cobaltstrike | fc240af07e73a4f1ebe9b5beaf1f820e8ed23bf75e3be627eb6c1313bea1815d

Analysis

max time kernel
142s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
30/05/2024, 18:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-30_065763a67479bb661c6a95ea07408955_cobalt-strike_cobaltstrike.exe
Size

5.9MB
MD5

065763a67479bb661c6a95ea07408955
SHA1

6053c74c6390cce0eb9baf3828eeaaf8184e80a4
SHA256

fc240af07e73a4f1ebe9b5beaf1f820e8ed23bf75e3be627eb6c1313bea1815d
SHA512

f08138d885a896e44b6cb8cb20e3691bc688178ab64fba5cbe03cbff7af0c9f130d9d7eee86a598b65ed3cab69268ef2866b2bf53e8c4e5cf2945448e2f122c6
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUQ:Q+856utgpPF8u/7Q

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000900000002340b-6.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002340f-10.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023411-27.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023412-29.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023410-22.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023413-35.dat	cobalt_reflective_dll
behavioral2/files/0x000800000002340c-39.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023414-47.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023415-52.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023416-59.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023418-66.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023419-70.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002341a-72.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002341b-84.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002341e-95.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002341f-102.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023422-116.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023423-119.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023420-122.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023421-120.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002341d-91.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

resource	yara_rule
behavioral2/files/0x000900000002340b-6.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002340f-10.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023411-27.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023412-29.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023410-22.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023413-35.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000800000002340c-39.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023414-47.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023415-52.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023416-59.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023418-66.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023419-70.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002341a-72.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002341b-84.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002341e-95.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002341f-102.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023422-116.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023423-119.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023420-122.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023421-120.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002341d-91.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

resource	yara_rule
behavioral2/memory/2168-0-0x00007FF7B4F50000-0x00007FF7B52A4000-memory.dmp	UPX
behavioral2/files/0x000900000002340b-6.dat	UPX
behavioral2/files/0x000700000002340f-10.dat	UPX
behavioral2/memory/4220-21-0x00007FF73BD00000-0x00007FF73C054000-memory.dmp	UPX
behavioral2/files/0x0007000000023411-27.dat	UPX
behavioral2/files/0x0007000000023412-29.dat	UPX
behavioral2/memory/4676-30-0x00007FF665DB0000-0x00007FF666104000-memory.dmp	UPX
behavioral2/memory/4840-24-0x00007FF6591B0000-0x00007FF659504000-memory.dmp	UPX
behavioral2/files/0x0007000000023410-22.dat	UPX
behavioral2/memory/2280-18-0x00007FF659080000-0x00007FF6593D4000-memory.dmp	UPX
behavioral2/memory/3320-8-0x00007FF7D3980000-0x00007FF7D3CD4000-memory.dmp	UPX
behavioral2/files/0x0007000000023413-35.dat	UPX
behavioral2/memory/4692-40-0x00007FF7EC4B0000-0x00007FF7EC804000-memory.dmp	UPX
behavioral2/files/0x000800000002340c-39.dat	UPX
behavioral2/files/0x0007000000023414-47.dat	UPX
behavioral2/files/0x0007000000023415-52.dat	UPX
behavioral2/memory/2480-44-0x00007FF6070B0000-0x00007FF607404000-memory.dmp	UPX
behavioral2/memory/2124-57-0x00007FF653C80000-0x00007FF653FD4000-memory.dmp	UPX
behavioral2/files/0x0007000000023416-59.dat	UPX
behavioral2/files/0x0007000000023418-66.dat	UPX
behavioral2/files/0x0007000000023419-70.dat	UPX
behavioral2/files/0x000700000002341a-72.dat	UPX
behavioral2/memory/5028-75-0x00007FF615280000-0x00007FF6155D4000-memory.dmp	UPX
behavioral2/memory/1868-79-0x00007FF7FE5F0000-0x00007FF7FE944000-memory.dmp	UPX
behavioral2/memory/3576-78-0x00007FF7CBA30000-0x00007FF7CBD84000-memory.dmp	UPX
behavioral2/memory/2964-63-0x00007FF7CFA60000-0x00007FF7CFDB4000-memory.dmp	UPX
behavioral2/memory/1076-54-0x00007FF7E0730000-0x00007FF7E0A84000-memory.dmp	UPX
behavioral2/files/0x000700000002341b-84.dat	UPX
behavioral2/memory/1952-90-0x00007FF6856A0000-0x00007FF6859F4000-memory.dmp	UPX
behavioral2/files/0x000700000002341e-95.dat	UPX
behavioral2/memory/436-96-0x00007FF7E0440000-0x00007FF7E0794000-memory.dmp	UPX
behavioral2/files/0x000700000002341f-102.dat	UPX
behavioral2/files/0x0007000000023422-116.dat	UPX
behavioral2/files/0x0007000000023423-119.dat	UPX
behavioral2/files/0x0007000000023420-122.dat	UPX
behavioral2/files/0x0007000000023421-120.dat	UPX
behavioral2/memory/4676-114-0x00007FF665DB0000-0x00007FF666104000-memory.dmp	UPX
behavioral2/memory/4808-112-0x00007FF738800000-0x00007FF738B54000-memory.dmp	UPX
behavioral2/memory/4840-108-0x00007FF6591B0000-0x00007FF659504000-memory.dmp	UPX
behavioral2/memory/4220-106-0x00007FF73BD00000-0x00007FF73C054000-memory.dmp	UPX
behavioral2/memory/4588-99-0x00007FF6EA450000-0x00007FF6EA7A4000-memory.dmp	UPX
behavioral2/files/0x000700000002341d-91.dat	UPX
behavioral2/memory/2168-86-0x00007FF7B4F50000-0x00007FF7B52A4000-memory.dmp	UPX
behavioral2/memory/2256-128-0x00007FF643670000-0x00007FF6439C4000-memory.dmp	UPX
behavioral2/memory/4316-130-0x00007FF719F10000-0x00007FF71A264000-memory.dmp	UPX
behavioral2/memory/3056-132-0x00007FF7E20D0000-0x00007FF7E2424000-memory.dmp	UPX
behavioral2/memory/2480-133-0x00007FF6070B0000-0x00007FF607404000-memory.dmp	UPX
behavioral2/memory/4072-129-0x00007FF7AF320000-0x00007FF7AF674000-memory.dmp	UPX
behavioral2/memory/4692-131-0x00007FF7EC4B0000-0x00007FF7EC804000-memory.dmp	UPX
behavioral2/memory/2964-134-0x00007FF7CFA60000-0x00007FF7CFDB4000-memory.dmp	UPX
behavioral2/memory/3576-135-0x00007FF7CBA30000-0x00007FF7CBD84000-memory.dmp	UPX
behavioral2/memory/4588-136-0x00007FF6EA450000-0x00007FF6EA7A4000-memory.dmp	UPX
behavioral2/memory/2256-137-0x00007FF643670000-0x00007FF6439C4000-memory.dmp	UPX
behavioral2/memory/3320-138-0x00007FF7D3980000-0x00007FF7D3CD4000-memory.dmp	UPX
behavioral2/memory/2280-139-0x00007FF659080000-0x00007FF6593D4000-memory.dmp	UPX
behavioral2/memory/4220-140-0x00007FF73BD00000-0x00007FF73C054000-memory.dmp	UPX
behavioral2/memory/4840-141-0x00007FF6591B0000-0x00007FF659504000-memory.dmp	UPX
behavioral2/memory/4676-142-0x00007FF665DB0000-0x00007FF666104000-memory.dmp	UPX
behavioral2/memory/4692-143-0x00007FF7EC4B0000-0x00007FF7EC804000-memory.dmp	UPX
behavioral2/memory/2480-144-0x00007FF6070B0000-0x00007FF607404000-memory.dmp	UPX
behavioral2/memory/2124-145-0x00007FF653C80000-0x00007FF653FD4000-memory.dmp	UPX
behavioral2/memory/1076-146-0x00007FF7E0730000-0x00007FF7E0A84000-memory.dmp	UPX
behavioral2/memory/2964-147-0x00007FF7CFA60000-0x00007FF7CFDB4000-memory.dmp	UPX
behavioral2/memory/5028-148-0x00007FF615280000-0x00007FF6155D4000-memory.dmp	UPX

