cobaltstrike | 98fdb3952f5fd096a4b3f7605d5dbd58ef52ed8efc2984ba87db8f263f9647f6

Analysis

max time kernel
144s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
31-05-2024 16:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe
Size

5.9MB
MD5

f4ec19f830dffa2caae36960f513434d
SHA1

e1e42c722735333949fde4cd1901dfb8d4f81d82
SHA256

98fdb3952f5fd096a4b3f7605d5dbd58ef52ed8efc2984ba87db8f263f9647f6
SHA512

aa484a3a3d0afc8cf60caf82648c992198db5e62d63faf8e5eb1372508ed5195448495dd546d731fae6f5a863f24870d4c2475db52ae95893a01ba54247b56fe
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUo:Q+856utgpPF8u/7o

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x00080000000233bb-4.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233c0-10.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233bf-11.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233c1-24.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233c3-35.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233c2-33.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233c4-42.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233c5-49.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233c6-53.dat	cobalt_reflective_dll
behavioral2/files/0x00080000000233bc-60.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233c9-77.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233ce-99.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233cf-103.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233d0-114.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233cd-96.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233cc-92.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233cb-86.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233ca-79.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233c8-73.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233d1-120.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233d2-122.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

resource	yara_rule
behavioral2/files/0x00080000000233bb-4.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233c0-10.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233bf-11.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233c1-24.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233c3-35.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233c2-33.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233c4-42.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233c5-49.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233c6-53.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00080000000233bc-60.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233c9-77.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233ce-99.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233cf-103.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233d0-114.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233cd-96.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233cc-92.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233cb-86.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233ca-79.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233c8-73.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233d1-120.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233d2-122.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

