cobaltstrike | b75cd532c50dcb60baec52f6cedaca20ac30384a867a56ca5b7c874fd2a11ecc

Analysis

max time kernel
143s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
30-05-2024 09:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe
Size

5.2MB
MD5

7b58ae31b28cdcf1f61fe13af1dab6e1
SHA1

007bd9060f30cf84c40a88eaf19686021c6dbf2f
SHA256

b75cd532c50dcb60baec52f6cedaca20ac30384a867a56ca5b7c874fd2a11ecc
SHA512

bee8024c707e4c55b1fd440d23c254a33050049632c2f69427e2cf66a171d6880233ab3da080c671815603e3207edb9bf7e22928fe2ff0c9c21202aa30b224e1
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6le:RWWBibf56utgpPFotBER/mQ32lU6

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0006000000023276-5.dat	cobalt_reflective_dll
behavioral2/files/0x00080000000233c9-11.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233cd-10.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233ce-23.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233d0-29.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233d5-57.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233d8-71.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233d9-84.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233d7-75.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233d6-73.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233d4-55.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233d3-50.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233d2-49.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233d1-35.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233da-92.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233db-99.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233dc-106.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233dd-113.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233de-119.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233df-124.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233e0-128.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

resource	yara_rule
behavioral2/files/0x0006000000023276-5.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00080000000233c9-11.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233cd-10.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233ce-23.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233d0-29.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233d5-57.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233d8-71.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233d9-84.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233d7-75.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233d6-73.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233d4-55.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233d3-50.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233d2-49.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233d1-35.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233da-92.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233db-99.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233dc-106.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233dd-113.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233de-119.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233df-124.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233e0-128.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

resource	yara_rule
behavioral2/memory/2348-0-0x00007FF760430000-0x00007FF760781000-memory.dmp	UPX
behavioral2/files/0x0006000000023276-5.dat	UPX
behavioral2/memory/2816-6-0x00007FF762560000-0x00007FF7628B1000-memory.dmp	UPX
behavioral2/files/0x00080000000233c9-11.dat	UPX
behavioral2/files/0x00070000000233cd-10.dat	UPX
behavioral2/memory/2264-16-0x00007FF6AFA10000-0x00007FF6AFD61000-memory.dmp	UPX
behavioral2/memory/1052-20-0x00007FF659D70000-0x00007FF65A0C1000-memory.dmp	UPX
behavioral2/files/0x00070000000233ce-23.dat	UPX
behavioral2/memory/1260-26-0x00007FF79F640000-0x00007FF79F991000-memory.dmp	UPX
behavioral2/files/0x00070000000233d0-29.dat	UPX
behavioral2/memory/2528-37-0x00007FF6984F0000-0x00007FF698841000-memory.dmp	UPX
behavioral2/memory/4952-42-0x00007FF72C3C0000-0x00007FF72C711000-memory.dmp	UPX
behavioral2/memory/4468-47-0x00007FF656CD0000-0x00007FF657021000-memory.dmp	UPX
behavioral2/memory/3820-52-0x00007FF7297E0000-0x00007FF729B31000-memory.dmp	UPX
behavioral2/files/0x00070000000233d5-57.dat	UPX
behavioral2/files/0x00070000000233d8-71.dat	UPX
behavioral2/memory/464-80-0x00007FF76AD80000-0x00007FF76B0D1000-memory.dmp	UPX
behavioral2/memory/3224-86-0x00007FF64E8D0000-0x00007FF64EC21000-memory.dmp	UPX
behavioral2/memory/1224-89-0x00007FF6100C0000-0x00007FF610411000-memory.dmp	UPX
behavioral2/memory/2264-88-0x00007FF6AFA10000-0x00007FF6AFD61000-memory.dmp	UPX
behavioral2/memory/2816-87-0x00007FF762560000-0x00007FF7628B1000-memory.dmp	UPX
behavioral2/files/0x00070000000233d9-84.dat	UPX
behavioral2/memory/5068-81-0x00007FF716CF0000-0x00007FF717041000-memory.dmp	UPX
behavioral2/memory/2348-76-0x00007FF760430000-0x00007FF760781000-memory.dmp	UPX
behavioral2/files/0x00070000000233d7-75.dat	UPX
behavioral2/files/0x00070000000233d6-73.dat	UPX
behavioral2/memory/2864-62-0x00007FF60A430000-0x00007FF60A781000-memory.dmp	UPX
behavioral2/files/0x00070000000233d4-55.dat	UPX
behavioral2/files/0x00070000000233d3-50.dat	UPX
behavioral2/files/0x00070000000233d2-49.dat	UPX
behavioral2/memory/3860-45-0x00007FF692980000-0x00007FF692CD1000-memory.dmp	UPX
behavioral2/files/0x00070000000233d1-35.dat	UPX
behavioral2/files/0x00070000000233da-92.dat	UPX
behavioral2/memory/816-95-0x00007FF7D2AD0000-0x00007FF7D2E21000-memory.dmp	UPX
behavioral2/memory/1052-100-0x00007FF659D70000-0x00007FF65A0C1000-memory.dmp	UPX
behavioral2/files/0x00070000000233db-99.dat	UPX
behavioral2/files/0x00070000000233dc-106.dat	UPX
behavioral2/memory/1260-108-0x00007FF79F640000-0x00007FF79F991000-memory.dmp	UPX
behavioral2/memory/3620-111-0x00007FF65DBE0000-0x00007FF65DF31000-memory.dmp	UPX
behavioral2/files/0x00070000000233dd-113.dat	UPX
behavioral2/memory/4584-104-0x00007FF707FB0000-0x00007FF708301000-memory.dmp	UPX
behavioral2/memory/4512-116-0x00007FF767F40000-0x00007FF768291000-memory.dmp	UPX
behavioral2/files/0x00070000000233de-119.dat	UPX
behavioral2/files/0x00070000000233df-124.dat	UPX
behavioral2/files/0x00070000000233e0-128.dat	UPX
behavioral2/memory/4468-129-0x00007FF656CD0000-0x00007FF657021000-memory.dmp	UPX
behavioral2/memory/2384-137-0x00007FF653DB0000-0x00007FF654101000-memory.dmp	UPX
behavioral2/memory/1996-133-0x00007FF64C800000-0x00007FF64CB51000-memory.dmp	UPX
behavioral2/memory/1276-139-0x00007FF646C00000-0x00007FF646F51000-memory.dmp	UPX
behavioral2/memory/3860-138-0x00007FF692980000-0x00007FF692CD1000-memory.dmp	UPX
behavioral2/memory/2864-145-0x00007FF60A430000-0x00007FF60A781000-memory.dmp	UPX
behavioral2/memory/3820-144-0x00007FF7297E0000-0x00007FF729B31000-memory.dmp	UPX
behavioral2/memory/5068-148-0x00007FF716CF0000-0x00007FF717041000-memory.dmp	UPX
behavioral2/memory/2348-151-0x00007FF760430000-0x00007FF760781000-memory.dmp	UPX
behavioral2/memory/4584-152-0x00007FF707FB0000-0x00007FF708301000-memory.dmp	UPX
behavioral2/memory/2816-200-0x00007FF762560000-0x00007FF7628B1000-memory.dmp	UPX
behavioral2/memory/2264-208-0x00007FF6AFA10000-0x00007FF6AFD61000-memory.dmp	UPX
behavioral2/memory/1052-210-0x00007FF659D70000-0x00007FF65A0C1000-memory.dmp	UPX
behavioral2/memory/1260-212-0x00007FF79F640000-0x00007FF79F991000-memory.dmp	UPX
behavioral2/memory/2528-214-0x00007FF6984F0000-0x00007FF698841000-memory.dmp	UPX
behavioral2/memory/4952-216-0x00007FF72C3C0000-0x00007FF72C711000-memory.dmp	UPX
behavioral2/memory/4468-218-0x00007FF656CD0000-0x00007FF657021000-memory.dmp	UPX
behavioral2/memory/3860-220-0x00007FF692980000-0x00007FF692CD1000-memory.dmp	UPX
behavioral2/memory/3820-222-0x00007FF7297E0000-0x00007FF729B31000-memory.dmp	UPX

