cobaltstrike | 36472cc445d6f374fcaf3a3e7666e49900230b14aca1565cfba4c20a914fad93

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
30/05/2024, 21:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe
Size

5.9MB
MD5

e9ae093f07a1e6a52e42414755bcf90d
SHA1

3f18cdf4c26821aa947464b60f6fa9bc7fc33fa6
SHA256

36472cc445d6f374fcaf3a3e7666e49900230b14aca1565cfba4c20a914fad93
SHA512

ad4c309cb5678a79fb0f84f00f605e1c76da572972e44f4a265cf0a707c2c62d0eac1213264a8fd958c0a73b99edd22fffb8cfd08197af9b92b614706d968f81
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lU7:Q+856utgpPF8u/77

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0008000000023406-5.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023408-9.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023407-10.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023409-24.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002340a-29.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002340b-35.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023404-40.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002340c-46.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002340d-55.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002340e-60.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002340f-66.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023412-74.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023411-72.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023413-83.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023414-87.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023417-100.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023419-117.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002341a-122.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023418-114.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023416-105.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023415-103.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023406-5.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023408-9.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023407-10.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023409-24.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002340a-29.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002340b-35.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0008000000023404-40.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002340c-46.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002340d-55.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002340e-60.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002340f-66.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023412-74.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023411-72.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023413-83.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023414-87.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023417-100.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023419-117.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002341a-122.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023418-114.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023416-105.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023415-103.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

resource	yara_rule
behavioral2/memory/4068-0-0x00007FF7BF670000-0x00007FF7BF9C4000-memory.dmp	UPX
behavioral2/files/0x0008000000023406-5.dat	UPX
behavioral2/files/0x0007000000023408-9.dat	UPX
behavioral2/files/0x0007000000023407-10.dat	UPX
behavioral2/memory/3976-16-0x00007FF7F6500000-0x00007FF7F6854000-memory.dmp	UPX
behavioral2/memory/1940-6-0x00007FF6228C0000-0x00007FF622C14000-memory.dmp	UPX
behavioral2/memory/2512-26-0x00007FF6560F0000-0x00007FF656444000-memory.dmp	UPX
behavioral2/files/0x0007000000023409-24.dat	UPX
behavioral2/memory/2488-22-0x00007FF756EB0000-0x00007FF757204000-memory.dmp	UPX
behavioral2/files/0x000700000002340a-29.dat	UPX
behavioral2/memory/4284-31-0x00007FF6BDFD0000-0x00007FF6BE324000-memory.dmp	UPX
behavioral2/files/0x000700000002340b-35.dat	UPX
behavioral2/memory/3448-37-0x00007FF6EE0D0000-0x00007FF6EE424000-memory.dmp	UPX
behavioral2/files/0x0008000000023404-40.dat	UPX
behavioral2/files/0x000700000002340c-46.dat	UPX
behavioral2/memory/1640-47-0x00007FF700D60000-0x00007FF7010B4000-memory.dmp	UPX
behavioral2/files/0x000700000002340d-55.dat	UPX
behavioral2/files/0x000700000002340e-60.dat	UPX
behavioral2/memory/4068-62-0x00007FF7BF670000-0x00007FF7BF9C4000-memory.dmp	UPX
behavioral2/memory/1064-63-0x00007FF650730000-0x00007FF650A84000-memory.dmp	UPX
behavioral2/memory/4204-54-0x00007FF6E83D0000-0x00007FF6E8724000-memory.dmp	UPX
behavioral2/memory/2996-51-0x00007FF69F7F0000-0x00007FF69FB44000-memory.dmp	UPX
behavioral2/files/0x000700000002340f-66.dat	UPX
behavioral2/files/0x0007000000023412-74.dat	UPX
behavioral2/files/0x0007000000023411-72.dat	UPX
behavioral2/files/0x0007000000023413-83.dat	UPX
behavioral2/files/0x0007000000023414-87.dat	UPX
behavioral2/files/0x0007000000023417-100.dat	UPX
behavioral2/files/0x0007000000023419-117.dat	UPX
behavioral2/files/0x000700000002341a-122.dat	UPX
behavioral2/files/0x0007000000023418-114.dat	UPX
behavioral2/files/0x0007000000023416-105.dat	UPX
behavioral2/files/0x0007000000023415-103.dat	UPX
behavioral2/memory/2940-91-0x00007FF6DB5D0000-0x00007FF6DB924000-memory.dmp	UPX
behavioral2/memory/4932-84-0x00007FF7F99D0000-0x00007FF7F9D24000-memory.dmp	UPX
behavioral2/memory/1508-81-0x00007FF72CAA0000-0x00007FF72CDF4000-memory.dmp	UPX
behavioral2/memory/3976-77-0x00007FF7F6500000-0x00007FF7F6854000-memory.dmp	UPX
behavioral2/memory/1944-71-0x00007FF6767B0000-0x00007FF676B04000-memory.dmp	UPX
behavioral2/memory/1940-69-0x00007FF6228C0000-0x00007FF622C14000-memory.dmp	UPX
behavioral2/memory/4040-124-0x00007FF686F30000-0x00007FF687284000-memory.dmp	UPX
behavioral2/memory/4376-125-0x00007FF7D1AC0000-0x00007FF7D1E14000-memory.dmp	UPX
behavioral2/memory/3708-127-0x00007FF621DC0000-0x00007FF622114000-memory.dmp	UPX
behavioral2/memory/3648-126-0x00007FF6465D0000-0x00007FF646924000-memory.dmp	UPX
behavioral2/memory/3528-128-0x00007FF7DD580000-0x00007FF7DD8D4000-memory.dmp	UPX
behavioral2/memory/4652-129-0x00007FF7681B0000-0x00007FF768504000-memory.dmp	UPX
behavioral2/memory/852-130-0x00007FF70F8F0000-0x00007FF70FC44000-memory.dmp	UPX
behavioral2/memory/4284-131-0x00007FF6BDFD0000-0x00007FF6BE324000-memory.dmp	UPX
behavioral2/memory/3448-132-0x00007FF6EE0D0000-0x00007FF6EE424000-memory.dmp	UPX
behavioral2/memory/2996-133-0x00007FF69F7F0000-0x00007FF69FB44000-memory.dmp	UPX
behavioral2/memory/4204-134-0x00007FF6E83D0000-0x00007FF6E8724000-memory.dmp	UPX
behavioral2/memory/1944-135-0x00007FF6767B0000-0x00007FF676B04000-memory.dmp	UPX
behavioral2/memory/4932-136-0x00007FF7F99D0000-0x00007FF7F9D24000-memory.dmp	UPX
behavioral2/memory/1508-137-0x00007FF72CAA0000-0x00007FF72CDF4000-memory.dmp	UPX
behavioral2/memory/2940-138-0x00007FF6DB5D0000-0x00007FF6DB924000-memory.dmp	UPX
behavioral2/memory/1940-139-0x00007FF6228C0000-0x00007FF622C14000-memory.dmp	UPX
behavioral2/memory/3976-141-0x00007FF7F6500000-0x00007FF7F6854000-memory.dmp	UPX
behavioral2/memory/2488-140-0x00007FF756EB0000-0x00007FF757204000-memory.dmp	UPX
behavioral2/memory/2512-142-0x00007FF6560F0000-0x00007FF656444000-memory.dmp	UPX
behavioral2/memory/4284-143-0x00007FF6BDFD0000-0x00007FF6BE324000-memory.dmp	UPX
behavioral2/memory/3448-144-0x00007FF6EE0D0000-0x00007FF6EE424000-memory.dmp	UPX
behavioral2/memory/1640-145-0x00007FF700D60000-0x00007FF7010B4000-memory.dmp	UPX
behavioral2/memory/2996-146-0x00007FF69F7F0000-0x00007FF69FB44000-memory.dmp	UPX
behavioral2/memory/4204-147-0x00007FF6E83D0000-0x00007FF6E8724000-memory.dmp	UPX
behavioral2/memory/1064-148-0x00007FF650730000-0x00007FF650A84000-memory.dmp	UPX