resource	yara_rule
behavioral2/memory/3576-0-0x00007FF7D2590000-0x00007FF7D28E4000-memory.dmp	UPX
behavioral2/files/0x00080000000233bb-4.dat	UPX
behavioral2/files/0x00070000000233c0-10.dat	UPX
behavioral2/files/0x00070000000233bf-11.dat	UPX
behavioral2/files/0x00070000000233c1-24.dat	UPX
behavioral2/memory/1076-28-0x00007FF713530000-0x00007FF713884000-memory.dmp	UPX
behavioral2/files/0x00070000000233c3-35.dat	UPX
behavioral2/files/0x00070000000233c2-33.dat	UPX
behavioral2/memory/988-37-0x00007FF6A5930000-0x00007FF6A5C84000-memory.dmp	UPX
behavioral2/files/0x00070000000233c4-42.dat	UPX
behavioral2/memory/3924-47-0x00007FF6CA730000-0x00007FF6CAA84000-memory.dmp	UPX
behavioral2/files/0x00070000000233c5-49.dat	UPX
behavioral2/memory/4280-48-0x00007FF77EEC0000-0x00007FF77F214000-memory.dmp	UPX
behavioral2/memory/4816-39-0x00007FF649D90000-0x00007FF64A0E4000-memory.dmp	UPX
behavioral2/memory/4272-20-0x00007FF788AA0000-0x00007FF788DF4000-memory.dmp	UPX
behavioral2/memory/2396-14-0x00007FF65F900000-0x00007FF65FC54000-memory.dmp	UPX
behavioral2/memory/4972-8-0x00007FF68C010000-0x00007FF68C364000-memory.dmp	UPX
behavioral2/files/0x00070000000233c6-53.dat	UPX
behavioral2/memory/1364-54-0x00007FF6D85E0000-0x00007FF6D8934000-memory.dmp	UPX
behavioral2/files/0x00080000000233bc-60.dat	UPX
behavioral2/files/0x00070000000233c9-77.dat	UPX
behavioral2/memory/3576-83-0x00007FF7D2590000-0x00007FF7D28E4000-memory.dmp	UPX
behavioral2/files/0x00070000000233ce-99.dat	UPX
behavioral2/files/0x00070000000233cf-103.dat	UPX
behavioral2/memory/2196-113-0x00007FF64AE70000-0x00007FF64B1C4000-memory.dmp	UPX
behavioral2/memory/1984-117-0x00007FF622F80000-0x00007FF6232D4000-memory.dmp	UPX
behavioral2/memory/1388-116-0x00007FF62C560000-0x00007FF62C8B4000-memory.dmp	UPX
behavioral2/files/0x00070000000233d0-114.dat	UPX
behavioral2/memory/3292-110-0x00007FF659C90000-0x00007FF659FE4000-memory.dmp	UPX
behavioral2/memory/1976-106-0x00007FF6D2D10000-0x00007FF6D3064000-memory.dmp	UPX
behavioral2/memory/2172-102-0x00007FF7D35A0000-0x00007FF7D38F4000-memory.dmp	UPX
behavioral2/memory/536-98-0x00007FF7B4870000-0x00007FF7B4BC4000-memory.dmp	UPX
behavioral2/files/0x00070000000233cd-96.dat	UPX
behavioral2/files/0x00070000000233cc-92.dat	UPX
behavioral2/files/0x00070000000233cb-86.dat	UPX
behavioral2/files/0x00070000000233ca-79.dat	UPX
behavioral2/memory/1316-74-0x00007FF6BA560000-0x00007FF6BA8B4000-memory.dmp	UPX
behavioral2/files/0x00070000000233c8-73.dat	UPX
behavioral2/memory/4860-69-0x00007FF676810000-0x00007FF676B64000-memory.dmp	UPX
behavioral2/memory/4876-68-0x00007FF65DE10000-0x00007FF65E164000-memory.dmp	UPX
behavioral2/files/0x00070000000233d1-120.dat	UPX
behavioral2/files/0x00070000000233d2-122.dat	UPX
behavioral2/memory/4668-128-0x00007FF7D83B0000-0x00007FF7D8704000-memory.dmp	UPX
behavioral2/memory/2332-127-0x00007FF7B52D0000-0x00007FF7B5624000-memory.dmp	UPX
behavioral2/memory/4280-129-0x00007FF77EEC0000-0x00007FF77F214000-memory.dmp	UPX
behavioral2/memory/1364-130-0x00007FF6D85E0000-0x00007FF6D8934000-memory.dmp	UPX
behavioral2/memory/4860-131-0x00007FF676810000-0x00007FF676B64000-memory.dmp	UPX
behavioral2/memory/1316-132-0x00007FF6BA560000-0x00007FF6BA8B4000-memory.dmp	UPX
behavioral2/memory/4972-133-0x00007FF68C010000-0x00007FF68C364000-memory.dmp	UPX
behavioral2/memory/2396-134-0x00007FF65F900000-0x00007FF65FC54000-memory.dmp	UPX
behavioral2/memory/4272-135-0x00007FF788AA0000-0x00007FF788DF4000-memory.dmp	UPX
behavioral2/memory/1076-136-0x00007FF713530000-0x00007FF713884000-memory.dmp	UPX
behavioral2/memory/988-138-0x00007FF6A5930000-0x00007FF6A5C84000-memory.dmp	UPX
behavioral2/memory/4816-137-0x00007FF649D90000-0x00007FF64A0E4000-memory.dmp	UPX
behavioral2/memory/3924-139-0x00007FF6CA730000-0x00007FF6CAA84000-memory.dmp	UPX
behavioral2/memory/4280-140-0x00007FF77EEC0000-0x00007FF77F214000-memory.dmp	UPX
behavioral2/memory/1364-141-0x00007FF6D85E0000-0x00007FF6D8934000-memory.dmp	UPX
behavioral2/memory/4876-142-0x00007FF65DE10000-0x00007FF65E164000-memory.dmp	UPX
behavioral2/memory/1316-143-0x00007FF6BA560000-0x00007FF6BA8B4000-memory.dmp	UPX
behavioral2/memory/536-144-0x00007FF7B4870000-0x00007FF7B4BC4000-memory.dmp	UPX
behavioral2/memory/4860-145-0x00007FF676810000-0x00007FF676B64000-memory.dmp	UPX
behavioral2/memory/1976-148-0x00007FF6D2D10000-0x00007FF6D3064000-memory.dmp	UPX
behavioral2/memory/2172-147-0x00007FF7D35A0000-0x00007FF7D38F4000-memory.dmp	UPX
behavioral2/memory/3292-146-0x00007FF659C90000-0x00007FF659FE4000-memory.dmp	UPX