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/2168-0-0x00007FF7B4F50000-0x00007FF7B52A4000-memory.dmp	xmrig
behavioral2/files/0x000900000002340b-6.dat	xmrig
behavioral2/files/0x000700000002340f-10.dat	xmrig
behavioral2/memory/4220-21-0x00007FF73BD00000-0x00007FF73C054000-memory.dmp	xmrig
behavioral2/files/0x0007000000023411-27.dat	xmrig
behavioral2/files/0x0007000000023412-29.dat	xmrig
behavioral2/memory/4676-30-0x00007FF665DB0000-0x00007FF666104000-memory.dmp	xmrig
behavioral2/memory/4840-24-0x00007FF6591B0000-0x00007FF659504000-memory.dmp	xmrig
behavioral2/files/0x0007000000023410-22.dat	xmrig
behavioral2/memory/2280-18-0x00007FF659080000-0x00007FF6593D4000-memory.dmp	xmrig
behavioral2/memory/3320-8-0x00007FF7D3980000-0x00007FF7D3CD4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023413-35.dat	xmrig
behavioral2/memory/4692-40-0x00007FF7EC4B0000-0x00007FF7EC804000-memory.dmp	xmrig
behavioral2/files/0x000800000002340c-39.dat	xmrig
behavioral2/files/0x0007000000023414-47.dat	xmrig
behavioral2/files/0x0007000000023415-52.dat	xmrig
behavioral2/memory/2480-44-0x00007FF6070B0000-0x00007FF607404000-memory.dmp	xmrig
behavioral2/memory/2124-57-0x00007FF653C80000-0x00007FF653FD4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023416-59.dat	xmrig
behavioral2/files/0x0007000000023418-66.dat	xmrig
behavioral2/files/0x0007000000023419-70.dat	xmrig
behavioral2/files/0x000700000002341a-72.dat	xmrig
behavioral2/memory/5028-75-0x00007FF615280000-0x00007FF6155D4000-memory.dmp	xmrig
behavioral2/memory/1868-79-0x00007FF7FE5F0000-0x00007FF7FE944000-memory.dmp	xmrig
behavioral2/memory/3576-78-0x00007FF7CBA30000-0x00007FF7CBD84000-memory.dmp	xmrig
behavioral2/memory/2964-63-0x00007FF7CFA60000-0x00007FF7CFDB4000-memory.dmp	xmrig
behavioral2/memory/1076-54-0x00007FF7E0730000-0x00007FF7E0A84000-memory.dmp	xmrig
behavioral2/files/0x000700000002341b-84.dat	xmrig
behavioral2/memory/1952-90-0x00007FF6856A0000-0x00007FF6859F4000-memory.dmp	xmrig
behavioral2/files/0x000700000002341e-95.dat	xmrig
behavioral2/memory/436-96-0x00007FF7E0440000-0x00007FF7E0794000-memory.dmp	xmrig
behavioral2/files/0x000700000002341f-102.dat	xmrig
behavioral2/files/0x0007000000023422-116.dat	xmrig
behavioral2/files/0x0007000000023423-119.dat	xmrig
behavioral2/files/0x0007000000023420-122.dat	xmrig
behavioral2/files/0x0007000000023421-120.dat	xmrig
behavioral2/memory/4676-114-0x00007FF665DB0000-0x00007FF666104000-memory.dmp	xmrig
behavioral2/memory/4808-112-0x00007FF738800000-0x00007FF738B54000-memory.dmp	xmrig
behavioral2/memory/4840-108-0x00007FF6591B0000-0x00007FF659504000-memory.dmp	xmrig
behavioral2/memory/4220-106-0x00007FF73BD00000-0x00007FF73C054000-memory.dmp	xmrig
behavioral2/memory/4588-99-0x00007FF6EA450000-0x00007FF6EA7A4000-memory.dmp	xmrig
behavioral2/files/0x000700000002341d-91.dat	xmrig
behavioral2/memory/2168-86-0x00007FF7B4F50000-0x00007FF7B52A4000-memory.dmp	xmrig
behavioral2/memory/2256-128-0x00007FF643670000-0x00007FF6439C4000-memory.dmp	xmrig
behavioral2/memory/4316-130-0x00007FF719F10000-0x00007FF71A264000-memory.dmp	xmrig
behavioral2/memory/3056-132-0x00007FF7E20D0000-0x00007FF7E2424000-memory.dmp	xmrig
behavioral2/memory/2480-133-0x00007FF6070B0000-0x00007FF607404000-memory.dmp	xmrig
behavioral2/memory/4072-129-0x00007FF7AF320000-0x00007FF7AF674000-memory.dmp	xmrig
behavioral2/memory/4692-131-0x00007FF7EC4B0000-0x00007FF7EC804000-memory.dmp	xmrig
behavioral2/memory/2964-134-0x00007FF7CFA60000-0x00007FF7CFDB4000-memory.dmp	xmrig
behavioral2/memory/3576-135-0x00007FF7CBA30000-0x00007FF7CBD84000-memory.dmp	xmrig
behavioral2/memory/4588-136-0x00007FF6EA450000-0x00007FF6EA7A4000-memory.dmp	xmrig
behavioral2/memory/2256-137-0x00007FF643670000-0x00007FF6439C4000-memory.dmp	xmrig
behavioral2/memory/3320-138-0x00007FF7D3980000-0x00007FF7D3CD4000-memory.dmp	xmrig
behavioral2/memory/2280-139-0x00007FF659080000-0x00007FF6593D4000-memory.dmp	xmrig
behavioral2/memory/4220-140-0x00007FF73BD00000-0x00007FF73C054000-memory.dmp	xmrig
behavioral2/memory/4840-141-0x00007FF6591B0000-0x00007FF659504000-memory.dmp	xmrig
behavioral2/memory/4676-142-0x00007FF665DB0000-0x00007FF666104000-memory.dmp	xmrig
behavioral2/memory/4692-143-0x00007FF7EC4B0000-0x00007FF7EC804000-memory.dmp	xmrig
behavioral2/memory/2480-144-0x00007FF6070B0000-0x00007FF607404000-memory.dmp	xmrig
behavioral2/memory/2124-145-0x00007FF653C80000-0x00007FF653FD4000-memory.dmp	xmrig
behavioral2/memory/1076-146-0x00007FF7E0730000-0x00007FF7E0A84000-memory.dmp	xmrig
behavioral2/memory/2964-147-0x00007FF7CFA60000-0x00007FF7CFDB4000-memory.dmp	xmrig
behavioral2/memory/5028-148-0x00007FF615280000-0x00007FF6155D4000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
3320	aQRSgoV.exe
2280	CXULgif.exe
4220	fxDqSmn.exe
4840	XisYWFw.exe
4676	yHlGUtq.exe
4692	uRCBgFh.exe
2480	oAaSkvI.exe
1076	sWjpmFf.exe
2124	adltvjD.exe
2964	gzhTWag.exe
5028	qZpCxHT.exe
3576	kfDzjLJ.exe
1868	shYjVgT.exe
1952	SpsebdN.exe
436	gmflafR.exe
4588	onhUzPh.exe
4808	ValmEUO.exe
2256	sYwZHMQ.exe
3056	etPLkcO.exe
4072	iZaIPdE.exe
4316	MhAaZSv.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2168-0-0x00007FF7B4F50000-0x00007FF7B52A4000-memory.dmp	upx
behavioral2/files/0x000900000002340b-6.dat	upx
behavioral2/files/0x000700000002340f-10.dat	upx
behavioral2/memory/4220-21-0x00007FF73BD00000-0x00007FF73C054000-memory.dmp	upx
behavioral2/files/0x0007000000023411-27.dat	upx
behavioral2/files/0x0007000000023412-29.dat	upx
behavioral2/memory/4676-30-0x00007FF665DB0000-0x00007FF666104000-memory.dmp	upx
behavioral2/memory/4840-24-0x00007FF6591B0000-0x00007FF659504000-memory.dmp	upx
behavioral2/files/0x0007000000023410-22.dat	upx