XMRig Miner payload 47 IoCs

miner

resource	yara_rule
behavioral2/memory/2264-16-0x00007FF6AFA10000-0x00007FF6AFD61000-memory.dmp	xmrig
behavioral2/memory/1260-26-0x00007FF79F640000-0x00007FF79F991000-memory.dmp	xmrig
behavioral2/memory/2528-37-0x00007FF6984F0000-0x00007FF698841000-memory.dmp	xmrig
behavioral2/memory/4952-42-0x00007FF72C3C0000-0x00007FF72C711000-memory.dmp	xmrig
behavioral2/memory/464-80-0x00007FF76AD80000-0x00007FF76B0D1000-memory.dmp	xmrig
behavioral2/memory/3224-86-0x00007FF64E8D0000-0x00007FF64EC21000-memory.dmp	xmrig
behavioral2/memory/1224-89-0x00007FF6100C0000-0x00007FF610411000-memory.dmp	xmrig
behavioral2/memory/2264-88-0x00007FF6AFA10000-0x00007FF6AFD61000-memory.dmp	xmrig
behavioral2/memory/2816-87-0x00007FF762560000-0x00007FF7628B1000-memory.dmp	xmrig
behavioral2/memory/2348-76-0x00007FF760430000-0x00007FF760781000-memory.dmp	xmrig
behavioral2/memory/816-95-0x00007FF7D2AD0000-0x00007FF7D2E21000-memory.dmp	xmrig
behavioral2/memory/1052-100-0x00007FF659D70000-0x00007FF65A0C1000-memory.dmp	xmrig
behavioral2/memory/1260-108-0x00007FF79F640000-0x00007FF79F991000-memory.dmp	xmrig
behavioral2/memory/3620-111-0x00007FF65DBE0000-0x00007FF65DF31000-memory.dmp	xmrig
behavioral2/memory/4584-104-0x00007FF707FB0000-0x00007FF708301000-memory.dmp	xmrig
behavioral2/memory/4512-116-0x00007FF767F40000-0x00007FF768291000-memory.dmp	xmrig
behavioral2/memory/4468-129-0x00007FF656CD0000-0x00007FF657021000-memory.dmp	xmrig
behavioral2/memory/2384-137-0x00007FF653DB0000-0x00007FF654101000-memory.dmp	xmrig
behavioral2/memory/1996-133-0x00007FF64C800000-0x00007FF64CB51000-memory.dmp	xmrig
behavioral2/memory/1276-139-0x00007FF646C00000-0x00007FF646F51000-memory.dmp	xmrig
behavioral2/memory/3860-138-0x00007FF692980000-0x00007FF692CD1000-memory.dmp	xmrig
behavioral2/memory/2864-145-0x00007FF60A430000-0x00007FF60A781000-memory.dmp	xmrig
behavioral2/memory/3820-144-0x00007FF7297E0000-0x00007FF729B31000-memory.dmp	xmrig
behavioral2/memory/5068-148-0x00007FF716CF0000-0x00007FF717041000-memory.dmp	xmrig
behavioral2/memory/2348-151-0x00007FF760430000-0x00007FF760781000-memory.dmp	xmrig
behavioral2/memory/4584-152-0x00007FF707FB0000-0x00007FF708301000-memory.dmp	xmrig
behavioral2/memory/2816-200-0x00007FF762560000-0x00007FF7628B1000-memory.dmp	xmrig
behavioral2/memory/2264-208-0x00007FF6AFA10000-0x00007FF6AFD61000-memory.dmp	xmrig
behavioral2/memory/1052-210-0x00007FF659D70000-0x00007FF65A0C1000-memory.dmp	xmrig
behavioral2/memory/1260-212-0x00007FF79F640000-0x00007FF79F991000-memory.dmp	xmrig
behavioral2/memory/2528-214-0x00007FF6984F0000-0x00007FF698841000-memory.dmp	xmrig
behavioral2/memory/4952-216-0x00007FF72C3C0000-0x00007FF72C711000-memory.dmp	xmrig
behavioral2/memory/4468-218-0x00007FF656CD0000-0x00007FF657021000-memory.dmp	xmrig
behavioral2/memory/3860-220-0x00007FF692980000-0x00007FF692CD1000-memory.dmp	xmrig
behavioral2/memory/3820-222-0x00007FF7297E0000-0x00007FF729B31000-memory.dmp	xmrig
behavioral2/memory/2864-224-0x00007FF60A430000-0x00007FF60A781000-memory.dmp	xmrig
behavioral2/memory/464-228-0x00007FF76AD80000-0x00007FF76B0D1000-memory.dmp	xmrig
behavioral2/memory/3224-227-0x00007FF64E8D0000-0x00007FF64EC21000-memory.dmp	xmrig
behavioral2/memory/5068-232-0x00007FF716CF0000-0x00007FF717041000-memory.dmp	xmrig
behavioral2/memory/1224-231-0x00007FF6100C0000-0x00007FF610411000-memory.dmp	xmrig
behavioral2/memory/816-235-0x00007FF7D2AD0000-0x00007FF7D2E21000-memory.dmp	xmrig
behavioral2/memory/4584-237-0x00007FF707FB0000-0x00007FF708301000-memory.dmp	xmrig
behavioral2/memory/3620-239-0x00007FF65DBE0000-0x00007FF65DF31000-memory.dmp	xmrig
behavioral2/memory/4512-241-0x00007FF767F40000-0x00007FF768291000-memory.dmp	xmrig
behavioral2/memory/2384-244-0x00007FF653DB0000-0x00007FF654101000-memory.dmp	xmrig
behavioral2/memory/1276-247-0x00007FF646C00000-0x00007FF646F51000-memory.dmp	xmrig
behavioral2/memory/1996-248-0x00007FF64C800000-0x00007FF64CB51000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2816	ShkJORX.exe
2264	STompFf.exe
1052	NTWMHnO.exe
1260	avmEILp.exe
2528	kPdruSp.exe
4952	dZNbGap.exe
3860	ojGRNOP.exe
4468	JeUjfQr.exe
3820	tFbUsdU.exe
2864	dFtPGNK.exe
464	tewTPUj.exe
3224	ZBeQdrT.exe
5068	qkpJCoa.exe
1224	iOpJMjz.exe
816	wXrqBgc.exe
4584	fOIUPzJ.exe
3620	wisnVwH.exe
4512	lgdPyzZ.exe
1996	nThjuiR.exe
2384	mQFgAfj.exe
1276	JDLGERE.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2348-0-0x00007FF760430000-0x00007FF760781000-memory.dmp	upx
behavioral2/files/0x0006000000023276-5.dat	upx
behavioral2/memory/2816-6-0x00007FF762560000-0x00007FF7628B1000-memory.dmp	upx
behavioral2/files/0x00080000000233c9-11.dat	upx
behavioral2/files/0x00070000000233cd-10.dat	upx
behavioral2/memory/2264-16-0x00007FF6AFA10000-0x00007FF6AFD61000-memory.dmp	upx
behavioral2/memory/1052-20-0x00007FF659D70000-0x00007FF65A0C1000-memory.dmp	upx
behavioral2/files/0x00070000000233ce-23.dat	upx
behavioral2/memory/1260-26-0x00007FF79F640000-0x00007FF79F991000-memory.dmp	upx
behavioral2/files/0x00070000000233d0-29.dat	upx
behavioral2/memory/2528-37-0x00007FF6984F0000-0x00007FF698841000-memory.dmp	upx
behavioral2/memory/4952-42-0x00007FF72C3C0000-0x00007FF72C711000-memory.dmp	upx
behavioral2/memory/4468-47-0x00007FF656CD0000-0x00007FF657021000-memory.dmp	upx
behavioral2/memory/3820-52-0x00007FF7297E0000-0x00007FF729B31000-memory.dmp	upx
behavioral2/files/0x00070000000233d5-57.dat	upx
behavioral2/files/0x00070000000233d8-71.dat	upx
behavioral2/memory/464-80-0x00007FF76AD80000-0x00007FF76B0D1000-memory.dmp	upx
behavioral2/memory/3224-86-0x00007FF64E8D0000-0x00007FF64EC21000-memory.dmp	upx
behavioral2/memory/1224-89-0x00007FF6100C0000-0x00007FF610411000-memory.dmp	upx
behavioral2/memory/2264-88-0x00007FF6AFA10000-0x00007FF6AFD61000-memory.dmp	upx
behavioral2/memory/2816-87-0x00007FF762560000-0x00007FF7628B1000-memory.dmp	upx
behavioral2/files/0x00070000000233d9-84.dat	upx
behavioral2/memory/5068-81-0x00007FF716CF0000-0x00007FF717041000-memory.dmp	upx
behavioral2/memory/2348-76-0x00007FF760430000-0x00007FF760781000-memory.dmp	upx
behavioral2/files/0x00070000000233d7-75.dat	upx
behavioral2/files/0x00070000000233d6-73.dat	upx
behavioral2/memory/2864-62-0x00007FF60A430000-0x00007FF60A781000-memory.dmp	upx
behavioral2/files/0x00070000000233d4-55.dat	upx
behavioral2/files/0x00070000000233d3-50.dat	upx
behavioral2/files/0x00070000000233d2-49.dat	upx
behavioral2/memory/3860-45-0x00007FF692980000-0x00007FF692CD1000-memory.dmp	upx
behavioral2/files/0x00070000000233d1-35.dat	upx
behavioral2/files/0x00070000000233da-92.dat	upx
behavioral2/memory/816-95-0x00007FF7D2AD0000-0x00007FF7D2E21000-memory.dmp	upx
behavioral2/memory/1052-100-0x00007FF659D70000-0x00007FF65A0C1000-memory.dmp	upx
behavioral2/files/0x00070000000233db-99.dat	upx
behavioral2/files/0x00070000000233dc-106.dat	upx
behavioral2/memory/1260-108-0x00007FF79F640000-0x00007FF79F991000-memory.dmp	upx
behavioral2/memory/3620-111-0x00007FF65DBE0000-0x00007FF65DF31000-memory.dmp	upx
behavioral2/files/0x00070000000233dd-113.dat	upx
behavioral2/memory/4584-104-0x00007FF707FB0000-0x00007FF708301000-memory.dmp	upx
behavioral2/memory/4512-116-0x00007FF767F40000-0x00007FF768291000-memory.dmp	upx
behavioral2/files/0x00070000000233de-119.dat	upx