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/3576-0-0x00007FF7D2590000-0x00007FF7D28E4000-memory.dmp	xmrig
behavioral2/files/0x00080000000233bb-4.dat	xmrig
behavioral2/files/0x00070000000233c0-10.dat	xmrig
behavioral2/files/0x00070000000233bf-11.dat	xmrig
behavioral2/files/0x00070000000233c1-24.dat	xmrig
behavioral2/memory/1076-28-0x00007FF713530000-0x00007FF713884000-memory.dmp	xmrig
behavioral2/files/0x00070000000233c3-35.dat	xmrig
behavioral2/files/0x00070000000233c2-33.dat	xmrig
behavioral2/memory/988-37-0x00007FF6A5930000-0x00007FF6A5C84000-memory.dmp	xmrig
behavioral2/files/0x00070000000233c4-42.dat	xmrig
behavioral2/memory/3924-47-0x00007FF6CA730000-0x00007FF6CAA84000-memory.dmp	xmrig
behavioral2/files/0x00070000000233c5-49.dat	xmrig
behavioral2/memory/4280-48-0x00007FF77EEC0000-0x00007FF77F214000-memory.dmp	xmrig
behavioral2/memory/4816-39-0x00007FF649D90000-0x00007FF64A0E4000-memory.dmp	xmrig
behavioral2/memory/4272-20-0x00007FF788AA0000-0x00007FF788DF4000-memory.dmp	xmrig
behavioral2/memory/2396-14-0x00007FF65F900000-0x00007FF65FC54000-memory.dmp	xmrig
behavioral2/memory/4972-8-0x00007FF68C010000-0x00007FF68C364000-memory.dmp	xmrig
behavioral2/files/0x00070000000233c6-53.dat	xmrig
behavioral2/memory/1364-54-0x00007FF6D85E0000-0x00007FF6D8934000-memory.dmp	xmrig
behavioral2/files/0x00080000000233bc-60.dat	xmrig
behavioral2/files/0x00070000000233c9-77.dat	xmrig
behavioral2/memory/3576-83-0x00007FF7D2590000-0x00007FF7D28E4000-memory.dmp	xmrig
behavioral2/files/0x00070000000233ce-99.dat	xmrig
behavioral2/files/0x00070000000233cf-103.dat	xmrig
behavioral2/memory/2196-113-0x00007FF64AE70000-0x00007FF64B1C4000-memory.dmp	xmrig
behavioral2/memory/1984-117-0x00007FF622F80000-0x00007FF6232D4000-memory.dmp	xmrig
behavioral2/memory/1388-116-0x00007FF62C560000-0x00007FF62C8B4000-memory.dmp	xmrig
behavioral2/files/0x00070000000233d0-114.dat	xmrig
behavioral2/memory/3292-110-0x00007FF659C90000-0x00007FF659FE4000-memory.dmp	xmrig
behavioral2/memory/1976-106-0x00007FF6D2D10000-0x00007FF6D3064000-memory.dmp	xmrig
behavioral2/memory/2172-102-0x00007FF7D35A0000-0x00007FF7D38F4000-memory.dmp	xmrig
behavioral2/memory/536-98-0x00007FF7B4870000-0x00007FF7B4BC4000-memory.dmp	xmrig
behavioral2/files/0x00070000000233cd-96.dat	xmrig
behavioral2/files/0x00070000000233cc-92.dat	xmrig
behavioral2/files/0x00070000000233cb-86.dat	xmrig
behavioral2/files/0x00070000000233ca-79.dat	xmrig
behavioral2/memory/1316-74-0x00007FF6BA560000-0x00007FF6BA8B4000-memory.dmp	xmrig
behavioral2/files/0x00070000000233c8-73.dat	xmrig
behavioral2/memory/4860-69-0x00007FF676810000-0x00007FF676B64000-memory.dmp	xmrig
behavioral2/memory/4876-68-0x00007FF65DE10000-0x00007FF65E164000-memory.dmp	xmrig
behavioral2/files/0x00070000000233d1-120.dat	xmrig
behavioral2/files/0x00070000000233d2-122.dat	xmrig
behavioral2/memory/4668-128-0x00007FF7D83B0000-0x00007FF7D8704000-memory.dmp	xmrig
behavioral2/memory/2332-127-0x00007FF7B52D0000-0x00007FF7B5624000-memory.dmp	xmrig
behavioral2/memory/4280-129-0x00007FF77EEC0000-0x00007FF77F214000-memory.dmp	xmrig
behavioral2/memory/1364-130-0x00007FF6D85E0000-0x00007FF6D8934000-memory.dmp	xmrig
behavioral2/memory/4860-131-0x00007FF676810000-0x00007FF676B64000-memory.dmp	xmrig
behavioral2/memory/1316-132-0x00007FF6BA560000-0x00007FF6BA8B4000-memory.dmp	xmrig
behavioral2/memory/4972-133-0x00007FF68C010000-0x00007FF68C364000-memory.dmp	xmrig
behavioral2/memory/2396-134-0x00007FF65F900000-0x00007FF65FC54000-memory.dmp	xmrig
behavioral2/memory/4272-135-0x00007FF788AA0000-0x00007FF788DF4000-memory.dmp	xmrig
behavioral2/memory/1076-136-0x00007FF713530000-0x00007FF713884000-memory.dmp	xmrig
behavioral2/memory/988-138-0x00007FF6A5930000-0x00007FF6A5C84000-memory.dmp	xmrig
behavioral2/memory/4816-137-0x00007FF649D90000-0x00007FF64A0E4000-memory.dmp	xmrig
behavioral2/memory/3924-139-0x00007FF6CA730000-0x00007FF6CAA84000-memory.dmp	xmrig
behavioral2/memory/4280-140-0x00007FF77EEC0000-0x00007FF77F214000-memory.dmp	xmrig
behavioral2/memory/1364-141-0x00007FF6D85E0000-0x00007FF6D8934000-memory.dmp	xmrig
behavioral2/memory/4876-142-0x00007FF65DE10000-0x00007FF65E164000-memory.dmp	xmrig
behavioral2/memory/1316-143-0x00007FF6BA560000-0x00007FF6BA8B4000-memory.dmp	xmrig
behavioral2/memory/536-144-0x00007FF7B4870000-0x00007FF7B4BC4000-memory.dmp	xmrig
behavioral2/memory/4860-145-0x00007FF676810000-0x00007FF676B64000-memory.dmp	xmrig
behavioral2/memory/1976-148-0x00007FF6D2D10000-0x00007FF6D3064000-memory.dmp	xmrig
behavioral2/memory/2172-147-0x00007FF7D35A0000-0x00007FF7D38F4000-memory.dmp	xmrig
behavioral2/memory/3292-146-0x00007FF659C90000-0x00007FF659FE4000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
4972	KPqEkcz.exe
2396	RwVOymr.exe
4272	QgamQlY.exe
1076	TQIYDIt.exe
988	tzDlDEZ.exe
4816	LzrONRW.exe
3924	gKvGmKo.exe
4280	uipwkWW.exe
1364	KjDogmF.exe
4876	kPETFBn.exe
1316	tDjrGhb.exe
4860	xxSgpEB.exe
536	CaOehpP.exe
1976	vTgzjDd.exe
3292	ljaewEE.exe
2172	ZaplfLd.exe
2196	Qfgkbqg.exe
1388	QcOYBZh.exe
1984	XaOcPBl.exe
2332	EPnEGZm.exe