behavioral2/memory/2280-18-0x00007FF659080000-0x00007FF6593D4000-memory.dmp	upx
behavioral2/memory/3320-8-0x00007FF7D3980000-0x00007FF7D3CD4000-memory.dmp	upx
behavioral2/files/0x0007000000023413-35.dat	upx
behavioral2/memory/4692-40-0x00007FF7EC4B0000-0x00007FF7EC804000-memory.dmp	upx
behavioral2/files/0x000800000002340c-39.dat	upx
behavioral2/files/0x0007000000023414-47.dat	upx
behavioral2/files/0x0007000000023415-52.dat	upx
behavioral2/memory/2480-44-0x00007FF6070B0000-0x00007FF607404000-memory.dmp	upx
behavioral2/memory/2124-57-0x00007FF653C80000-0x00007FF653FD4000-memory.dmp	upx
behavioral2/files/0x0007000000023416-59.dat	upx
behavioral2/files/0x0007000000023418-66.dat	upx
behavioral2/files/0x0007000000023419-70.dat	upx
behavioral2/files/0x000700000002341a-72.dat	upx
behavioral2/memory/5028-75-0x00007FF615280000-0x00007FF6155D4000-memory.dmp	upx
behavioral2/memory/1868-79-0x00007FF7FE5F0000-0x00007FF7FE944000-memory.dmp	upx
behavioral2/memory/3576-78-0x00007FF7CBA30000-0x00007FF7CBD84000-memory.dmp	upx
behavioral2/memory/2964-63-0x00007FF7CFA60000-0x00007FF7CFDB4000-memory.dmp	upx
behavioral2/memory/1076-54-0x00007FF7E0730000-0x00007FF7E0A84000-memory.dmp	upx
behavioral2/files/0x000700000002341b-84.dat	upx
behavioral2/memory/1952-90-0x00007FF6856A0000-0x00007FF6859F4000-memory.dmp	upx
behavioral2/files/0x000700000002341e-95.dat	upx
behavioral2/memory/436-96-0x00007FF7E0440000-0x00007FF7E0794000-memory.dmp	upx
behavioral2/files/0x000700000002341f-102.dat	upx
behavioral2/files/0x0007000000023422-116.dat	upx
behavioral2/files/0x0007000000023423-119.dat	upx
behavioral2/files/0x0007000000023420-122.dat	upx
behavioral2/files/0x0007000000023421-120.dat	upx
behavioral2/memory/4676-114-0x00007FF665DB0000-0x00007FF666104000-memory.dmp	upx
behavioral2/memory/4808-112-0x00007FF738800000-0x00007FF738B54000-memory.dmp	upx
behavioral2/memory/4840-108-0x00007FF6591B0000-0x00007FF659504000-memory.dmp	upx
behavioral2/memory/4220-106-0x00007FF73BD00000-0x00007FF73C054000-memory.dmp	upx
behavioral2/memory/4588-99-0x00007FF6EA450000-0x00007FF6EA7A4000-memory.dmp	upx
behavioral2/files/0x000700000002341d-91.dat	upx
behavioral2/memory/2168-86-0x00007FF7B4F50000-0x00007FF7B52A4000-memory.dmp	upx
behavioral2/memory/2256-128-0x00007FF643670000-0x00007FF6439C4000-memory.dmp	upx
behavioral2/memory/4316-130-0x00007FF719F10000-0x00007FF71A264000-memory.dmp	upx
behavioral2/memory/3056-132-0x00007FF7E20D0000-0x00007FF7E2424000-memory.dmp	upx
behavioral2/memory/2480-133-0x00007FF6070B0000-0x00007FF607404000-memory.dmp	upx
behavioral2/memory/4072-129-0x00007FF7AF320000-0x00007FF7AF674000-memory.dmp	upx
behavioral2/memory/4692-131-0x00007FF7EC4B0000-0x00007FF7EC804000-memory.dmp	upx
behavioral2/memory/2964-134-0x00007FF7CFA60000-0x00007FF7CFDB4000-memory.dmp	upx
behavioral2/memory/3576-135-0x00007FF7CBA30000-0x00007FF7CBD84000-memory.dmp	upx
behavioral2/memory/4588-136-0x00007FF6EA450000-0x00007FF6EA7A4000-memory.dmp	upx
behavioral2/memory/2256-137-0x00007FF643670000-0x00007FF6439C4000-memory.dmp	upx
behavioral2/memory/3320-138-0x00007FF7D3980000-0x00007FF7D3CD4000-memory.dmp	upx
behavioral2/memory/2280-139-0x00007FF659080000-0x00007FF6593D4000-memory.dmp	upx
behavioral2/memory/4220-140-0x00007FF73BD00000-0x00007FF73C054000-memory.dmp	upx
behavioral2/memory/4840-141-0x00007FF6591B0000-0x00007FF659504000-memory.dmp	upx
behavioral2/memory/4676-142-0x00007FF665DB0000-0x00007FF666104000-memory.dmp	upx
behavioral2/memory/4692-143-0x00007FF7EC4B0000-0x00007FF7EC804000-memory.dmp	upx
behavioral2/memory/2480-144-0x00007FF6070B0000-0x00007FF607404000-memory.dmp	upx
behavioral2/memory/2124-145-0x00007FF653C80000-0x00007FF653FD4000-memory.dmp	upx
behavioral2/memory/1076-146-0x00007FF7E0730000-0x00007FF7E0A84000-memory.dmp	upx
behavioral2/memory/2964-147-0x00007FF7CFA60000-0x00007FF7CFDB4000-memory.dmp	upx
behavioral2/memory/5028-148-0x00007FF615280000-0x00007FF6155D4000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\fxDqSmn.exe	2024-05-30_065763a67479bb661c6a95ea07408955_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\XisYWFw.exe	2024-05-30_065763a67479bb661c6a95ea07408955_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\qZpCxHT.exe	2024-05-30_065763a67479bb661c6a95ea07408955_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\sYwZHMQ.exe	2024-05-30_065763a67479bb661c6a95ea07408955_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\etPLkcO.exe	2024-05-30_065763a67479bb661c6a95ea07408955_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\iZaIPdE.exe	2024-05-30_065763a67479bb661c6a95ea07408955_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\CXULgif.exe	2024-05-30_065763a67479bb661c6a95ea07408955_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\shYjVgT.exe	2024-05-30_065763a67479bb661c6a95ea07408955_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\SpsebdN.exe	2024-05-30_065763a67479bb661c6a95ea07408955_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\gmflafR.exe	2024-05-30_065763a67479bb661c6a95ea07408955_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ValmEUO.exe	2024-05-30_065763a67479bb661c6a95ea07408955_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\aQRSgoV.exe	2024-05-30_065763a67479bb661c6a95ea07408955_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\oAaSkvI.exe	2024-05-30_065763a67479bb661c6a95ea07408955_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\sWjpmFf.exe	2024-05-30_065763a67479bb661c6a95ea07408955_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\adltvjD.exe	2024-05-30_065763a67479bb661c6a95ea07408955_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\MhAaZSv.exe	2024-05-30_065763a67479bb661c6a95ea07408955_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\yHlGUtq.exe	