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/4068-0-0x00007FF7BF670000-0x00007FF7BF9C4000-memory.dmp	xmrig
behavioral2/files/0x0008000000023406-5.dat	xmrig
behavioral2/files/0x0007000000023408-9.dat	xmrig
behavioral2/files/0x0007000000023407-10.dat	xmrig
behavioral2/memory/3976-16-0x00007FF7F6500000-0x00007FF7F6854000-memory.dmp	xmrig
behavioral2/memory/1940-6-0x00007FF6228C0000-0x00007FF622C14000-memory.dmp	xmrig
behavioral2/memory/2512-26-0x00007FF6560F0000-0x00007FF656444000-memory.dmp	xmrig
behavioral2/files/0x0007000000023409-24.dat	xmrig
behavioral2/memory/2488-22-0x00007FF756EB0000-0x00007FF757204000-memory.dmp	xmrig
behavioral2/files/0x000700000002340a-29.dat	xmrig
behavioral2/memory/4284-31-0x00007FF6BDFD0000-0x00007FF6BE324000-memory.dmp	xmrig
behavioral2/files/0x000700000002340b-35.dat	xmrig
behavioral2/memory/3448-37-0x00007FF6EE0D0000-0x00007FF6EE424000-memory.dmp	xmrig
behavioral2/files/0x0008000000023404-40.dat	xmrig
behavioral2/files/0x000700000002340c-46.dat	xmrig
behavioral2/memory/1640-47-0x00007FF700D60000-0x00007FF7010B4000-memory.dmp	xmrig
behavioral2/files/0x000700000002340d-55.dat	xmrig
behavioral2/files/0x000700000002340e-60.dat	xmrig
behavioral2/memory/4068-62-0x00007FF7BF670000-0x00007FF7BF9C4000-memory.dmp	xmrig
behavioral2/memory/1064-63-0x00007FF650730000-0x00007FF650A84000-memory.dmp	xmrig
behavioral2/memory/4204-54-0x00007FF6E83D0000-0x00007FF6E8724000-memory.dmp	xmrig
behavioral2/memory/2996-51-0x00007FF69F7F0000-0x00007FF69FB44000-memory.dmp	xmrig
behavioral2/files/0x000700000002340f-66.dat	xmrig
behavioral2/files/0x0007000000023412-74.dat	xmrig
behavioral2/files/0x0007000000023411-72.dat	xmrig
behavioral2/files/0x0007000000023413-83.dat	xmrig
behavioral2/files/0x0007000000023414-87.dat	xmrig
behavioral2/files/0x0007000000023417-100.dat	xmrig
behavioral2/files/0x0007000000023419-117.dat	xmrig
behavioral2/files/0x000700000002341a-122.dat	xmrig
behavioral2/files/0x0007000000023418-114.dat	xmrig
behavioral2/files/0x0007000000023416-105.dat	xmrig
behavioral2/files/0x0007000000023415-103.dat	xmrig
behavioral2/memory/2940-91-0x00007FF6DB5D0000-0x00007FF6DB924000-memory.dmp	xmrig
behavioral2/memory/4932-84-0x00007FF7F99D0000-0x00007FF7F9D24000-memory.dmp	xmrig
behavioral2/memory/1508-81-0x00007FF72CAA0000-0x00007FF72CDF4000-memory.dmp	xmrig
behavioral2/memory/3976-77-0x00007FF7F6500000-0x00007FF7F6854000-memory.dmp	xmrig
behavioral2/memory/1944-71-0x00007FF6767B0000-0x00007FF676B04000-memory.dmp	xmrig
behavioral2/memory/1940-69-0x00007FF6228C0000-0x00007FF622C14000-memory.dmp	xmrig
behavioral2/memory/4040-124-0x00007FF686F30000-0x00007FF687284000-memory.dmp	xmrig
behavioral2/memory/4376-125-0x00007FF7D1AC0000-0x00007FF7D1E14000-memory.dmp	xmrig
behavioral2/memory/3708-127-0x00007FF621DC0000-0x00007FF622114000-memory.dmp	xmrig
behavioral2/memory/3648-126-0x00007FF6465D0000-0x00007FF646924000-memory.dmp	xmrig
behavioral2/memory/3528-128-0x00007FF7DD580000-0x00007FF7DD8D4000-memory.dmp	xmrig
behavioral2/memory/4652-129-0x00007FF7681B0000-0x00007FF768504000-memory.dmp	xmrig
behavioral2/memory/852-130-0x00007FF70F8F0000-0x00007FF70FC44000-memory.dmp	xmrig
behavioral2/memory/4284-131-0x00007FF6BDFD0000-0x00007FF6BE324000-memory.dmp	xmrig
behavioral2/memory/3448-132-0x00007FF6EE0D0000-0x00007FF6EE424000-memory.dmp	xmrig
behavioral2/memory/2996-133-0x00007FF69F7F0000-0x00007FF69FB44000-memory.dmp	xmrig
behavioral2/memory/4204-134-0x00007FF6E83D0000-0x00007FF6E8724000-memory.dmp	xmrig
behavioral2/memory/1944-135-0x00007FF6767B0000-0x00007FF676B04000-memory.dmp	xmrig
behavioral2/memory/4932-136-0x00007FF7F99D0000-0x00007FF7F9D24000-memory.dmp	xmrig
behavioral2/memory/1508-137-0x00007FF72CAA0000-0x00007FF72CDF4000-memory.dmp	xmrig
behavioral2/memory/2940-138-0x00007FF6DB5D0000-0x00007FF6DB924000-memory.dmp	xmrig
behavioral2/memory/1940-139-0x00007FF6228C0000-0x00007FF622C14000-memory.dmp	xmrig
behavioral2/memory/3976-141-0x00007FF7F6500000-0x00007FF7F6854000-memory.dmp	xmrig
behavioral2/memory/2488-140-0x00007FF756EB0000-0x00007FF757204000-memory.dmp	xmrig
behavioral2/memory/2512-142-0x00007FF6560F0000-0x00007FF656444000-memory.dmp	xmrig
behavioral2/memory/4284-143-0x00007FF6BDFD0000-0x00007FF6BE324000-memory.dmp	xmrig
behavioral2/memory/3448-144-0x00007FF6EE0D0000-0x00007FF6EE424000-memory.dmp	xmrig
behavioral2/memory/1640-145-0x00007FF700D60000-0x00007FF7010B4000-memory.dmp	xmrig
behavioral2/memory/2996-146-0x00007FF69F7F0000-0x00007FF69FB44000-memory.dmp	xmrig
behavioral2/memory/4204-147-0x00007FF6E83D0000-0x00007FF6E8724000-memory.dmp	xmrig
behavioral2/memory/1064-148-0x00007FF650730000-0x00007FF650A84000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
1940	XJLaUQG.exe
3976	aBuWGFy.exe
2488	hGUexfj.exe
2512	IpfNrUX.exe
4284	RudMQJg.exe
3448	MCpcNyC.exe
1640	whCGNuv.exe
2996	gRgItjb.exe
4204	wfUEtYV.exe
1064	uSoLxsp.exe
1944	pUcdsJL.exe
1508	cKeAlQF.exe
4932	uJUclHT.exe
4040	LxfmAfK.exe
2940	OymefEi.exe
852	NwdcEJD.exe
4376	zfKsDuL.exe
3648	RiNVTvn.exe
3708	FvzKRqq.exe
3528	zoRbwbc.exe