4668	GWOHIAg.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3576-0-0x00007FF7D2590000-0x00007FF7D28E4000-memory.dmp	upx
behavioral2/files/0x00080000000233bb-4.dat	upx
behavioral2/files/0x00070000000233c0-10.dat	upx
behavioral2/files/0x00070000000233bf-11.dat	upx
behavioral2/files/0x00070000000233c1-24.dat	upx
behavioral2/memory/1076-28-0x00007FF713530000-0x00007FF713884000-memory.dmp	upx
behavioral2/files/0x00070000000233c3-35.dat	upx
behavioral2/files/0x00070000000233c2-33.dat	upx
behavioral2/memory/988-37-0x00007FF6A5930000-0x00007FF6A5C84000-memory.dmp	upx
behavioral2/files/0x00070000000233c4-42.dat	upx
behavioral2/memory/3924-47-0x00007FF6CA730000-0x00007FF6CAA84000-memory.dmp	upx
behavioral2/files/0x00070000000233c5-49.dat	upx
behavioral2/memory/4280-48-0x00007FF77EEC0000-0x00007FF77F214000-memory.dmp	upx
behavioral2/memory/4816-39-0x00007FF649D90000-0x00007FF64A0E4000-memory.dmp	upx
behavioral2/memory/4272-20-0x00007FF788AA0000-0x00007FF788DF4000-memory.dmp	upx
behavioral2/memory/2396-14-0x00007FF65F900000-0x00007FF65FC54000-memory.dmp	upx
behavioral2/memory/4972-8-0x00007FF68C010000-0x00007FF68C364000-memory.dmp	upx
behavioral2/files/0x00070000000233c6-53.dat	upx
behavioral2/memory/1364-54-0x00007FF6D85E0000-0x00007FF6D8934000-memory.dmp	upx
behavioral2/files/0x00080000000233bc-60.dat	upx
behavioral2/files/0x00070000000233c9-77.dat	upx
behavioral2/memory/3576-83-0x00007FF7D2590000-0x00007FF7D28E4000-memory.dmp	upx
behavioral2/files/0x00070000000233ce-99.dat	upx
behavioral2/files/0x00070000000233cf-103.dat	upx
behavioral2/memory/2196-113-0x00007FF64AE70000-0x00007FF64B1C4000-memory.dmp	upx
behavioral2/memory/1984-117-0x00007FF622F80000-0x00007FF6232D4000-memory.dmp	upx
behavioral2/memory/1388-116-0x00007FF62C560000-0x00007FF62C8B4000-memory.dmp	upx
behavioral2/files/0x00070000000233d0-114.dat	upx
behavioral2/memory/3292-110-0x00007FF659C90000-0x00007FF659FE4000-memory.dmp	upx
behavioral2/memory/1976-106-0x00007FF6D2D10000-0x00007FF6D3064000-memory.dmp	upx
behavioral2/memory/2172-102-0x00007FF7D35A0000-0x00007FF7D38F4000-memory.dmp	upx
behavioral2/memory/536-98-0x00007FF7B4870000-0x00007FF7B4BC4000-memory.dmp	upx
behavioral2/files/0x00070000000233cd-96.dat	upx
behavioral2/files/0x00070000000233cc-92.dat	upx
behavioral2/files/0x00070000000233cb-86.dat	upx
behavioral2/files/0x00070000000233ca-79.dat	upx
behavioral2/memory/1316-74-0x00007FF6BA560000-0x00007FF6BA8B4000-memory.dmp	upx
behavioral2/files/0x00070000000233c8-73.dat	upx
behavioral2/memory/4860-69-0x00007FF676810000-0x00007FF676B64000-memory.dmp	upx
behavioral2/memory/4876-68-0x00007FF65DE10000-0x00007FF65E164000-memory.dmp	upx
behavioral2/files/0x00070000000233d1-120.dat	upx
behavioral2/files/0x00070000000233d2-122.dat	upx
behavioral2/memory/4668-128-0x00007FF7D83B0000-0x00007FF7D8704000-memory.dmp	upx
behavioral2/memory/2332-127-0x00007FF7B52D0000-0x00007FF7B5624000-memory.dmp	upx
behavioral2/memory/4280-129-0x00007FF77EEC0000-0x00007FF77F214000-memory.dmp	upx
behavioral2/memory/1364-130-0x00007FF6D85E0000-0x00007FF6D8934000-memory.dmp	upx
behavioral2/memory/4860-131-0x00007FF676810000-0x00007FF676B64000-memory.dmp	upx
behavioral2/memory/1316-132-0x00007FF6BA560000-0x00007FF6BA8B4000-memory.dmp	upx
behavioral2/memory/4972-133-0x00007FF68C010000-0x00007FF68C364000-memory.dmp	upx
behavioral2/memory/2396-134-0x00007FF65F900000-0x00007FF65FC54000-memory.dmp	upx
behavioral2/memory/4272-135-0x00007FF788AA0000-0x00007FF788DF4000-memory.dmp	upx
behavioral2/memory/1076-136-0x00007FF713530000-0x00007FF713884000-memory.dmp	upx
behavioral2/memory/988-138-0x00007FF6A5930000-0x00007FF6A5C84000-memory.dmp	upx
behavioral2/memory/4816-137-0x00007FF649D90000-0x00007FF64A0E4000-memory.dmp	upx
behavioral2/memory/3924-139-0x00007FF6CA730000-0x00007FF6CAA84000-memory.dmp	upx
behavioral2/memory/4280-140-0x00007FF77EEC0000-0x00007FF77F214000-memory.dmp	upx
behavioral2/memory/1364-141-0x00007FF6D85E0000-0x00007FF6D8934000-memory.dmp	upx
behavioral2/memory/4876-142-0x00007FF65DE10000-0x00007FF65E164000-memory.dmp	upx
behavioral2/memory/1316-143-0x00007FF6BA560000-0x00007FF6BA8B4000-memory.dmp	upx
behavioral2/memory/536-144-0x00007FF7B4870000-0x00007FF7B4BC4000-memory.dmp	upx
behavioral2/memory/4860-145-0x00007FF676810000-0x00007FF676B64000-memory.dmp	upx
behavioral2/memory/1976-148-0x00007FF6D2D10000-0x00007FF6D3064000-memory.dmp	upx
behavioral2/memory/2172-147-0x00007FF7D35A0000-0x00007FF7D38F4000-memory.dmp	upx