2024-05-30_065763a67479bb661c6a95ea07408955_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\uRCBgFh.exe	2024-05-30_065763a67479bb661c6a95ea07408955_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\gzhTWag.exe	2024-05-30_065763a67479bb661c6a95ea07408955_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\kfDzjLJ.exe	2024-05-30_065763a67479bb661c6a95ea07408955_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\onhUzPh.exe	2024-05-30_065763a67479bb661c6a95ea07408955_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2168	2024-05-30_065763a67479bb661c6a95ea07408955_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	2168	2024-05-30_065763a67479bb661c6a95ea07408955_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2168 wrote to memory of 3320	2168	2024-05-30_065763a67479bb661c6a95ea07408955_cobalt-strike_cobaltstrike.exe	85
PID 2168 wrote to memory of 3320	2168	2024-05-30_065763a67479bb661c6a95ea07408955_cobalt-strike_cobaltstrike.exe	85
PID 2168 wrote to memory of 2280	2168	2024-05-30_065763a67479bb661c6a95ea07408955_cobalt-strike_cobaltstrike.exe	86
PID 2168 wrote to memory of 2280	2168	2024-05-30_065763a67479bb661c6a95ea07408955_cobalt-strike_cobaltstrike.exe	86
PID 2168 wrote to memory of 4220	2168	2024-05-30_065763a67479bb661c6a95ea07408955_cobalt-strike_cobaltstrike.exe	87
PID 2168 wrote to memory of 4220	2168	2024-05-30_065763a67479bb661c6a95ea07408955_cobalt-strike_cobaltstrike.exe	87
PID 2168 wrote to memory of 4840	2168	2024-05-30_065763a67479bb661c6a95ea07408955_cobalt-strike_cobaltstrike.exe	88
PID 2168 wrote to memory of 4840	2168	2024-05-30_065763a67479bb661c6a95ea07408955_cobalt-strike_cobaltstrike.exe	88
PID 2168 wrote to memory of 4676	2168	2024-05-30_065763a67479bb661c6a95ea07408955_cobalt-strike_cobaltstrike.exe	89
PID 2168 wrote to memory of 4676	2168	2024-05-30_065763a67479bb661c6a95ea07408955_cobalt-strike_cobaltstrike.exe	89
PID 2168 wrote to memory of 4692	2168	2024-05-30_065763a67479bb661c6a95ea07408955_cobalt-strike_cobaltstrike.exe	91
PID 2168 wrote to memory of 4692	2168	2024-05-30_065763a67479bb661c6a95ea07408955_cobalt-strike_cobaltstrike.exe	91
PID 2168 wrote to memory of 2480	2168	2024-05-30_065763a67479bb661c6a95ea07408955_cobalt-strike_cobaltstrike.exe	94
PID 2168 wrote to memory of 2480	2168	2024-05-30_065763a67479bb661c6a95ea07408955_cobalt-strike_cobaltstrike.exe	94
PID 2168 wrote to memory of 1076	2168	2024-05-30_065763a67479bb661c6a95ea07408955_cobalt-strike_cobaltstrike.exe	95
PID 2168 wrote to memory of 1076	2168	2024-05-30_065763a67479bb661c6a95ea07408955_cobalt-strike_cobaltstrike.exe	95
PID 2168 wrote to memory of 2124	2168	2024-05-30_065763a67479bb661c6a95ea07408955_cobalt-strike_cobaltstrike.exe	96
PID 2168 wrote to memory of 2124	2168	2024-05-30_065763a67479bb661c6a95ea07408955_cobalt-strike_cobaltstrike.exe	96
PID 2168 wrote to memory of 2964	2168	2024-05-30_065763a67479bb661c6a95ea07408955_cobalt-strike_cobaltstrike.exe	98
PID 2168 wrote to memory of 2964	2168	2024-05-30_065763a67479bb661c6a95ea07408955_cobalt-strike_cobaltstrike.exe	98
PID 2168 wrote to memory of 5028	2168	2024-05-30_065763a67479bb661c6a95ea07408955_cobalt-strike_cobaltstrike.exe	99
PID 2168 wrote to memory of 5028	2168	2024-05-30_065763a67479bb661c6a95ea07408955_cobalt-strike_cobaltstrike.exe	99
PID 2168 wrote to memory of 3576	2168	2024-05-30_065763a67479bb661c6a95ea07408955_cobalt-strike_cobaltstrike.exe	100
PID 2168 wrote to memory of 3576	2168	2024-05-30_065763a67479bb661c6a95ea07408955_cobalt-strike_cobaltstrike.exe	100
PID 2168 wrote to memory of 1868	2168	2024-05-30_065763a67479bb661c6a95ea07408955_cobalt-strike_cobaltstrike.exe	101
PID 2168 wrote to memory of 1868	2168	2024-05-30_065763a67479bb661c6a95ea07408955_cobalt-strike_cobaltstrike.exe	101
PID 2168 wrote to memory of 1952	2168	2024-05-30_065763a67479bb661c6a95ea07408955_cobalt-strike_cobaltstrike.exe	104
PID 2168 wrote to memory of 1952	2168	2024-05-30_065763a67479bb661c6a95ea07408955_cobalt-strike_cobaltstrike.exe	104
PID 2168 wrote to memory of 436	2168	2024-05-30_065763a67479bb661c6a95ea07408955_cobalt-strike_cobaltstrike.exe	106
PID 2168 wrote to memory of 436	2168	2024-05-30_065763a67479bb661c6a95ea07408955_cobalt-strike_cobaltstrike.exe	106
PID 2168 wrote to memory of 4588	2168	2024-05-30_065763a67479bb661c6a95ea07408955_cobalt-strike_cobaltstrike.exe	107
PID 2168 wrote to memory of 4588	2168	2024-05-30_065763a67479bb661c6a95ea07408955_cobalt-strike_cobaltstrike.exe	107
PID 2168 wrote to memory of 4808	2168	2024-05-30_065763a67479bb661c6a95ea07408955_cobalt-strike_cobaltstrike.exe	108
PID 2168 wrote to memory of 4808	2168	2024-05-30_065763a67479bb661c6a95ea07408955_cobalt-strike_cobaltstrike.exe	108
PID 2168 wrote to memory of 2256	2168	2024-05-30_065763a67479bb661c6a95ea07408955_cobalt-strike_cobaltstrike.exe	109
PID 2168 wrote to memory of 2256	2168	2024-05-30_065763a67479bb661c6a95ea07408955_cobalt-strike_cobaltstrike.exe	109
PID 2168 wrote to memory of 3056	2168	2024-05-30_065763a67479bb661c6a95ea07408955_cobalt-strike_cobaltstrike.exe	110
PID 2168 wrote to memory of 3056	2168	2024-05-30_065763a67479bb661c6a95ea07408955_cobalt-strike_cobaltstrike.exe	110
PID 2168 wrote to memory of 4072	2168	2024-05-30_065763a67479bb661c6a95ea07408955_cobalt-strike_cobaltstrike.exe	112
PID 2168 wrote to memory of 4072	2168	2024-05-30_065763a67479bb661c6a95ea07408955_cobalt-strike_cobaltstrike.exe	112
PID 2168 wrote to memory of 4316	2168	2024-05-30_065763a67479bb661c6a95ea07408955_cobalt-strike_cobaltstrike.exe	113
PID 2168 wrote to memory of 4316	2168	2024-05-30_065763a67479bb661c6a95ea07408955_cobalt-strike_cobaltstrike.exe	113