4652	JyrXRcU.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4068-0-0x00007FF7BF670000-0x00007FF7BF9C4000-memory.dmp	upx
behavioral2/files/0x0008000000023406-5.dat	upx
behavioral2/files/0x0007000000023408-9.dat	upx
behavioral2/files/0x0007000000023407-10.dat	upx
behavioral2/memory/3976-16-0x00007FF7F6500000-0x00007FF7F6854000-memory.dmp	upx
behavioral2/memory/1940-6-0x00007FF6228C0000-0x00007FF622C14000-memory.dmp	upx
behavioral2/memory/2512-26-0x00007FF6560F0000-0x00007FF656444000-memory.dmp	upx
behavioral2/files/0x0007000000023409-24.dat	upx
behavioral2/memory/2488-22-0x00007FF756EB0000-0x00007FF757204000-memory.dmp	upx
behavioral2/files/0x000700000002340a-29.dat	upx
behavioral2/memory/4284-31-0x00007FF6BDFD0000-0x00007FF6BE324000-memory.dmp	upx
behavioral2/files/0x000700000002340b-35.dat	upx
behavioral2/memory/3448-37-0x00007FF6EE0D0000-0x00007FF6EE424000-memory.dmp	upx
behavioral2/files/0x0008000000023404-40.dat	upx
behavioral2/files/0x000700000002340c-46.dat	upx
behavioral2/memory/1640-47-0x00007FF700D60000-0x00007FF7010B4000-memory.dmp	upx
behavioral2/files/0x000700000002340d-55.dat	upx
behavioral2/files/0x000700000002340e-60.dat	upx
behavioral2/memory/4068-62-0x00007FF7BF670000-0x00007FF7BF9C4000-memory.dmp	upx
behavioral2/memory/1064-63-0x00007FF650730000-0x00007FF650A84000-memory.dmp	upx
behavioral2/memory/4204-54-0x00007FF6E83D0000-0x00007FF6E8724000-memory.dmp	upx
behavioral2/memory/2996-51-0x00007FF69F7F0000-0x00007FF69FB44000-memory.dmp	upx
behavioral2/files/0x000700000002340f-66.dat	upx
behavioral2/files/0x0007000000023412-74.dat	upx
behavioral2/files/0x0007000000023411-72.dat	upx
behavioral2/files/0x0007000000023413-83.dat	upx
behavioral2/files/0x0007000000023414-87.dat	upx
behavioral2/files/0x0007000000023417-100.dat	upx
behavioral2/files/0x0007000000023419-117.dat	upx
behavioral2/files/0x000700000002341a-122.dat	upx
behavioral2/files/0x0007000000023418-114.dat	upx
behavioral2/files/0x0007000000023416-105.dat	upx
behavioral2/files/0x0007000000023415-103.dat	upx
behavioral2/memory/2940-91-0x00007FF6DB5D0000-0x00007FF6DB924000-memory.dmp	upx
behavioral2/memory/4932-84-0x00007FF7F99D0000-0x00007FF7F9D24000-memory.dmp	upx
behavioral2/memory/1508-81-0x00007FF72CAA0000-0x00007FF72CDF4000-memory.dmp	upx
behavioral2/memory/3976-77-0x00007FF7F6500000-0x00007FF7F6854000-memory.dmp	upx
behavioral2/memory/1944-71-0x00007FF6767B0000-0x00007FF676B04000-memory.dmp	upx
behavioral2/memory/1940-69-0x00007FF6228C0000-0x00007FF622C14000-memory.dmp	upx
behavioral2/memory/4040-124-0x00007FF686F30000-0x00007FF687284000-memory.dmp	upx
behavioral2/memory/4376-125-0x00007FF7D1AC0000-0x00007FF7D1E14000-memory.dmp	upx
behavioral2/memory/3708-127-0x00007FF621DC0000-0x00007FF622114000-memory.dmp	upx
behavioral2/memory/3648-126-0x00007FF6465D0000-0x00007FF646924000-memory.dmp	upx
behavioral2/memory/3528-128-0x00007FF7DD580000-0x00007FF7DD8D4000-memory.dmp	upx
behavioral2/memory/4652-129-0x00007FF7681B0000-0x00007FF768504000-memory.dmp	upx
behavioral2/memory/852-130-0x00007FF70F8F0000-0x00007FF70FC44000-memory.dmp	upx
behavioral2/memory/4284-131-0x00007FF6BDFD0000-0x00007FF6BE324000-memory.dmp	upx
behavioral2/memory/3448-132-0x00007FF6EE0D0000-0x00007FF6EE424000-memory.dmp	upx
behavioral2/memory/2996-133-0x00007FF69F7F0000-0x00007FF69FB44000-memory.dmp	upx
behavioral2/memory/4204-134-0x00007FF6E83D0000-0x00007FF6E8724000-memory.dmp	upx
behavioral2/memory/1944-135-0x00007FF6767B0000-0x00007FF676B04000-memory.dmp	upx
behavioral2/memory/4932-136-0x00007FF7F99D0000-0x00007FF7F9D24000-memory.dmp	upx
behavioral2/memory/1508-137-0x00007FF72CAA0000-0x00007FF72CDF4000-memory.dmp	upx
behavioral2/memory/2940-138-0x00007FF6DB5D0000-0x00007FF6DB924000-memory.dmp	upx
behavioral2/memory/1940-139-0x00007FF6228C0000-0x00007FF622C14000-memory.dmp	upx
behavioral2/memory/3976-141-0x00007FF7F6500000-0x00007FF7F6854000-memory.dmp	upx
behavioral2/memory/2488-140-0x00007FF756EB0000-0x00007FF757204000-memory.dmp	upx
behavioral2/memory/2512-142-0x00007FF6560F0000-0x00007FF656444000-memory.dmp	upx
behavioral2/memory/4284-143-0x00007FF6BDFD0000-0x00007FF6BE324000-memory.dmp	upx
behavioral2/memory/3448-144-0x00007FF6EE0D0000-0x00007FF6EE424000-memory.dmp	upx
behavioral2/memory/1640-145-0x00007FF700D60000-0x00007FF7010B4000-memory.dmp	upx
behavioral2/memory/2996-146-0x00007FF69F7F0000-0x00007FF69FB44000-memory.dmp	upx
behavioral2/memory/4204-147-0x00007FF6E83D0000-0x00007FF6E8724000-memory.dmp	upx