behavioral2/memory/3292-146-0x00007FF659C90000-0x00007FF659FE4000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\LzrONRW.exe	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\gKvGmKo.exe	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\vTgzjDd.exe	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ljaewEE.exe	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\KPqEkcz.exe	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\tzDlDEZ.exe	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\tDjrGhb.exe	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\Qfgkbqg.exe	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\QcOYBZh.exe	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\XaOcPBl.exe	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\KjDogmF.exe	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\kPETFBn.exe	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\xxSgpEB.exe	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\CaOehpP.exe	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ZaplfLd.exe	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\GWOHIAg.exe	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\RwVOymr.exe	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\TQIYDIt.exe	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\EPnEGZm.exe	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\QgamQlY.exe	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\uipwkWW.exe	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	3576	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	3576	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 3576 wrote to memory of 4972	3576	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe	83
PID 3576 wrote to memory of 4972	3576	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe	83
PID 3576 wrote to memory of 2396	3576	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe	84
PID 3576 wrote to memory of 2396	3576	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe	84
PID 3576 wrote to memory of 4272	3576	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe	85
PID 3576 wrote to memory of 4272	3576	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe	85
PID 3576 wrote to memory of 1076	3576	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe	86
PID 3576 wrote to memory of 1076	3576	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe	86
PID 3576 wrote to memory of 988	3576	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe	87
PID 3576 wrote to memory of 988	3576	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe	87
PID 3576 wrote to memory of 4816	3576	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe	88
PID 3576 wrote to memory of 4816	3576	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe	88
PID 3576 wrote to memory of 3924	3576	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe	89
PID 3576 wrote to memory of 3924	3576	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe	89
PID 3576 wrote to memory of 4280	3576	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe	90
PID 3576 wrote to memory of 4280	3576	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe	90
PID 3576 wrote to memory of 1364	3576	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe	91
PID 3576 wrote to memory of 1364	3576	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe	91
PID 3576 wrote to memory of 4876	3576	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe	92
PID 3576 wrote to memory of 4876	3576	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe	92
PID 3576 wrote to memory of 1316	3576	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe	93
PID 3576 wrote to memory of 1316	3576	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe	93
PID 3576 wrote to memory of 4860	3576	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe	94
PID 3576 wrote to memory of 4860	3576	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe	94
PID 3576 wrote to memory of 536	3576	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe	95
PID 3576 wrote to memory of 536	3576	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe	95
PID 3576 wrote to memory of 1976	3576	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe	96
PID 3576 wrote to memory of 1976	3576	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe	96
PID 3576 wrote to memory of 3292	3576	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe	97
PID 3576 wrote to memory of 3292	3576	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe	97
PID 3576 wrote to memory of 2172	3576	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe	98
PID 3576 wrote to memory of 2172	3576	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe	98
PID 3576 wrote to memory of 2196	3576	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe	99
PID 3576 wrote to memory of 2196	3576	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe	99
PID 3576 wrote to memory of 1388	3576	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe	100
PID 3576 wrote to memory of 1388	3576	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe	100
PID 3576 wrote to memory of 1984	3576	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe	101
PID 3576 wrote to memory of 1984	3576	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe	101
PID 3576 wrote to memory of 2332	3576	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe	102
PID 3576 wrote to memory of 2332	3576	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe	102
PID 3576 wrote to memory of 4668	3576	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe	103
PID 3576 wrote to memory of 4668	3576	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe	103