behavioral2/files/0x00070000000233df-124.dat	upx
behavioral2/files/0x00070000000233e0-128.dat	upx
behavioral2/memory/4468-129-0x00007FF656CD0000-0x00007FF657021000-memory.dmp	upx
behavioral2/memory/2384-137-0x00007FF653DB0000-0x00007FF654101000-memory.dmp	upx
behavioral2/memory/1996-133-0x00007FF64C800000-0x00007FF64CB51000-memory.dmp	upx
behavioral2/memory/1276-139-0x00007FF646C00000-0x00007FF646F51000-memory.dmp	upx
behavioral2/memory/3860-138-0x00007FF692980000-0x00007FF692CD1000-memory.dmp	upx
behavioral2/memory/2864-145-0x00007FF60A430000-0x00007FF60A781000-memory.dmp	upx
behavioral2/memory/3820-144-0x00007FF7297E0000-0x00007FF729B31000-memory.dmp	upx
behavioral2/memory/5068-148-0x00007FF716CF0000-0x00007FF717041000-memory.dmp	upx
behavioral2/memory/2348-151-0x00007FF760430000-0x00007FF760781000-memory.dmp	upx
behavioral2/memory/4584-152-0x00007FF707FB0000-0x00007FF708301000-memory.dmp	upx
behavioral2/memory/2816-200-0x00007FF762560000-0x00007FF7628B1000-memory.dmp	upx
behavioral2/memory/2264-208-0x00007FF6AFA10000-0x00007FF6AFD61000-memory.dmp	upx
behavioral2/memory/1052-210-0x00007FF659D70000-0x00007FF65A0C1000-memory.dmp	upx
behavioral2/memory/1260-212-0x00007FF79F640000-0x00007FF79F991000-memory.dmp	upx
behavioral2/memory/2528-214-0x00007FF6984F0000-0x00007FF698841000-memory.dmp	upx
behavioral2/memory/4952-216-0x00007FF72C3C0000-0x00007FF72C711000-memory.dmp	upx
behavioral2/memory/4468-218-0x00007FF656CD0000-0x00007FF657021000-memory.dmp	upx
behavioral2/memory/3860-220-0x00007FF692980000-0x00007FF692CD1000-memory.dmp	upx
behavioral2/memory/3820-222-0x00007FF7297E0000-0x00007FF729B31000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\STompFf.exe	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ojGRNOP.exe	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\nThjuiR.exe	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\mQFgAfj.exe	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\kPdruSp.exe	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\dZNbGap.exe	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\JeUjfQr.exe	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\tFbUsdU.exe	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\tewTPUj.exe	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\wXrqBgc.exe	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\fOIUPzJ.exe	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\dFtPGNK.exe	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\qkpJCoa.exe	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\iOpJMjz.exe	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\wisnVwH.exe	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\JDLGERE.exe	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ShkJORX.exe	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\NTWMHnO.exe	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\avmEILp.exe	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ZBeQdrT.exe	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\lgdPyzZ.exe	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2348	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	2348	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2348 wrote to memory of 2816	2348	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe	83
PID 2348 wrote to memory of 2816	2348	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe	83
PID 2348 wrote to memory of 2264	2348	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe	84
PID 2348 wrote to memory of 2264	2348	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe	84
PID 2348 wrote to memory of 1052	2348	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe	85
PID 2348 wrote to memory of 1052	2348	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe	85
PID 2348 wrote to memory of 1260	2348	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe	86
PID 2348 wrote to memory of 1260	2348	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe	86
PID 2348 wrote to memory of 2528	2348	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe	87
PID 2348 wrote to memory of 2528	2348	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe	87
PID 2348 wrote to memory of 4952	2348	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe	89
PID 2348 wrote to memory of 4952	2348	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe	89
PID 2348 wrote to memory of 3860	2348	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe	90
PID 2348 wrote to memory of 3860	2348	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe	90
PID 2348 wrote to memory of 4468	2348	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe	91
PID 2348 wrote to memory of 4468	2348	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe	91
PID 2348 wrote to memory of 3820	2348	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe	92
PID 2348 wrote to memory of 3820	2348	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe	92
PID 2348 wrote to memory of 2864	2348	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe	93
PID 2348 wrote to memory of 2864	2348	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe	93
PID 2348 wrote to memory of 464	2348	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe	94
PID 2348 wrote to memory of 464	2348	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe	94
PID 2348 wrote to memory of 3224	2348	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe	95
PID 2348 wrote to memory of 3224	2348	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe	95
PID 2348 wrote to memory of 5068	2348	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe	96
PID 2348 wrote to memory of 5068	2348	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe	96
PID 2348 wrote to memory of 1224	2348	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe	97
PID 2348 wrote to memory of 1224	2348	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe	97
PID 2348 wrote to memory of 816	2348	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe	98
PID 2348 wrote to memory of 816	2348	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe	98
PID 2348 wrote to memory of 4584	2348	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe	100
PID 2348 wrote to memory of 4584	2348	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe	100
PID 2348 wrote to memory of 3620	2348	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe	101
PID 2348 wrote to memory of 3620	2348	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe	101
PID 2348 wrote to memory of 4512	2348	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe	102
PID 2348 wrote to memory of 4512	2348	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe	102
PID 2348 wrote to memory of 1996	2348	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe	103
PID 2348 wrote to memory of 1996	2348	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe	103
PID 2348 wrote to memory of 2384	2348	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe	105
PID 2348 wrote to memory of 2384	2348	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe	105
PID 2348 wrote to memory of 1276	2348	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe	106
PID 2348 wrote to memory of 1276	2348	2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe	106