C:\Users\Admin\AppData\Local\Temp\2024-05-30_065763a67479bb661c6a95ea07408955_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-30_065763a67479bb661c6a95ea07408955_cobalt-strike_cobaltstrike.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2168
- C:\Windows\System\aQRSgoV.exe
  C:\Windows\System\aQRSgoV.exe
  2⤵
  - Executes dropped EXE
  PID:3320
- C:\Windows\System\CXULgif.exe
  C:\Windows\System\CXULgif.exe
  2⤵
  - Executes dropped EXE
  PID:2280
- C:\Windows\System\fxDqSmn.exe
  C:\Windows\System\fxDqSmn.exe
  2⤵
  - Executes dropped EXE
  PID:4220
- C:\Windows\System\XisYWFw.exe
  C:\Windows\System\XisYWFw.exe
  2⤵
  - Executes dropped EXE
  PID:4840
- C:\Windows\System\yHlGUtq.exe
  C:\Windows\System\yHlGUtq.exe
  2⤵
  - Executes dropped EXE
  PID:4676
- C:\Windows\System\uRCBgFh.exe
  C:\Windows\System\uRCBgFh.exe
  2⤵
  - Executes dropped EXE
  PID:4692
- C:\Windows\System\oAaSkvI.exe
  C:\Windows\System\oAaSkvI.exe
  2⤵
  - Executes dropped EXE
  PID:2480
- C:\Windows\System\sWjpmFf.exe
  C:\Windows\System\sWjpmFf.exe
  2⤵
  - Executes dropped EXE
  PID:1076
- C:\Windows\System\adltvjD.exe
  C:\Windows\System\adltvjD.exe
  2⤵
  - Executes dropped EXE
  PID:2124
- C:\Windows\System\gzhTWag.exe
  C:\Windows\System\gzhTWag.exe
  2⤵
  - Executes dropped EXE
  PID:2964
- C:\Windows\System\qZpCxHT.exe
  C:\Windows\System\qZpCxHT.exe
  2⤵
  - Executes dropped EXE
  PID:5028
- C:\Windows\System\kfDzjLJ.exe
  C:\Windows\System\kfDzjLJ.exe
  2⤵
  - Executes dropped EXE
  PID:3576
- C:\Windows\System\shYjVgT.exe
  C:\Windows\System\shYjVgT.exe
  2⤵
  - Executes dropped EXE
  PID:1868
- C:\Windows\System\SpsebdN.exe
  C:\Windows\System\SpsebdN.exe
  2⤵
  - Executes dropped EXE
  PID:1952
- C:\Windows\System\gmflafR.exe
  C:\Windows\System\gmflafR.exe
  2⤵
  - Executes dropped EXE
  PID:436
- C:\Windows\System\onhUzPh.exe
  C:\Windows\System\onhUzPh.exe
  2⤵
  - Executes dropped EXE
  PID:4588
- C:\Windows\System\ValmEUO.exe
  C:\Windows\System\ValmEUO.exe
  2⤵
  - Executes dropped EXE
  PID:4808
- C:\Windows\System\sYwZHMQ.exe
  C:\Windows\System\sYwZHMQ.exe
  2⤵
  - Executes dropped EXE
  PID:2256
- C:\Windows\System\etPLkcO.exe
  C:\Windows\System\etPLkcO.exe
  2⤵
  - Executes dropped EXE
  PID:3056
- C:\Windows\System\iZaIPdE.exe
  C:\Windows\System\iZaIPdE.exe
  2⤵
  - Executes dropped EXE
  PID:4072
- C:\Windows\System\MhAaZSv.exe
  C:\Windows\System\MhAaZSv.exe
  2⤵
  - Executes dropped EXE
  PID:4316