behavioral2/memory/1064-148-0x00007FF650730000-0x00007FF650A84000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\LxfmAfK.exe	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\XJLaUQG.exe	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\IpfNrUX.exe	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\RudMQJg.exe	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\FvzKRqq.exe	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\JyrXRcU.exe	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\cKeAlQF.exe	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\uJUclHT.exe	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\NwdcEJD.exe	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\pUcdsJL.exe	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\zfKsDuL.exe	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\RiNVTvn.exe	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\zoRbwbc.exe	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\gRgItjb.exe	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\wfUEtYV.exe	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\uSoLxsp.exe	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\whCGNuv.exe	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\OymefEi.exe	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\aBuWGFy.exe	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\hGUexfj.exe	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\MCpcNyC.exe	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4068	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	4068	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4068 wrote to memory of 1940	4068	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe	83
PID 4068 wrote to memory of 1940	4068	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe	83
PID 4068 wrote to memory of 3976	4068	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe	84
PID 4068 wrote to memory of 3976	4068	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe	84
PID 4068 wrote to memory of 2488	4068	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe	85
PID 4068 wrote to memory of 2488	4068	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe	85
PID 4068 wrote to memory of 2512	4068	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe	86
PID 4068 wrote to memory of 2512	4068	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe	86
PID 4068 wrote to memory of 4284	4068	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe	87
PID 4068 wrote to memory of 4284	4068	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe	87
PID 4068 wrote to memory of 3448	4068	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe	88
PID 4068 wrote to memory of 3448	4068	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe	88
PID 4068 wrote to memory of 1640	4068	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe	89
PID 4068 wrote to memory of 1640	4068	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe	89
PID 4068 wrote to memory of 2996	4068	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe	90
PID 4068 wrote to memory of 2996	4068	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe	90
PID 4068 wrote to memory of 4204	4068	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe	91
PID 4068 wrote to memory of 4204	4068	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe	91
PID 4068 wrote to memory of 1064	4068	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe	92
PID 4068 wrote to memory of 1064	4068	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe	92
PID 4068 wrote to memory of 1944	4068	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe	93
PID 4068 wrote to memory of 1944	4068	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe	93
PID 4068 wrote to memory of 1508	4068	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe	94
PID 4068 wrote to memory of 1508	4068	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe	94
PID 4068 wrote to memory of 4932	4068	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe	95
PID 4068 wrote to memory of 4932	4068	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe	95
PID 4068 wrote to memory of 4040	4068	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe	96
PID 4068 wrote to memory of 4040	4068	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe	96
PID 4068 wrote to memory of 2940	4068	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe	97
PID 4068 wrote to memory of 2940	4068	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe	97
PID 4068 wrote to memory of 852	4068	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe	98
PID 4068 wrote to memory of 852	4068	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe	98
PID 4068 wrote to memory of 4376	4068	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe	99
PID 4068 wrote to memory of 4376	4068	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe	99
PID 4068 wrote to memory of 3648	4068	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe	100
PID 4068 wrote to memory of 3648	4068	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe	100
PID 4068 wrote to memory of 3708	4068	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe	101
PID 4068 wrote to memory of 3708	4068	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe	101
PID 4068 wrote to memory of 3528	4068	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe	102
PID 4068 wrote to memory of 3528	4068	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe	102
PID 4068 wrote to memory of 4652	4068	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe	103
PID 4068 wrote to memory of 4652	4068	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe	103