C:\Users\Admin\AppData\Local\Temp\2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-30_7b58ae31b28cdcf1f61fe13af1dab6e1_cobalt-strike_cobaltstrike.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2348
- C:\Windows\System\ShkJORX.exe
  C:\Windows\System\ShkJORX.exe
  2⤵
  - Executes dropped EXE
  PID:2816
- C:\Windows\System\STompFf.exe
  C:\Windows\System\STompFf.exe
  2⤵
  - Executes dropped EXE
  PID:2264
- C:\Windows\System\NTWMHnO.exe
  C:\Windows\System\NTWMHnO.exe
  2⤵
  - Executes dropped EXE
  PID:1052
- C:\Windows\System\avmEILp.exe
  C:\Windows\System\avmEILp.exe
  2⤵
  - Executes dropped EXE
  PID:1260
- C:\Windows\System\kPdruSp.exe
  C:\Windows\System\kPdruSp.exe
  2⤵
  - Executes dropped EXE
  PID:2528
- C:\Windows\System\dZNbGap.exe
  C:\Windows\System\dZNbGap.exe
  2⤵
  - Executes dropped EXE
  PID:4952
- C:\Windows\System\ojGRNOP.exe
  C:\Windows\System\ojGRNOP.exe
  2⤵
  - Executes dropped EXE
  PID:3860
- C:\Windows\System\JeUjfQr.exe
  C:\Windows\System\JeUjfQr.exe
  2⤵
  - Executes dropped EXE
  PID:4468
- C:\Windows\System\tFbUsdU.exe
  C:\Windows\System\tFbUsdU.exe
  2⤵
  - Executes dropped EXE
  PID:3820
- C:\Windows\System\dFtPGNK.exe
  C:\Windows\System\dFtPGNK.exe
  2⤵
  - Executes dropped EXE
  PID:2864
- C:\Windows\System\tewTPUj.exe
  C:\Windows\System\tewTPUj.exe
  2⤵
  - Executes dropped EXE
  PID:464
- C:\Windows\System\ZBeQdrT.exe
  C:\Windows\System\ZBeQdrT.exe
  2⤵
  - Executes dropped EXE
  PID:3224
- C:\Windows\System\qkpJCoa.exe
  C:\Windows\System\qkpJCoa.exe
  2⤵
  - Executes dropped EXE
  PID:5068
- C:\Windows\System\iOpJMjz.exe
  C:\Windows\System\iOpJMjz.exe
  2⤵
  - Executes dropped EXE
  PID:1224
- C:\Windows\System\wXrqBgc.exe
  C:\Windows\System\wXrqBgc.exe
  2⤵
  - Executes dropped EXE
  PID:816
- C:\Windows\System\fOIUPzJ.exe
  C:\Windows\System\fOIUPzJ.exe
  2⤵
  - Executes dropped EXE
  PID:4584
- C:\Windows\System\wisnVwH.exe
  C:\Windows\System\wisnVwH.exe
  2⤵
  - Executes dropped EXE
  PID:3620
- C:\Windows\System\lgdPyzZ.exe
  C:\Windows\System\lgdPyzZ.exe
  2⤵
  - Executes dropped EXE
  PID:4512
- C:\Windows\System\nThjuiR.exe
  C:\Windows\System\nThjuiR.exe
  2⤵
  - Executes dropped EXE
  PID:1996
- C:\Windows\System\mQFgAfj.exe
  C:\Windows\System\mQFgAfj.exe
  2⤵
  - Executes dropped EXE
  PID:2384
- C:\Windows\System\JDLGERE.exe
  C:\Windows\System\JDLGERE.exe
  2⤵
  - Executes dropped EXE
  PID:1276