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\CXULgif.exe

Filesize
5.9MB

MD5
766c8f3bd6f783d8b00fec66ff226b4a

SHA1
887c07fc66ebc9d964f2f985b16c0969ac898078

SHA256
9a4dfc2c17fbf6475b4e169ee72dcc3724ed490e70ea92f473dcdd16ff8ee5c5

SHA512
a44a4d893f0e20dfc487373fee6a1d306656595829758dce85b71de6dc64497003fc79f6593eaad1a7e40b25c30c63798dd186e61d091cc7b7929578471c9ff0

Download Submit
C:\Windows\System\MhAaZSv.exe

Filesize
5.9MB

MD5
8a5bc68c4c41d6f32b90d5b72546ed53

SHA1
b1eab8d982396f68caf6e2e8cb2555d60a55ce8c

SHA256
ab90cdf070fffa86e14d64ae89ce54307984c8566497959ed08d0a8345053873

SHA512
dfc880cbd519db2a4f7689c42dd2c2df667ebdbc4e707c2e12dfa268c1a863c7dc140dcb563091338c2c86f927444a7589e361a2c458e5dc446c9e86b12ca699

Download Submit
C:\Windows\System\SpsebdN.exe

Filesize
5.9MB

MD5
c2dcfd0cf1f87eed7c961b30826aa472

SHA1
9ac1f7178c59baee86cd4b1f9b0de8fb1e43afa0

SHA256
be49b8eda54898455d300bec6b3dc2b56f3a5c676c9d0f1aa8ff39a91c531237

SHA512
4cfcfa7ee8dc324f5411c32326bb4a74aede0a29bdf680e97b0138199f1b12d095ebc9cf6fdcf7b75d406fc75f4b5906fa5f7b6a430e400ef38b28fa41e7691b

Download Submit
C:\Windows\System\ValmEUO.exe

Filesize
5.9MB

MD5
4673a3516b7d539b0e81aed0dd4c91c5

SHA1
9b0ef2faf5e09a543c49f600f439a617463ca8e7

SHA256
b1be3b7959f309aae969eedddeba41c39df4285a3e81d7d1f4946a0eb83608ec

SHA512
a1c99b872acc8d1e3e5a08773b93bf2d9129d9f3942f420887939f8c10ebdc7723818ae368e1159e0a628edadc119ef9c915edd3469968105f0d0735457259ab

Download Submit
C:\Windows\System\XisYWFw.exe

Filesize
5.9MB

MD5
9c9f6d87698dad8a4a320774dc4c8e5f

SHA1
51bc102809d49019421d20628d4710ff098493f0

SHA256
c014e410329d71a98715b71f6f09ff082037fcff5865ecf9b3d9cd4221346960

SHA512
1a723362b4f42be967d0bdb2743d553730411baa2c7670e9433e3672f05be587020610fc225afbd54001cfc1c4b6c6a7ce15f0c125ae573d83ef2c658cbae584

Download Submit
C:\Windows\System\aQRSgoV.exe

Filesize
5.9MB

MD5
6d61df7eef0dd815def29d6e90aac4ef

SHA1
e03ce73efc2929d90b7a5ba3526e462dc359f298

SHA256
28daaa2ba34e5b504825ee34a44deebec06289834ecf2b876e767ed4b55c671b

SHA512
0e13b95cca7050a46af607e0f044bf9f03289b9d029a8e6d5a4b5291d9df37b3e57ae1f00e1613b66dbc95ab278b906e7e9013cafdee39232b278fa3774a92a4

Download Submit
C:\Windows\System\adltvjD.exe

Filesize
5.9MB

MD5
6e627a7003d000d502da97ca69fce858

SHA1
f6a5a3f42c9b17e6484daed4b4913eddd5081627

SHA256
7d47d0c81cb30941c2a2b7e1f9c7be94f44f2d9aa164babb1e8db692d1aa44d7

SHA512
62ef0907b70415aecbe72edc0dbdfef2759ea621305d099c939ce61c76108427bab19ed49175b96ea89f5dd3d5249b554ed103c18ca01d1f1d18883ac39f3c15

Download Submit
C:\Windows\System\etPLkcO.exe

Filesize
5.9MB

MD5
3f306fe32cda450f223d0487c01ce60d

SHA1
685f151dc5bcec82de52f6e6f74d677ac0918126

SHA256
1e4d8b3866b58b2e5a37c9edf0316ac938d5353b470b7a391cb60bd833fa8bbc

SHA512
1f1c4fb5c4c07ff5daa81741cf3dcfc1fcef763259102cdadd48cd4c7deb98051387e8090744f5923fd8da2b69e825f89c0184e5b28f978129e8da39188cb922

Download Submit
C:\Windows\System\fxDqSmn.exe

Filesize
5.9MB

MD5
b6f37da93b0ac2998847ed2f61475837

SHA1
2f83b7a4ffb8c399aac4269dcd4885a7086509e6

SHA256
9624ca05dbfe7cc77f7d01143898ad7a3bd86869ba53c8b0bba97298086e7c22

SHA512
df3a9c5da57daf94bfb2bc2497c74dc97818a05e667e293c13d801f475afc3d846356854f534f79a33b9d5ca58b5a6732fa002635710fe33e8207458eeeb5ca8

Download Submit
C:\Windows\System\gmflafR.exe

Filesize
5.9MB

MD5
0a54136103fa01c33ed08fdbaed71dea

SHA1
9dde17117762926a6d6a4b0f4a8dcd5ae43e7748

SHA256
425b4646af5ee8e949c6d966d4289c5531d08c5d1c52b2c1166a77522258c674

SHA512
1f28415561cc963587106e38d4ebdc475350cc709d0efb435dcdc4a49e6dbe4be3af11f0d9818810beac55e6e82f6602ca512dc0e244fbe8c623b3923caa6bca