C:\Users\Admin\AppData\Local\Temp\2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3576
- C:\Windows\System\KPqEkcz.exe
  C:\Windows\System\KPqEkcz.exe
  2⤵
  - Executes dropped EXE
  PID:4972
- C:\Windows\System\RwVOymr.exe
  C:\Windows\System\RwVOymr.exe
  2⤵
  - Executes dropped EXE
  PID:2396
- C:\Windows\System\QgamQlY.exe
  C:\Windows\System\QgamQlY.exe
  2⤵
  - Executes dropped EXE
  PID:4272
- C:\Windows\System\TQIYDIt.exe
  C:\Windows\System\TQIYDIt.exe
  2⤵
  - Executes dropped EXE
  PID:1076
- C:\Windows\System\tzDlDEZ.exe
  C:\Windows\System\tzDlDEZ.exe
  2⤵
  - Executes dropped EXE
  PID:988
- C:\Windows\System\LzrONRW.exe
  C:\Windows\System\LzrONRW.exe
  2⤵
  - Executes dropped EXE
  PID:4816
- C:\Windows\System\gKvGmKo.exe
  C:\Windows\System\gKvGmKo.exe
  2⤵
  - Executes dropped EXE
  PID:3924
- C:\Windows\System\uipwkWW.exe
  C:\Windows\System\uipwkWW.exe
  2⤵
  - Executes dropped EXE
  PID:4280
- C:\Windows\System\KjDogmF.exe
  C:\Windows\System\KjDogmF.exe
  2⤵
  - Executes dropped EXE
  PID:1364
- C:\Windows\System\kPETFBn.exe
  C:\Windows\System\kPETFBn.exe
  2⤵
  - Executes dropped EXE
  PID:4876
- C:\Windows\System\tDjrGhb.exe
  C:\Windows\System\tDjrGhb.exe
  2⤵
  - Executes dropped EXE
  PID:1316
- C:\Windows\System\xxSgpEB.exe
  C:\Windows\System\xxSgpEB.exe
  2⤵
  - Executes dropped EXE
  PID:4860
- C:\Windows\System\CaOehpP.exe
  C:\Windows\System\CaOehpP.exe
  2⤵
  - Executes dropped EXE
  PID:536
- C:\Windows\System\vTgzjDd.exe
  C:\Windows\System\vTgzjDd.exe
  2⤵
  - Executes dropped EXE
  PID:1976
- C:\Windows\System\ljaewEE.exe
  C:\Windows\System\ljaewEE.exe
  2⤵
  - Executes dropped EXE
  PID:3292
- C:\Windows\System\ZaplfLd.exe
  C:\Windows\System\ZaplfLd.exe
  2⤵
  - Executes dropped EXE
  PID:2172
- C:\Windows\System\Qfgkbqg.exe
  C:\Windows\System\Qfgkbqg.exe
  2⤵
  - Executes dropped EXE
  PID:2196
- C:\Windows\System\QcOYBZh.exe
  C:\Windows\System\QcOYBZh.exe
  2⤵
  - Executes dropped EXE
  PID:1388
- C:\Windows\System\XaOcPBl.exe
  C:\Windows\System\XaOcPBl.exe
  2⤵
  - Executes dropped EXE
  PID:1984
- C:\Windows\System\EPnEGZm.exe
  C:\Windows\System\EPnEGZm.exe
  2⤵
  - Executes dropped EXE
  PID:2332
- C:\Windows\System\GWOHIAg.exe
  C:\Windows\System\GWOHIAg.exe
  2⤵
  - Executes dropped EXE
  PID:4668