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\JDLGERE.exe

Filesize
5.2MB

MD5
e5fbd52da7ecb2111908c3d9537d4471

SHA1
ec7381a20fa6380d5cb8229fbcdc0f4933655473

SHA256
de583db6a9ae0183526ff5993feff6ca87cbf01201b4a791b396a3505ade1d84

SHA512
f5bea2543635e05956321ff1a8be1501b9191e290de467970005e29e0b6c038fd2b92f385d90e5159ac0940c3888290da41e86a4e2ba336023dc3931a8e0ec12

Download Submit
C:\Windows\System\JeUjfQr.exe

Filesize
5.2MB

MD5
bdbf24eb091efb2a04a3a00f6643daf9

SHA1
a6cee34328a6f788e2408a5e7c270f14260a01a9

SHA256
350c267ea4d59d3333c4078ae377cda5249fa8e6fd9059346929b65287bbbe1d

SHA512
714591e586f640be1758b40353f398cb833a9d2d5bebf6105116a1e906e12057531a24c9e81f9cc73963b8c8e1f3b3d0197b1ce3ac92dd8b633e0a6aa06acc35

Download Submit
C:\Windows\System\NTWMHnO.exe

Filesize
5.2MB

MD5
078ae1879b58d400f5b7b25b40441a2c

SHA1
80a50fdb8f32d39f1e1d54593d74966f2f534618

SHA256
2e66d88c7fe780177d58874599e726cf7f0be7dd51aebbf7efd44be8555149d1

SHA512
2b9272f3b1504bbe0f5052be9a9f19278836412b8cf2062105d5413e443d80c1a323d196514455d17207c754c103ef0fe7cc8a5fee9558d2f699f1a6fbb82b64