Download Submit
C:\Windows\System\gzhTWag.exe

Filesize
5.9MB

MD5
f4454fe7e09885b4aa276fd11ba0de1f

SHA1
61d5a1541248e74c47315d809985611c31ed02d2

SHA256
c40f269ce893250a7dd4ce4fe1e4a4c2fb3c0643d0fc65e73b0164c49bc16c04

SHA512
610c214fb5b7d3ca19e41d19cbd6e3048694570be1e4cf07a33ef78c83a09b52e2708581f1db896366dd7786c6f25b468fc111cc0b14c5bb6392bb2488f1c3c0

Download Submit
C:\Windows\System\iZaIPdE.exe

Filesize
5.9MB

MD5
e276866998b2e76d47424aec1ef26555

SHA1
29823ce0be542ae7312db41cdedd110830a0c7d7

SHA256
388387f9c4d9bb74ecbe059b12ede1c10032b6e59fcffd7fc7f699581ab23d3c

SHA512
428254897f17d9601b4244e72d304dd9f856b1b929abfbc20260684f5cef153b9be418a0172e032fcf575393d97a26f748fc0c279c75838cb2fbe2835c061b25

Download Submit
C:\Windows\System\kfDzjLJ.exe

Filesize
5.9MB

MD5
31400833a55c2c85ec0bf21465b7f9bb

SHA1
1499cd53c8d5677013370cab25c31a56eb5e97ea

SHA256
89c4b275571670d66e4bfb2880b04ed945759da38debf4b3a5d0c2f85065ee60

SHA512
51770ecca290882f81bfaee22d99bfc1bb907948462baf54b1c49c09aa9b7b38c40990d42bc6e08ad9bfe7ce7b4f494430d0486572d4e85ce5ab51517a197efd

Download Submit
C:\Windows\System\oAaSkvI.exe

Filesize
5.9MB

MD5
429feecbad48590282507e704b8c18bc

SHA1
7ad187d228ce9898109cb7d5a47fdfe2f04d3fa1

SHA256
85f06da6f4a876d26796b97340006734bdcb255de20433b546af99320e485907

SHA512
ef45a29d490f6838ce0cf4d89ad21e14b164876cb84c66cc6e30b8c5960849c54c6e5c11986b55ed22c864df5f619276e18044d6964a668d54c3809761fd6ee5

Download Submit
C:\Windows\System\onhUzPh.exe

Filesize
5.9MB

MD5
d8cedfe70e5bc2e558370dd76b59b9c7

SHA1
0fb708cde7feb594d1ee8a913b70a2ea5c58ac52

SHA256
3a365743640cc66584059554fb4e06dfca369835ffb3431f09d518ff73bfa4f5

SHA512
33de35652cbb4decdfbe1dfd79d337bca758368065762b0abe979d934392fdf34b5dd61394dfd82b7db987b1245fca616cdab820749cbdff35cd5d7ac7dca209

Download Submit
C:\Windows\System\qZpCxHT.exe

Filesize
5.9MB

MD5
b1b22c1b8e38766c398fc78c2268fc76

SHA1
0e71ae89d5489fcfd05df9e6c79ca567e11d42f9

SHA256
d51079cbc1b4e2b828b130836309d422bbf70912127d994a2c6a5fbeebad941e

SHA512
daa5a8c8995b193cbfff68e90663ff080470b9c7bf84352f672cc960779b78f902157092f7c3c08cf5a2dc183fff9422ce424e6bc03c9f5ce26c269b5db39a5c

Download Submit
C:\Windows\System\sWjpmFf.exe

Filesize
5.9MB

MD5
61c05241a3d393ddcd483a3bbc7733c2

SHA1
7cdab423acce8f23fafec666421bd1414abc85e6

SHA256
969f3424e49401c6a42f67fea73f05a0747d7fcd6a97a20b7820955cb504b11c

SHA512
f3a67551fb3490a39283c5c9bd5998ce6329fbe20cb0d500a1dfdf0979b85b28d14316c01146895053ec957ac8161dbde122fad9501d6a3a704467302f84fa6c

Download Submit
C:\Windows\System\sYwZHMQ.exe

Filesize
5.9MB

MD5
3fe9b7e631110a456dea2797f8b74a2d

SHA1
6811eb8b7cf81e95e8ee16d6363b1bf44c7f8ff9

SHA256
135561a30d44d098be66b05d2afa4276384ca6627ba2d74084d9ecee1f0992be

SHA512
d23c17deb95c130b36604b32d7daa2600c72223cb076049628ed4045dd63e0ff4d23faa90cbabca5985674fcc2f513ed014bc4dab446a118ebef254320a2aa0c

Download Submit
C:\Windows\System\shYjVgT.exe

Filesize
5.9MB

MD5
47399b3f2a7710e55d3bf2bd67125662

SHA1
56b9a7d6be64608b8baaf69cce923e64f96f28a9

SHA256
e68bf76f745ca170ec23fc484a4e15d9000d889e5f6622b3bd0670f5c045ab25

SHA512
416efab90906d88b2901d406c2880d050b2503a01553126adce0429279a8710157824de4f6a22777c067da39dc622a7c7f829b49ca7cd33ab7af72cab57a17c8

Download Submit
C:\Windows\System\uRCBgFh.exe

Filesize
5.9MB

MD5
b9c171c7ddb2fae6e7275fcc6c497fbf

SHA1
5e1971b0fd3f41c5c4b6c6f0927b23a2e1580e09

SHA256
4624bccc42a99935456349da4d6651508a2abdf3f1b9d56da3fd45105669548c

SHA512
1342e11ed7067db2f88a81e8c6a121f017933a37565295833bdddb43c58028ac2393ed0adaacf98bbb5666810461257740887b1fb0d41e39e83d470de6992366

Download Submit
C:\Windows\System\yHlGUtq.exe

Filesize
5.9MB

MD5
df7a2a78315dae6daecb0107254a0a41

SHA1
14fcc92fc4ffb8c57a0fb706ad8be6ece84852c0

SHA256
2242bc0ba5682542a0bc2ad958d3c11e0e664c9373b4e2e89cea1d3c53d5fa47

SHA512
e83a69a3fe6d93fa67f663e4daebe521beb1cba98264218b2ff25815b8094d0b942fedee5a8d237299df24079a8bc6acc53a662538bf4e3cc7f30ea0d43dc933