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\CaOehpP.exe

Filesize
5.9MB

MD5
62866115ab67953129d2a435b23c5d5c

SHA1
d8a265a14a40634447eed2689b5295c03134787b

SHA256
f06aded6564cb1df026c4be40c3fb6beed1b2399691bc6277e62d34d4aa42b95

SHA512
1fdb664172bd389ecf5f26f3ce78261df532fee4cd074e527b6f173c2eb3c7a8d4fb46ccdc3c010cfbee13c417bcb2a0d860c82edd89f79e8a67a09e9b3ab655

Download Submit
C:\Windows\System\EPnEGZm.exe

Filesize
5.9MB

MD5
ca2e173ba43c7aa1ab2f1f1617329338

SHA1
1bd80d600386775f865c3f76aa30be901b7fa4eb

SHA256
d72510103fc048e12de4ada1a936156fdba90344299dfc5736ddedcc47fce19f

SHA512
c3ac8f79ead77b1dc52909c7d8439aaeac6c157784c7e769d8121cd38485de15d9a2292751fb26c786a884669b32ce23ee39c3210f0266a8a8ae496acbc70dd3

Download Submit
C:\Windows\System\GWOHIAg.exe

Filesize
5.9MB

MD5
9728e6a80f5961edfae545741dbf1f57

SHA1
2c2075d4abdf611795afa35178206d4de81038c9

SHA256
f0e8840c42553963f7f99199fb37b0edf0232820b8b5994353644201ba413cfe

SHA512
806e09a85cc80b405471d42ef29cdd0ad340aa42f12e45cf7a4f4d48d47b8fa1be0d2ebb5b6f6ef56522113ee07cc8f4bdf8c10103284a5b433cf4046b6e686d

Download Submit
C:\Windows\System\KPqEkcz.exe

Filesize
5.9MB

MD5
9fafccdbf958d14f9bb4a041990b6947

SHA1
d21ca18551678f1d0a9524e5767c60a1e92c41ed

SHA256
2204abb1e4a156e14b3c28215443181f1562e98aef52b60dd3d6e9cdb23c8ee0

SHA512
5e7130bed8f2fe685574b25c028b495d2e483230479190636c375d1773524d6bd7f63877b8ab1363cf406f7f6228d934716b4efe57cd8117650bc3c87af8bb71

Download Submit
C:\Windows\System\KjDogmF.exe

Filesize
5.9MB

MD5
b9b1c9ef505424f94c2556166a655784

SHA1
2db753f04f1e36f967a46f7ddcdb60665999448c

SHA256
126c951ef1ac46c41eb80739dffaafba8dd4cd064164834834578ced046bbdbd

SHA512
65490ff11bf13c8d93a3ba96fa0ba9681726cef7ceb0068afd2694be5502e6ee26ebb329509cab3616b3e8b08a01bdc2fab46d7df872fa9853d01779f985a9ff

Download Submit
C:\Windows\System\LzrONRW.exe

Filesize
5.9MB

MD5
cc692a20879cdb0c7039a6031c7f8eb0

SHA1
6968d58ba1bf985398b999a7b14637e08274a497

SHA256
e4bffc98a8e1daa0b20714bf64d580accd391ebc4c12332acb0e120316c1faa2

SHA512
5989f8d13f187ece77c91fd47e7e385f743e506991adbeb8c3e87e770ddebdcab6e2203acdc7c4ae713689fb906465313d64f9e694fa9516e2867b209a413af7