Download Submit
C:\Windows\System\STompFf.exe

Filesize
5.2MB

MD5
e3f55f1b5a040896d8356725bb333d71

SHA1
a57cce631893d0e25267402869808645051c7547

SHA256
1b1eeedb59f0fc58a2afea9b299e6b79716544ea21c80726ce5a18ecb1148946

SHA512
aa8fbded958d0288779d06feffce64adab1a23ef07b8d5e080c989405ae43dd5aff791049d4263497d761f2ed94a37104dfc758a0db40ba6e1e93bc28871fb2d

Download Submit
C:\Windows\System\ShkJORX.exe

Filesize
5.2MB

MD5
3b1d2cd30ddf48ffda3009fe874393f0

SHA1
cbc1822e93c025f143d0698bd6903dd152a767db

SHA256
281b5a7f0260a1ddc5deb79bb13d191a7cd1a2cb299cdae1165b59ebe097c8a6

SHA512
e166b1667b7eda187fdfba73bd221c17457a27968a97b5e074aa3e45cf5d2317195f81e45a6dc51ce4a1cba40906c2939d1be682f82e4c4317dc527b5b9e7c88

Download Submit
C:\Windows\System\ZBeQdrT.exe

Filesize
5.2MB

MD5
0785fea7dd66dec2130c2ec5a7ca1f70

SHA1
3b3ef960d136b16d624fbc4d73e2fc6ba4169ab1

SHA256
1b537091e861936bcb7bd6f723b9509811900cdbc6a4546f1af544e30197fea3

SHA512
01359c53bf6f0e1e69197d10b39aa9051f5957144b56ec99036b5e788e14a35df85e192886ef9874cc2c55686ccb50d67695131ee4fc1b8e0bcaf168eba8d49e

Download Submit
C:\Windows\System\avmEILp.exe

Filesize
5.2MB

MD5
cf1479e784ee45ba0954cac5c2b8ab25

SHA1
a51c6c267321c22b6aa29b0ef859eeb6ac27822d

SHA256
c28fa468cbc09569715bdc1b01f66899ce9acf7247af6c627b6a054f1384a287

SHA512
b09e8ea21aebaa62214fae348ba74d1ed97ece6e31f4a1396a443f1b18d5b15bd3fc3a18475f4d261823e654e000f5c260fb9fffd0a7e656e57f3ace08a9345d

Download Submit
C:\Windows\System\dFtPGNK.exe

Filesize
5.2MB

MD5
834fd0f948e3730cb7fc46a4c7170c7a

SHA1
82de6056c70a00c5c552509256fab052c27de379

SHA256
9a1c3dfcacb8a87992e592c3b78692f707a9ecb86e6fedee8fed940b655146f7

SHA512
dc7306f4a03db0450da9261e567ec10bef1468ee125eeaa43f351e64c87bc536f4723733481170e6343642d4fe6119a75ba214b7cc831617a096d364bf5d9ef3

Download Submit
C:\Windows\System\dZNbGap.exe

Filesize
5.2MB

MD5
ad650abef55b7591aba7c5b5aae11b59

SHA1
33b4af0959a777b6bf424777d40fe56552ae6025

SHA256
f1d8fdf4777bd6fa06834b7e5733dc3feee8c2d94425fc4633506fca426aafb7

SHA512
cb38586e3d4738399fa79b1ecbbcd7da9f23af466561cebf04ff9fce539648f190feb2b6804f49dc588e89728cde87eeacbb9ff54a7d04b639578742ae51cf9c

Download Submit
C:\Windows\System\fOIUPzJ.exe

Filesize
5.2MB

MD5
1483ef5dec1fa44cbda3ff2566120b70

SHA1
f4b0622254c0a89a6b8113ef67eeb5de9d8dd65d

SHA256
d3a39f3566a88d95217c62fc67c5f6424a28ec7c781b6a40dca983f0920f62c4

SHA512
820206ab20bdabe193cf513b34695a95650f8ebf9c3c2e34f569d67e1a8c9f9d1243b324068246b1015256274c0a74bceffda3829d2b320655b361e9eb49b8b3

Download Submit
C:\Windows\System\iOpJMjz.exe

Filesize
5.2MB

MD5
54f49817441783f43999cd59e302148c

SHA1
fb724210f7b8e1a6484cd18adf3bbd2fa8c3c78f

SHA256
27514bd162d31aa80bde7d30cd90b11621d1e01e075f53a3dd9b8433b0b7e167

SHA512
e1c34eafd2a3335725ecdf5acb4d622c1d0bbaef74fed794ed2ce98a64387afef7451a4880564fa270680d51307f7456a185ee50c8f9162ab86fb8a1798082df

Download Submit
C:\Windows\System\kPdruSp.exe

Filesize
5.2MB

MD5
55cf3231dea085eb0443e000a26fe44b

SHA1
00dc401f5dcafcbe9c962f9ce99db431dd183d69

SHA256
c37c7bb34d4aab390c2887ca80251a349d0a6e3d52d3bb34dbd8b711405988d6

SHA512
8e56e51442175e9c6d329c5951b0fd21a40e51076211ebd249cfbf07ea92ca8164e9333d523ae0d5fc15d79eb535cc038e1b18676a6fe679c31fc19eb9b4dff9

Download Submit
C:\Windows\System\lgdPyzZ.exe

Filesize
5.2MB

MD5
1c2eab634874e0a1b0dcd5a19cd0f87c

SHA1
9bbc2c227f64f953fa97ef1cdc342c04fd39ae87

SHA256
33a398f9ce8f6d6589c3fa79d4c8d29d620481111b54fb109abed7ac8288b6da

SHA512
14fb0537a534a9a7c354f44c577291a35459b04ceb7c85b4f0476a4db12930e043964b808eeb69c8497ac7cba60b5002c232935583dcf7dc67e14838a9586dcb