Download Submit
memory/436-96-0x00007FF7E0440000-0x00007FF7E0794000-memory.dmp

Filesize
3.3MB

Download
memory/436-152-0x00007FF7E0440000-0x00007FF7E0794000-memory.dmp

Filesize
3.3MB

Download
memory/1076-146-0x00007FF7E0730000-0x00007FF7E0A84000-memory.dmp

Filesize
3.3MB

Download
memory/1076-54-0x00007FF7E0730000-0x00007FF7E0A84000-memory.dmp

Filesize
3.3MB

Download
memory/1868-149-0x00007FF7FE5F0000-0x00007FF7FE944000-memory.dmp

Filesize
3.3MB

Download
memory/1868-79-0x00007FF7FE5F0000-0x00007FF7FE944000-memory.dmp

Filesize
3.3MB

Download
memory/1952-151-0x00007FF6856A0000-0x00007FF6859F4000-memory.dmp

Filesize
3.3MB

Download
memory/1952-90-0x00007FF6856A0000-0x00007FF6859F4000-memory.dmp

Filesize
3.3MB

Download
memory/2124-57-0x00007FF653C80000-0x00007FF653FD4000-memory.dmp

Filesize
3.3MB

Download
memory/2124-145-0x00007FF653C80000-0x00007FF653FD4000-memory.dmp

Filesize
3.3MB

Download
memory/2168-0-0x00007FF7B4F50000-0x00007FF7B52A4000-memory.dmp

Filesize
3.3MB

Download
memory/2168-86-0x00007FF7B4F50000-0x00007FF7B52A4000-memory.dmp

Filesize
3.3MB

Download
memory/2168-1-0x0000025631D70000-0x0000025631D80000-memory.dmp

Filesize
64KB

Download
memory/2256-156-0x00007FF643670000-0x00007FF6439C4000-memory.dmp

Filesize
3.3MB

Download
memory/2256-137-0x00007FF643670000-0x00007FF6439C4000-memory.dmp

Filesize
3.3MB

Download
memory/2256-128-0x00007FF643670000-0x00007FF6439C4000-memory.dmp

Filesize
3.3MB

Download
memory/2280-18-0x00007FF659080000-0x00007FF6593D4000-memory.dmp

Filesize
3.3MB

Download
memory/2280-139-0x00007FF659080000-0x00007FF6593D4000-memory.dmp

Filesize
3.3MB

Download
memory/2480-44-0x00007FF6070B0000-0x00007FF607404000-memory.dmp

Filesize
3.3MB

Download
memory/2480-133-0x00007FF6070B0000-0x00007FF607404000-memory.dmp

Filesize
3.3MB

Download
memory/2480-144-0x00007FF6070B0000-0x00007FF607404000-memory.dmp

Filesize
3.3MB

Download
memory/2964-63-0x00007FF7CFA60000-0x00007FF7CFDB4000-memory.dmp

Filesize
3.3MB

Download
memory/2964-134-0x00007FF7CFA60000-0x00007FF7CFDB4000-memory.dmp

Filesize
3.3MB

Download
memory/2964-147-0x00007FF7CFA60000-0x00007FF7CFDB4000-memory.dmp

Filesize
3.3MB

Download
memory/3056-158-0x00007FF7E20D0000-0x00007FF7E2424000-memory.dmp

Filesize
3.3MB

Download
memory/3056-132-0x00007FF7E20D0000-0x00007FF7E2424000-memory.dmp

Filesize
3.3MB

Download
memory/3320-8-0x00007FF7D3980000-0x00007FF7D3CD4000-memory.dmp

Filesize
3.3MB

Download
memory/3320-138-0x00007FF7D3980000-0x00007FF7D3CD4000-memory.dmp

Filesize
3.3MB

Download
memory/3576-135-0x00007FF7CBA30000-0x00007FF7CBD84000-memory.dmp

Filesize
3.3MB

Download
memory/3576-150-0x00007FF7CBA30000-0x00007FF7CBD84000-memory.dmp

Filesize
3.3MB

Download
memory/3576-78-0x00007FF7CBA30000-0x00007FF7CBD84000-memory.dmp

Filesize
3.3MB

Download
memory/4072-129-0x00007FF7AF320000-0x00007FF7AF674000-memory.dmp

Filesize
3.3MB

Download
memory/4072-157-0x00007FF7AF320000-0x00007FF7AF674000-memory.dmp

Filesize
3.3MB

Download
memory/4220-21-0x00007FF73BD00000-0x00007FF73C054000-memory.dmp

Filesize
3.3MB

Download
memory/4220-106-0x00007FF73BD00000-0x00007FF73C054000-memory.dmp

Filesize
3.3MB

Download
memory/4220-140-0x00007FF73BD00000-0x00007FF73C054000-memory.dmp

Filesize
3.3MB

Download
memory/4316-130-0x00007FF719F10000-0x00007FF71A264000-memory.dmp

Filesize
3.3MB

Download
memory/4316-155-0x00007FF719F10000-0x00007FF71A264000-memory.dmp

Filesize
3.3MB

Download
memory/4588-99-0x00007FF6EA450000-0x00007FF6EA7A4000-memory.dmp

Filesize
3.3MB

Download
memory/4588-154-0x00007FF6EA450000-0x00007FF6EA7A4000-memory.dmp

Filesize
3.3MB

Download
memory/4588-136-0x00007FF6EA450000-0x00007FF6EA7A4000-memory.dmp

Filesize
3.3MB

Download
memory/4676-114-0x00007FF665DB0000-0x00007FF666104000-memory.dmp

Filesize
3.3MB

Download
memory/4676-30-0x00007FF665DB0000-0x00007FF666104000-memory.dmp

Filesize
3.3MB

Download
memory/4676-142-0x00007FF665DB0000-0x00007FF666104000-memory.dmp

Filesize
3.3MB

Download
memory/4692-143-0x00007FF7EC4B0000-0x00007FF7EC804000-memory.dmp

Filesize
3.3MB

Download
memory/4692-40-0x00007FF7EC4B0000-0x00007FF7EC804000-memory.dmp

Filesize
3.3MB

Download
memory/4692-131-0x00007FF7EC4B0000-0x00007FF7EC804000-memory.dmp

Filesize
3.3MB

Download
memory/4808-112-0x00007FF738800000-0x00007FF738B54000-memory.dmp

Filesize
3.3MB

Download
memory/4808-153-0x00007FF738800000-0x00007FF738B54000-memory.dmp

Filesize
3.3MB

Download
memory/4840-108-0x00007FF6591B0000-0x00007FF659504000-memory.dmp

Filesize
3.3MB

Download
memory/4840-24-0x00007FF6591B0000-0x00007FF659504000-memory.dmp

Filesize
3.3MB

Download
memory/4840-141-0x00007FF6591B0000-0x00007FF659504000-memory.dmp

Filesize
3.3MB

Download
memory/5028-148-0x00007FF615280000-0x00007FF6155D4000-memory.dmp

Filesize
3.3MB

Download
memory/5028-75-0x00007FF615280000-0x00007FF6155D4000-memory.dmp

Filesize
3.3MB

Download