0000-0x00007FF612034000-memory.dmp

Filesize
3.3MB

Download
memory/1264-149-0x00007FF611CE0000-0x00007FF612034000-memory.dmp

Filesize
3.3MB

Download
memory/1280-144-0x00007FF7D2E30000-0x00007FF7D3184000-memory.dmp

Filesize
3.3MB

Download
memory/1280-25-0x00007FF7D2E30000-0x00007FF7D3184000-memory.dmp

Filesize
3.3MB

Download
memory/1280-105-0x00007FF7D2E30000-0x00007FF7D3184000-memory.dmp

Filesize
3.3MB

Download
memory/1436-98-0x00007FF676340000-0x00007FF676694000-memory.dmp

Filesize
3.3MB

Download
memory/1436-37-0x00007FF676340000-0x00007FF676694000-memory.dmp

Filesize
3.3MB

Download
memory/1436-147-0x00007FF676340000-0x00007FF676694000-memory.dmp

Filesize
3.3MB

Download
memory/1440-143-0x00007FF706FA0000-0x00007FF7072F4000-memory.dmp

Filesize
3.3MB

Download
memory/1440-19-0x00007FF706FA0000-0x00007FF7072F4000-memory.dmp

Filesize
3.3MB

Download
memory/1440-95-0x00007FF706FA0000-0x00007FF7072F4000-memory.dmp

Filesize
3.3MB

Download
memory/1596-92-0x00007FF6FA030000-0x00007FF6FA384000-memory.dmp

Filesize
3.3MB

Download
memory/1596-154-0x00007FF6FA030000-0x00007FF6FA384000-memory.dmp

Filesize
3.3MB

Download
memory/1696-97-0x00007FF6D7400000-0x00007FF6D7754000-memory.dmp

Filesize
3.3MB

Download
memory/1696-155-0x00007FF6D7400000-0x00007FF6D7754000-memory.dmp

Filesize
3.3MB

Download
memory/1712-145-0x00007FF647840000-0x00007FF647B94000-memory.dmp

Filesize
3.3MB

Download
memory/1712-42-0x00007FF647840000-0x00007FF647B94000-memory.dmp

Filesize
3.3MB

Download
memory/2068-68-0x00007FF6738D0000-0x00007FF673C24000-memory.dmp

Filesize
3.3MB

Download
memory/2068-153-0x00007FF6738D0000-0x00007FF673C24000-memory.dmp

Filesize
3.3MB

Download
memory/2068-135-0x00007FF6738D0000-0x00007FF673C24000-memory.dmp

Filesize
3.3MB

Download
memory/2532-161-0x00007FF680B20000-0x00007FF680E74000-memory.dmp

Filesize
3.3MB

Download
memory/2532-134-0x00007FF680B20000-0x00007FF680E74000-memory.dmp

Filesize
3.3MB

Download
memory/2576-8-0x00007FF6060B0000-0x00007FF606404000-memory.dmp

Filesize
3.3MB

Download
memory/2576-141-0x00007FF6060B0000-0x00007FF606404000-memory.dmp

Filesize
3.3MB

Download
memory/2776-142-0x00007FF7CBA30000-0x00007FF7CBD84000-memory.dmp

Filesize
3.3MB

Download
memory/2776-14-0x00007FF7CBA30000-0x00007FF7CBD84000-memory.dmp

Filesize
3.3MB

Download
memory/3268-114-0x00007FF74CAB0000-0x00007FF74CE04000-memory.dmp

Filesize
3.3MB

Download
memory/3268-139-0x00007FF74CAB0000-0x00007FF74CE04000-memory.dmp

Filesize
3.3MB

Download
memory/3268-158-0x00007FF74CAB0000-0x00007FF74CE04000-memory.dmp

Filesize
3.3MB

Download
memory/3924-140-0x00007FF71B7E0000-0x00007FF71BB34000-memory.dmp

Filesize
3.3MB

Download
memory/3924-133-0x00007FF71B7E0000-0x00007FF71BB34000-memory.dmp

Filesize
3.3MB

Download
memory/3924-160-0x00007FF71B7E0000-0x00007FF71BB34000-memory.dmp

Filesize
3.3MB

Download
memory/4024-151-0x00007FF77D4B0000-0x00007FF77D804000-memory.dmp

Filesize
3.3MB

Download
memory/4024-136-0x00007FF77D4B0000-0x00007FF77D804000-memory.dmp

Filesize
3.3MB

Download
memory/4024-73-0x00007FF77D4B0000-0x00007FF77D804000-memory.dmp

Filesize
3.3MB

Download
memory/4276-0-0x00007FF7B79B0000-0x00007FF7B7D04000-memory.dmp

Filesize
3.3MB

Download
memory/4276-80-0x00007FF7B79B0000-0x00007FF7B7D04000-memory.dmp

Filesize
3.3MB

Download
memory/4276-1-0x000002CC2DB40000-0x000002CC2DB50000-memory.dmp

Filesize
64KB

Download
memory/4340-124-0x00007FF667D90000-0x00007FF6680E4000-memory.dmp

Filesize
3.3MB

Download
memory/4340-159-0x00007FF667D90000-0x00007FF6680E4000-memory.dmp

Filesize
3.3MB

Download
memory/4412-83-0x00007FF6245F0000-0x00007FF624944000-memory.dmp

Filesize
3.3MB

Download
memory/4412-152-0x00007FF6245F0000-0x00007FF624944000-memory.dmp

Filesize
3.3MB

Download
memory/4416-63-0x00007FF7D8370000-0x00007FF7D86C4000-memory.dmp

Filesize
3.3MB

Download
memory/4416-150-0x00007FF7D8370000-0x00007FF7D86C4000-memory.dmp

Filesize
3.3MB

Download
memory/5048-156-0x00007FF73ED10000-0x00007FF73F064000-memory.dmp

Filesize
3.3MB

Download
memory/5048-137-0x00007FF73ED10000-0x00007FF73F064000-memory.dmp

Filesize
3.3MB

Download
memory/5048-104-0x00007FF73ED10000-0x00007FF73F064000-memory.dmp

Filesize
3.3MB

Download
memory/5080-148-0x00007FF7C90F0000-0x00007FF7C9444000-memory.dmp

Filesize
3.3MB

Download
memory/5080-52-0x00007FF7C90F0000-0x00007FF7C9444000-memory.dmp

Filesize
3.3MB

Download
memory/5080-126-0x00007FF7C90F0000-0x00007FF7C9444000-memory.dmp

Filesize
3.3MB

Download