C:\Users\Admin\AppData\Local\Temp\2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4068
- C:\Windows\System\XJLaUQG.exe
  C:\Windows\System\XJLaUQG.exe
  2⤵
  - Executes dropped EXE
  PID:1940
- C:\Windows\System\aBuWGFy.exe
  C:\Windows\System\aBuWGFy.exe
  2⤵
  - Executes dropped EXE
  PID:3976
- C:\Windows\System\hGUexfj.exe
  C:\Windows\System\hGUexfj.exe
  2⤵
  - Executes dropped EXE
  PID:2488
- C:\Windows\System\IpfNrUX.exe
  C:\Windows\System\IpfNrUX.exe
  2⤵
  - Executes dropped EXE
  PID:2512
- C:\Windows\System\RudMQJg.exe
  C:\Windows\System\RudMQJg.exe
  2⤵
  - Executes dropped EXE
  PID:4284
- C:\Windows\System\MCpcNyC.exe
  C:\Windows\System\MCpcNyC.exe
  2⤵
  - Executes dropped EXE
  PID:3448
- C:\Windows\System\whCGNuv.exe
  C:\Windows\System\whCGNuv.exe
  2⤵
  - Executes dropped EXE
  PID:1640
- C:\Windows\System\gRgItjb.exe
  C:\Windows\System\gRgItjb.exe
  2⤵
  - Executes dropped EXE
  PID:2996
- C:\Windows\System\wfUEtYV.exe
  C:\Windows\System\wfUEtYV.exe
  2⤵
  - Executes dropped EXE
  PID:4204
- C:\Windows\System\uSoLxsp.exe
  C:\Windows\System\uSoLxsp.exe
  2⤵
  - Executes dropped EXE
  PID:1064
- C:\Windows\System\pUcdsJL.exe
  C:\Windows\System\pUcdsJL.exe
  2⤵
  - Executes dropped EXE
  PID:1944
- C:\Windows\System\cKeAlQF.exe
  C:\Windows\System\cKeAlQF.exe
  2⤵
  - Executes dropped EXE
  PID:1508
- C:\Windows\System\uJUclHT.exe
  C:\Windows\System\uJUclHT.exe
  2⤵
  - Executes dropped EXE
  PID:4932
- C:\Windows\System\LxfmAfK.exe
  C:\Windows\System\LxfmAfK.exe
  2⤵
  - Executes dropped EXE
  PID:4040
- C:\Windows\System\OymefEi.exe
  C:\Windows\System\OymefEi.exe
  2⤵
  - Executes dropped EXE
  PID:2940
- C:\Windows\System\NwdcEJD.exe
  C:\Windows\System\NwdcEJD.exe
  2⤵
  - Executes dropped EXE
  PID:852
- C:\Windows\System\zfKsDuL.exe
  C:\Windows\System\zfKsDuL.exe
  2⤵
  - Executes dropped EXE
  PID:4376
- C:\Windows\System\RiNVTvn.exe
  C:\Windows\System\RiNVTvn.exe
  2⤵
  - Executes dropped EXE
  PID:3648
- C:\Windows\System\FvzKRqq.exe
  C:\Windows\System\FvzKRqq.exe
  2⤵
  - Executes dropped EXE
  PID:3708
- C:\Windows\System\zoRbwbc.exe
  C:\Windows\System\zoRbwbc.exe
  2⤵
  - Executes dropped EXE
  PID:3528
- C:\Windows\System\JyrXRcU.exe
  C:\Windows\System\JyrXRcU.exe
  2⤵
  - Executes dropped EXE
  PID:4652