Download Submit
C:\Windows\System\mQFgAfj.exe

Filesize
5.2MB

MD5
8759b45b815fb788ea0cbae73170753a

SHA1
a80ba893ac161653a5bb4444d92b02d702796fa7

SHA256
9c6c6894bccb7001aa471c1e5e7c55cc64c6e6e797344a1a4d21b791de170df4

SHA512
66883932767816a6fad72d8667f66224abfad2d44f872c56e3e3c6325d60c3dc15488b26ecee0f5a33a0cbb39025e9e1c92edcaead2f9c3c7ef0c3bb9c711d0b

Download Submit
C:\Windows\System\nThjuiR.exe

Filesize
5.2MB

MD5
a95f23ebad58c58de7809a72cacc34b1

SHA1
ce55b4ae53d5a26199586533036be7ca5679b825

SHA256
8a3ba6e694b07ba109e5ad8fa6849b19bbfb250d063575ac1792f92fb21d0ce4

SHA512
318d1356b2b0963578e2bd15bd3b3557ed04edb11bf57a92d0b07b617211d2736ff50f3edc936a90afc96433d894deef14a8dbc06d7b2a8aaaf160497404a0a0

Download Submit
C:\Windows\System\ojGRNOP.exe

Filesize
5.2MB

MD5
9b72fb1ad6709dafcc2bc107cbaa0987

SHA1
8e282ebe529ba4d3f8926023af17155952461765

SHA256
8888a1198d48f83bf813f8a11613e2ed25748b4ebb60e0210cac7c672ad5649e

SHA512
a616ea5e99d9ec8ee00a1af083f493d3f928ddbaf924ad8cb2d8761832eecaf5675cb06b3310151349b442e51ef114d876a84e02c3fa85c88c3dd81eaf171955

Download Submit
C:\Windows\System\qkpJCoa.exe

Filesize
5.2MB

MD5
9ea4418f412d7e1420ee0708f2693478

SHA1
6f7c4a094350df13446394182c9af9a74a1342ed

SHA256
dcd04d07fa73a3a2379e2356fc1d2d8448b981dffec2403dba6d01d3d7f4456a

SHA512
0b08e600349d616f77e601fb68625ad4ff282c9d4c7d0f681e5ba1354b972a2d762e62dffbcaa3b85596cbc503cdef5f91895e82df73f79df93f30c24a561129

Download Submit
C:\Windows\System\tFbUsdU.exe

Filesize
5.2MB

MD5
843baa6df3ccf6ad8019d388cec46e36

SHA1
57eba8f672fe7ed5ab804518009cf5f09dda5cd2

SHA256
fafeabc6f900ce05205e737d86bdfc2d8f8009e1880d4a10e9f77eda7091d04e

SHA512
7f99aaf746f6129ac3bd853bcabadf6e27576a5eb8f51d60f7ea3f95b44e480465ef3c89762078a17e944fd1c03b9c26d4819ad05f64ffdc5bfb574cdd18e315

Download Submit
C:\Windows\System\tewTPUj.exe

Filesize
5.2MB

MD5
8231afc5a3207995276d2ea432a743e3

SHA1
55cbb303c874a357f4539b09fedb24ee02d308b4

SHA256
878b624bad8f5ec4b2d3b4fc9bb1fa974a0569971f1d2559b11a40c5e353111c

SHA512
d7e8311cbb037c187444cda1797b78c9747d251ad1497e3cda32d16c945517161e699ef8b6adbea82c934dca3b23577a69459583141faadf78a5ecbe940f7ea6

Download Submit
C:\Windows\System\wXrqBgc.exe

Filesize
5.2MB

MD5
07c88d1c9ca4b2a5135a74881fa47223

SHA1
c62b183b5bae662d3e8d8ee2840785e1e2c19ede

SHA256
5fe18ae6e3937cf6cf5556c3467991147b76ba0988612495b652b81f6aadd96c

SHA512
2bf4ca4f42f4ba84906900a05b5011c8684668989785ffd78a5f27083230e9fc30023e09f8eb58086be0e8f4d8061507eec40b8d4426adcc2806568294904422

Download Submit
C:\Windows\System\wisnVwH.exe

Filesize
5.2MB

MD5
b79b91abe32d09a789e21c2721cc4963

SHA1
33d839f41bfe3748df6f5bd3870d0eb015e16777

SHA256
fc355971d7a57721494120a5a7c1d72d2ff1e5ec24f31280fbc624de59f10116

SHA512
437b0a00c427879421e5992dfbc936e7ffa82debe1db45e9aab649e51da495075b64148fee65efe4de503fb8b03e4a2ad6ec1e3af315f7e3296a51a8e9036102