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\FvzKRqq.exe

Filesize
5.9MB

MD5
8b2e249bea4c372a83106f26759e849b

SHA1
e5dfd5e6b82e281875a614c23d9c7e0c7fae98a0

SHA256
44f3328e7af6c97626b6982d7aaa9d48869d1d5e43f8ccf6751493c4bebe9783

SHA512
d82ae028c9105986a2e2f29a6fc565e0053a4d0dee8e66cffbf7ce267bdeb5f01d8c84e7dea93b9e574e6280a5fc2a76442baa80f571c43c00f201d9cb6faaad

Download Submit
C:\Windows\System\IpfNrUX.exe

Filesize
5.9MB

MD5
adb93179c34e1513ce6f7a596a593827

SHA1
fdc3668b38524c9eca23f0c23b8020aa99c5b1e0

SHA256
3812cfed235dcb120958b664936189a88c89ed36eaddf4d1f4eb19388a65a205

SHA512
bb7198a4c5e67c76c7748a390370376d87237d7173fccb9e538fbe179372aef4cbab40630cda5764bc01fdf1428d53c45b8f4aebc57e66d2f3d8ac574db7f1ed

Download Submit
C:\Windows\System\JyrXRcU.exe

Filesize
5.9MB

MD5
d69fcd69d1898606804e40e5550f6b23

SHA1
1eae31aed8dee2d8c3465260f078dbd7a6b8217a

SHA256
5e65ec9e3ccaca1acf554f1e40579d8e359c79510aee8a9c40ea8447a9f4b010

SHA512
f5168247761329303b8035e053489023b61a47b8efe142c53427060abef1d3670730bb7bf8d01c3c2cb94e86af70d8ccdeb5896fb3c95aca64cb93e4ddf53e16

Download Submit
C:\Windows\System\LxfmAfK.exe

Filesize
5.9MB

MD5
fb32cb9d6f8ee15b6f574a2ede4eaa72

SHA1
9448d9d51b215ecc996135052f48f81fd9174ffb

SHA256
7e2d2b0194e81add6f6b7ada2cc03138a8f128c721861e9fab91eeb3a6fceec7

SHA512
e73844be2cae7042df418c3a8e813b6ecc9ed7fe4a56c855d30aa485c6a618ccab7119d180797e4a65453000a2e72491b3430daf379c149f0dc3fee73eaecce7

Download Submit
C:\Windows\System\MCpcNyC.exe

Filesize
5.9MB

MD5
a0d7ba6a07aafbe47fbd53587b67af13

SHA1
040ba2d77c1efbabcd747988055b27147193b1f0

SHA256
9420310a34069a5fedc2a115f5a33eb73faf668aea764c57d5012799b5e62eda

SHA512
b068832d3b7fc84e7d54c8607fb9d5ac482371131aebfbd02ef4480b8cf8b8b60faccce07f5b7cd323938e346020e138d55c799bcfe672bba2a7a6889d6f95a4

Download Submit
C:\Windows\System\NwdcEJD.exe

Filesize
5.9MB

MD5
7b501b65330b5f3e9500f9be3e7655a4

SHA1
2b00de27f6a39948ceb59b9c4333ee9ed5418eb4

SHA256
abb4181ae862fc81d21c2c844ef372805e13321c6f0c242fb2c46f6f8732ccb6

SHA512
9a1b88b10b67531ecbb2d5690bafd718613cfbe176ce041a5cf9a1a49b418452d06b546acd9ec26aeb2c8ad6806564efe2dcfee0dd68a7891dfd8c8638042624

Download Submit
C:\Windows\System\OymefEi.exe

Filesize
5.9MB

MD5
8ec14a3d45f075cb4475eda3e2a219bd

SHA1
f5b7889e1c8278032a503e0a08bb191d7b70bbac

SHA256
78edc2efe1cbd888e77a031be8b0c77b78e1f4467e3c8e9bfbdde336cb97ec79

SHA512
24db776869b7a41c671fd1127179436cf2fa4fa621f3462376367c87807659ac708850ac2580a53390e443c39b1acb6fc62ae367fbc2bde615d2a97de107bbc5

Download Submit
C:\Windows\System\RiNVTvn.exe

Filesize
5.9MB

MD5
56da0ed605a1d536d0414d3834646760

SHA1
8bc3addf095c516d6f92947c185b466bb9fe5e4e

SHA256
a87282d0b8b9cd0738baae13b67d861518abb66684eeab8a4463cb59486c634c

SHA512
c7200b74205239361dae80a9943a54ec7ef5e6f55161b83fa03b2cd336d1393095a2df4056bdd8038e8f937ed23c63ca4316ed136af66235ebc94ff5976b6255

Download Submit
C:\Windows\System\RudMQJg.exe

Filesize
5.9MB

MD5
3bc487e593c98254e2286970541abbc0

SHA1
fa8d11c5cfecc8cb5e32ef26d9e342cbd3b39a47

SHA256
d25d957d498c441918b48b4e653bd2c84baac4722b5e8385a00f5368a47fd981

SHA512
3c4cd7dbee620c271142def7eaf2d398780a362fe657e5f1d5408da1e47c419ab8e8e8f8bba011553a1f65b06021bafdcb0ba753ff74f3477b33fb8c309c9981

Download Submit
C:\Windows\System\XJLaUQG.exe

Filesize
5.9MB

MD5
68aa3115b235e263acfaa6abaec79302

SHA1
a2bb2eeff40852ff0e2ddd7d610963c8493581bb

SHA256
1c1da9fd75b37668d5b4b7dca7853baf76281d1a32d6245b32c06d850c4ab17b

SHA512
50cd48ad10835aa5b51ae0cf98bd5ad132502b2fc06f295436f7841b8b9d956dc7335e772cd8073d074471f6083d98112ffb2fe6d3b6532510f126ce52456f3e

Download Submit
C:\Windows\System\aBuWGFy.exe

Filesize
5.9MB

MD5
65eebe3d3e15a4f472841218383414e9

SHA1
3a7d0b2c5f3c7d65072930c3f6dd90962c388d38

SHA256
65293ecac710621485120e0211fb790dee22f5ad883ccd737a135eb7e4bc39d8

SHA512
5229ad4f7683633de3d8b7cb336ccf10bf85267eb5ee04c9bb91d8042401ab523420e448a38093f04afc98e74eeb8ad0e34c5d85c81d08dbffcd9aa59e88f430

Download Submit
C:\Windows\System\cKeAlQF.exe

Filesize
5.9MB

MD5
95cd0d6cfd0cfe20b45d1d56353a4b88

SHA1
e1b5d156ee7cac06408f2825e82fb34aaf96b991

SHA256
df728e41c14764cb7b69d1ef09f21f88607e1a49ca58d8faa3fd212241783cd5

SHA512
97e68ac14543e2e61165e8cb01b3425a6030e90b63beeea4cf46a4bba5e50b8bb350b257908c3f438c3e59354e85f5818978b916c36786090929a5a077a6f95d

Download Submit
C:\Windows\System\gRgItjb.exe

Filesize
5.9MB

MD5
56a3579d376b64d8066e4036b5779a55

SHA1
2667a37b9ccb48f0499a266e55d9803af1bbbaa6

SHA256
aa8bcfa53086bdcbc32a576fc7dc04cc7d68ffdf122637e2937eed8aa3d143b8

SHA512
4203bc3ef3c786aad37c7de4d56c98ca90721cc604ea29941b22bc21ec42e9b91946161fafbe98112730550b02f1e82499a4fa45aa77e8b5a9b427f1365965aa