Download Submit
memory/464-228-0x00007FF76AD80000-0x00007FF76B0D1000-memory.dmp

Filesize
3.3MB

Download
memory/464-80-0x00007FF76AD80000-0x00007FF76B0D1000-memory.dmp

Filesize
3.3MB

Download
memory/816-95-0x00007FF7D2AD0000-0x00007FF7D2E21000-memory.dmp

Filesize
3.3MB

Download
memory/816-235-0x00007FF7D2AD0000-0x00007FF7D2E21000-memory.dmp

Filesize
3.3MB

Download
memory/1052-20-0x00007FF659D70000-0x00007FF65A0C1000-memory.dmp

Filesize
3.3MB

Download
memory/1052-210-0x00007FF659D70000-0x00007FF65A0C1000-memory.dmp

Filesize
3.3MB

Download
memory/1052-100-0x00007FF659D70000-0x00007FF65A0C1000-memory.dmp

Filesize
3.3MB

Download
memory/1224-89-0x00007FF6100C0000-0x00007FF610411000-memory.dmp

Filesize
3.3MB

Download
memory/1224-231-0x00007FF6100C0000-0x00007FF610411000-memory.dmp

Filesize
3.3MB

Download
memory/1260-26-0x00007FF79F640000-0x00007FF79F991000-memory.dmp

Filesize
3.3MB

Download
memory/1260-108-0x00007FF79F640000-0x00007FF79F991000-memory.dmp

Filesize
3.3MB

Download
memory/1260-212-0x00007FF79F640000-0x00007FF79F991000-memory.dmp

Filesize
3.3MB

Download
memory/1276-139-0x00007FF646C00000-0x00007FF646F51000-memory.dmp

Filesize
3.3MB

Download
memory/1276-247-0x00007FF646C00000-0x00007FF646F51000-memory.dmp

Filesize
3.3MB

Download
memory/1996-133-0x00007FF64C800000-0x00007FF64CB51000-memory.dmp

Filesize
3.3MB

Download
memory/1996-248-0x00007FF64C800000-0x00007FF64CB51000-memory.dmp

Filesize
3.3MB

Download
memory/2264-88-0x00007FF6AFA10000-0x00007FF6AFD61000-memory.dmp

Filesize
3.3MB

Download
memory/2264-16-0x00007FF6AFA10000-0x00007FF6AFD61000-memory.dmp

Filesize
3.3MB

Download
memory/2264-208-0x00007FF6AFA10000-0x00007FF6AFD61000-memory.dmp

Filesize
3.3MB

Download
memory/2348-0-0x00007FF760430000-0x00007FF760781000-memory.dmp

Filesize
3.3MB

Download
memory/2348-1-0x0000021843D50000-0x0000021843D60000-memory.dmp

Filesize
64KB

Download
memory/2348-76-0x00007FF760430000-0x00007FF760781000-memory.dmp

Filesize
3.3MB

Download
memory/2348-151-0x00007FF760430000-0x00007FF760781000-memory.dmp

Filesize
3.3MB

Download
memory/2384-244-0x00007FF653DB0000-0x00007FF654101000-memory.dmp

Filesize
3.3MB

Download
memory/2384-137-0x00007FF653DB0000-0x00007FF654101000-memory.dmp

Filesize
3.3MB

Download
memory/2528-37-0x00007FF6984F0000-0x00007FF698841000-memory.dmp

Filesize
3.3MB

Download
memory/2528-214-0x00007FF6984F0000-0x00007FF698841000-memory.dmp

Filesize
3.3MB

Download
memory/2816-200-0x00007FF762560000-0x00007FF7628B1000-memory.dmp

Filesize
3.3MB

Download
memory/2816-6-0x00007FF762560000-0x00007FF7628B1000-memory.dmp

Filesize
3.3MB

Download
memory/2816-87-0x00007FF762560000-0x00007FF7628B1000-memory.dmp

Filesize
3.3MB

Download
memory/2864-145-0x00007FF60A430000-0x00007FF60A781000-memory.dmp

Filesize
3.3MB

Download
memory/2864-62-0x00007FF60A430000-0x00007FF60A781000-memory.dmp

Filesize
3.3MB

Download
memory/2864-224-0x00007FF60A430000-0x00007FF60A781000-memory.dmp

Filesize
3.3MB

Download
memory/3224-86-0x00007FF64E8D0000-0x00007FF64EC21000-memory.dmp

Filesize
3.3MB

Download
memory/3224-227-0x00007FF64E8D0000-0x00007FF64EC21000-memory.dmp

Filesize
3.3MB

Download
memory/3620-111-0x00007FF65DBE0000-0x00007FF65DF31000-memory.dmp

Filesize
3.3MB

Download
memory/3620-239-0x00007FF65DBE0000-0x00007FF65DF31000-memory.dmp

Filesize
3.3MB

Download
memory/3820-144-0x00007FF7297E0000-0x00007FF729B31000-memory.dmp

Filesize
3.3MB

Download
memory/3820-52-0x00007FF7297E0000-0x00007FF729B31000-memory.dmp

Filesize
3.3MB

Download
memory/3820-222-0x00007FF7297E0000-0x00007FF729B31000-memory.dmp

Filesize
3.3MB

Download
memory/3860-220-0x00007FF692980000-0x00007FF692CD1000-memory.dmp

Filesize
3.3MB

Download
memory/3860-138-0x00007FF692980000-0x00007FF692CD1000-memory.dmp

Filesize
3.3MB

Download
memory/3860-45-0x00007FF692980000-0x00007FF692CD1000-memory.dmp

Filesize
3.3MB

Download
memory/4468-129-0x00007FF656CD0000-0x00007FF657021000-memory.dmp

Filesize
3.3MB

Download
memory/4468-47-0x00007FF656CD0000-0x00007FF657021000-memory.dmp

Filesize
3.3MB

Download
memory/4468-218-0x00007FF656CD0000-0x00007FF657021000-memory.dmp

Filesize
3.3MB

Download
memory/4512-116-0x00007FF767F40000-0x00007FF768291000-memory.dmp

Filesize
3.3MB

Download
memory/4512-241-0x00007FF767F40000-0x00007FF768291000-memory.dmp

Filesize
3.3MB

Download
memory/4584-237-0x00007FF707FB0000-0x00007FF708301000-memory.dmp

Filesize
3.3MB

Download
memory/4584-104-0x00007FF707FB0000-0x00007FF708301000-memory.dmp

Filesize
3.3MB

Download
memory/4584-152-0x00007FF707FB0000-0x00007FF708301000-memory.dmp

Filesize
3.3MB

Download
memory/4952-42-0x00007FF72C3C0000-0x00007FF72C711000-memory.dmp

Filesize
3.3MB

Download
memory/4952-216-0x00007FF72C3C0000-0x00007FF72C711000-memory.dmp

Filesize
3.3MB

Download
memory/5068-232-0x00007FF716CF0000-0x00007FF717041000-memory.dmp

Filesize
3.3MB

Download
memory/5068-81-0x00007FF716CF0000-0x00007FF717041000-memory.dmp

Filesize
3.3MB

Download
memory/5068-148-0x00007FF716CF0000-0x00007FF717041000-memory.dmp

Filesize
3.3MB

Download