Download Submit
C:\Windows\System\hGUexfj.exe

Filesize
5.9MB

MD5
5bb0186a26d1bb8e934c9d9a181f4b81

SHA1
efd92aa1a26de372e9bd2e2e31267775ecaf9887

SHA256
25aa15567e7573c9851b48e63cb2d77b10e9364374939dcdf8b9784beacef9c4

SHA512
b721ac3c8e3b8c55f90216328e3388fe68acd5627caddff6a6654b3d8ee335bcc233a9ece0669a51e8cba0a526df7c2d234f18b34296f327a73bff28ad594939

Download Submit
C:\Windows\System\pUcdsJL.exe

Filesize
5.9MB

MD5
7390d48d146a2c0a0e49245750e10bf0

SHA1
a55690a153d6df5d462ff19975dd2395d45a5734

SHA256
3dca097711918cfc9358ddc6e31214bb527f9f639621df3cb199cdb841bb2b44

SHA512
eecf4c54818e2b91aaacf8b4ed2698c2008fd21935649484bcc53b764ede76cb665a1a556d70c8a4492d3030900b834e558a4f270aa46894058a5608e4c5cb98

Download Submit
C:\Windows\System\uJUclHT.exe

Filesize
5.9MB

MD5
40ffcaedfa3133df280cf2370feff330

SHA1
37f173c96c3fa96dfc0d1508b6a19c87ed4d705f

SHA256
ae029d49b9bff8a3e0251936f20a6b37e175fdcb5ea710a613bfbe2dff69e2da

SHA512
62d86438ad685efe8cf91c50dda32d1ed40f5a54a083148423769df759491a123976cdd3122835a1e01fd0aa7fc2392b3305ea86ed80a167855af614342b6990

Download Submit
C:\Windows\System\uSoLxsp.exe

Filesize
5.9MB

MD5
89d9d62739a28d1a48a851b4fb4b6278

SHA1
731f2a4b185b8791a2dc9e360bf78e40f7b722bf

SHA256
3ed41bbd726e0b3848d9d7033dfc8b26e3f755f7ebdd703f5acf4f313f4cd029

SHA512
010fa21c91d19fbe305133f59a59bc63903eee36eae6f0508a5e2157bc9b4fdd4c0b2c00d5b0468b598598732fda1aff5a76bc90c592ca95c0199afad1076da4

Download Submit
C:\Windows\System\wfUEtYV.exe

Filesize
5.9MB

MD5
27c544916008cc80d1243db759bb1d69

SHA1
92820f5697c6d2009b3371d0ade34e12e8b1b314

SHA256
7a190b0a990c59d154590d89ae042d32188fee0e9023291f07e991b524603239

SHA512
c0ea28e8df4c1a7e1d53aeecc30897c5982fda2a6214de58396c4efd8e4e186c8cc139fa7858bb6648dbad9b69bbf2caebc24c634f2884e891ee96c5749652f9

Download Submit
C:\Windows\System\whCGNuv.exe

Filesize
5.9MB

MD5
35014aaa16bee5939f2736ed87bac28d

SHA1
c3a34f37f0300266ac81c4aeef01dc6a7cc89aa7

SHA256
709c649972e7e9b8af205a9c9c0a1fcec8d8b62dda2e05ec6e5eb554c6c2b2b5

SHA512
194d6216e4ef1edf5ee55d1ac8a376e18b1846644eeefc82a57f101a64b81d411015d5fcff5927f47fb8922d8248a3691df743067dd1b599b281fe8fc33391ec

Download Submit
C:\Windows\System\zfKsDuL.exe

Filesize
5.9MB

MD5
db4c077e916c239ce9dca193e4199a98

SHA1
a5e35cad5331c42da4cf5e999c3bde4e252b5271

SHA256
4ab9a2370922098940282e3ca9506baa599068a7174f88f9d9f9807780984d0b

SHA512
6569aa6f29714aafcf3a2c5828f14a797d44a80d6e7c1f9882d72b4772a457ce7827c04f53fc627493783abc3c913f9af30143dfb4dfbd61f716e5a63c0dba28

Download Submit
C:\Windows\System\zoRbwbc.exe

Filesize
5.9MB

MD5
ee87fc45c276a61d2c0facc0e799679b

SHA1
3abe41608787edee15d7b7104ff4f70e12c644bf

SHA256
c3c184a8a259d6e92d3d04618e0b22e25585cf34f63e5593163e586fc530c6b8

SHA512
ffd436c2e926cfa53aff2511683304bed7ae17f2fcb96ca7e47fb1cd6c8469ab706edaacd24bad012c7576cadc6ccb9be25f70579779f93efe0911302e87f64b

Download Submit
memory/852-130-0x00007FF70F8F0000-0x00007FF70FC44000-memory.dmp

Filesize
3.3MB

Download
memory/852-153-0x00007FF70F8F0000-0x00007FF70FC44000-memory.dmp

Filesize
3.3MB

Download
memory/1064-148-0x00007FF650730000-0x00007FF650A84000-memory.dmp

Filesize
3.3MB

Download
memory/1064-63-0x00007FF650730000-0x00007FF650A84000-memory.dmp

Filesize
3.3MB

Download
memory/1508-137-0x00007FF72CAA0000-0x00007FF72CDF4000-memory.dmp

Filesize
3.3MB

Download
memory/1508-151-0x00007FF72CAA0000-0x00007FF72CDF4000-memory.dmp

Filesize
3.3MB

Download
memory/1508-81-0x00007FF72CAA0000-0x00007FF72CDF4000-memory.dmp

Filesize
3.3MB

Download
memory/1640-145-0x00007FF700D60000-0x00007FF7010B4000-memory.dmp

Filesize
3.3MB

Download
memory/1640-47-0x00007FF700D60000-0x00007FF7010B4000-memory.dmp

Filesize
3.3MB

Download
memory/1940-139-0x00007FF6228C0000-0x00007FF622C14000-memory.dmp

Filesize
3.3MB

Download
memory/1940-6-0x00007FF6228C0000-0x00007FF622C14000-memory.dmp

Filesize
3.3MB

Download
memory/1940-69-0x00007FF6228C0000-0x00007FF622C14000-memory.dmp

Filesize
3.3MB

Download
memory/1944-71-0x00007FF6767B0000-0x00007FF676B04000-memory.dmp

Filesize
3.3MB

Download
memory/1944-135-0x00007FF6767B0000-0x00007FF676B04000-memory.dmp

Filesize
3.3MB

Download
memory/1944-150-0x00007FF6767B0000-0x00007FF676B04000-memory.dmp

Filesize
3.3MB

Download
memory/2488-22-0x00007FF756EB0000-0x00007FF757204000-memory.dmp

Filesize
3.3MB

Download
memory/2488-140-0x00007FF756EB0000-0x00007FF757204000-memory.dmp

Filesize
3.3MB

Download
memory/2512-26-0x00007FF6560F0000-0x00007FF656444000-memory.dmp

Filesize
3.3MB

Download
memory/2512-142-0x00007FF6560F0000-0x00007FF656444000-memory.dmp

Filesize
3.3MB

Download
memory/2940-138-0x00007FF6DB5D0000-0x00007FF6DB924000-memory.dmp

Filesize
3.3MB

Download
memory/2940-91-0x00007FF6DB5D0000-0x00007FF6DB924000-memory.dmp

Filesize
3.3MB

Download
memory/2940-154-0x00007FF6DB5D0000-0x00007FF6DB924000-memory.dmp

Filesize
3.3MB

Download
memory/2996-133-0x00007FF69F7F0000-0x00007FF69FB44000-memory.dmp

Filesize
3.3MB

Download
memory/2996-51-0x00007FF69F7F0000-0x00007FF69FB44000-memory.dmp

Filesize
3.3MB

Download
memory/2996-146-0x00007FF69F7F0000-0x00007FF69FB44000-memory.dmp

Filesize
3.3MB

Download
memory/3448-144-0x00007FF6EE0D0000-0x00007FF6EE424000-memory.dmp

Filesize
3.3MB

Download
memory/3448-37-0x00007FF6EE0D0000-0x00007FF6EE424000-memory.dmp

Filesize
3.3MB

Download
memory/3448-132-0x00007FF6EE0D0000-0x00007FF6EE424000-memory.dmp

Filesize
3.3MB

Download
memory/3528-156-0x00007FF7DD580000-0x00007FF7DD8D4000-memory.dmp

Filesize
3.3MB

Download
memory/3528-128-0x00007FF7DD580000-0x00007FF7DD8D4000-memory.dmp

Filesize
3.3MB

Download
memory/3648-158-0x00007FF6465D0000-0x00007FF646924000-memory.dmp

Filesize
3.3MB

Download
memory/3648-126-0x00007FF6465D0000-0x00007FF646924000-memory.dmp

Filesize
3.3MB

Download
memory/3708-157-0x00007FF621DC0000-0x00007FF622114000-memory.dmp

Filesize
3.3MB

Download
memory/3708-127-0x00007FF621DC0000-0x00007FF622114000-memory.dmp

Filesize
3.3MB

Download
memory/3976-16-0x00007FF7F6500000-0x00007FF7F6854000-memory.dmp

Filesize
3.3MB

Download
memory/3976-141-0x00007FF7F6500000-0x00007FF7F6854000-memory.dmp

Filesize
3.3MB

Download
memory/3976-77-0x00007FF7F6500000-0x00007FF7F6854000-memory.dmp

Filesize
3.3MB

Download
memory/4040-124-0x00007FF686F30000-0x00007FF687284000-memory.dmp

Filesize
3.3MB

Download
memory/4040-152-0x00007FF686F30000-0x00007FF687284000-memory.dmp

Filesize
3.3MB

Download
memory/4068-0-0x00007FF7BF670000-0x00007FF7BF9C4000-memory.dmp

Filesize
3.3MB

Download
memory/4068-62-0x00007FF7BF670000-0x00007FF7BF9C4000-memory.dmp

Filesize
3.3MB

Download
memory/4068-1-0x000001F20F490000-0x000001F20F4A0000-memory.dmp

Filesize
64KB

Download
memory/4204-54-0x00007FF6E83D0000-0x00007FF6E8724000-memory.dmp

Filesize
3.3MB

Download
memory/4204-147-0x00007FF6E83D0000-0x00007FF6E8724000-memory.dmp

Filesize
3.3MB

Download
memory/4204-134-0x00007FF6E83D0000-0x00007FF6E8724000-memory.dmp

Filesize
3.3MB

Download
memory/4284-143-0x00007FF6BDFD0000-0x00007FF6BE324000-memory.dmp

Filesize
3.3MB

Download
memory/4284-31-0x00007FF6BDFD0000-0x00007FF6BE324000-memory.dmp

Filesize
3.3MB

Download
memory/4284-131-0x00007FF6BDFD0000-0x00007FF6BE324000-memory.dmp

Filesize
3.3MB

Download
memory/4376-125-0x00007FF7D1AC0000-0x00007FF7D1E14000-memory.dmp

Filesize
3.3MB

Download
memory/4376-155-0x00007FF7D1AC0000-0x00007FF7D1E14000-memory.dmp

Filesize
3.3MB

Download
memory/4652-129-0x00007FF7681B0000-0x00007FF768504000-memory.dmp

Filesize
3.3MB

Download
memory/4652-159-0x00007FF7681B0000-0x00007FF768504000-memory.dmp

Filesize
3.3MB

Download
memory/4932-149-0x00007FF7F99D0000-0x00007FF7F9D24000-memory.dmp

Filesize
3.3MB

Download
memory/4932-84-0x00007FF7F99D0000-0x00007FF7F9D24000-memory.dmp

Filesize
3.3MB

Download
memory/4932-136-0x00007FF7F99D0000-0x00007FF7F9D24000-memory.dmp

Filesize
3.3MB

Download