Download Submit
C:\Windows\System\QcOYBZh.exe

Filesize
5.9MB

MD5
88b7487e24336421090b96a9e5a5b0c3

SHA1
498a73c34780f15f06bcacbb4420a859130983ad

SHA256
3ba41c3cbf7fb9c8da70d34fed47c5247fa580d9f818c40bdefe746dfa64622a

SHA512
1ff8d80f35c05c3a80c22b68ae60b6e7f97677cb41981655828ad46e7b5800f9941235879287ecf67dd1c1c6c609da9863caf0d2efa09dd89816c886baef77f4

Download Submit
C:\Windows\System\Qfgkbqg.exe

Filesize
5.9MB

MD5
e61cedb1c1fe445ca5a579786b030bf5

SHA1
629e2998bc0575ee6570fd130c39fbdfcc35f5de

SHA256
3ef096b92fb04c672269beb7e22f452b9f40c84604ff697d51a6691a946319ce

SHA512
2fe9a0ea128f846241717b56549f9ed9947c926a93fee13ed058afbd62d1c34ff9ef76ecb424640c2b5fc9a4ea144fa84e1d2ceea7ff76cb10e4bc6a86de7b1e

Download Submit
C:\Windows\System\QgamQlY.exe

Filesize
5.9MB

MD5
b4fedce44ba708d338f32ae47d890574

SHA1
07a3e8a48665a0c3f5521e3caec345835b148a81

SHA256
55599d7c920f19e9415bf32f3189f616ad3956355222f3f20192ef60b8c1575f

SHA512
0826da4c06dae6e8c8d21d0f80bad778c5af22bcf558bd3aa9b899e6f02241cf90ce35c78d66cc832ff57cbfa7b2d2616b1d41e566b6ea30ffc24dc00e4657c5

Download Submit
C:\Windows\System\RwVOymr.exe

Filesize
5.9MB

MD5
295d3d5bfed0a54aa9942edf56ab2166

SHA1
83f91d7d00068a4367029028b96a10aff27ada87

SHA256
dfb09ec8d285b69d357f0361157b05ed2f0f3468ce43ba995f2498e1c169430f

SHA512
c918f87101316db251d481663050b0fca964c646ba6cde2182a3f7332a869d08f630f93548a387735b56a08c9247e22822f4694d6cb0a429eef7f94959b250e8

Download Submit
C:\Windows\System\TQIYDIt.exe

Filesize
5.9MB

MD5
977621c62d8c07bc765dda08d3f00364

SHA1
f39ffb073ddd7977421d905c1fb478dd09ab5e74

SHA256
8784893a5891a06c7eb923b4eab82ae8d55533051b23083eeec32bbed42407fa

SHA512
75995fa35d56c00f4b26d3c0ad2be851d82d71e0d438481df45830adc1f3c0c6fe649dbe9f0c2242b31f3987dc9d6d5c34d6a429fd05ca38ae644eedcda334e4

Download Submit
C:\Windows\System\XaOcPBl.exe

Filesize
5.9MB

MD5
afa459e687db3b8030dfec4e21547a8c

SHA1
30d21af10836bdecf88c69e076a1ee338268b32c

SHA256
6577813cac043b243936dab9351fc9e963ccb3e6782652ea2f6b01605e1b3c37

SHA512
a8823db220f817f94e72810b00489ef7070e6f9e7b3875339cc8eece4d56f8ee3f09a0c5985242ee2d40b0840743526c057304c38ed4756139d9b5191e271365

Download Submit
C:\Windows\System\ZaplfLd.exe

Filesize
5.9MB

MD5
962756ec8012e57a5af9b52f71a32b0a

SHA1
f90e5ad959a10ac5aee2e029ecc8c0bc9716b46f

SHA256
892b99a2e2cf143ab01a4d6574b8de0dc7850cef66b47f85ee9e0f0e469001b9

SHA512
b2a0882f388e5aa973a03dda167878018bb29ecc25864d6bf2c3802294d93216b4dd12eb735bc6b38c6a705f360cb66c9c058992438f7c98145abc2bdcbc74cf

Download Submit
C:\Windows\System\gKvGmKo.exe

Filesize
5.9MB

MD5
0b5d93484c5bd6920e737213c6bfbd1a

SHA1
990a6838781cc63fc9fe5aceea69cfce7a8515e9

SHA256
bce154aba5ee75f8b153ded1a54960c9f816e3d6ad4b4bd088230d65a4e29e2f

SHA512
dfc6b451ebb5a77053120db8b72e831e8b36e5ef197c0b28d9790070c4e01d6dfccc694da8404863642dc3548125559821f6233a8f528c1ab54ac0056ed845b7

Download Submit
C:\Windows\System\kPETFBn.exe

Filesize
5.9MB

MD5
d8539d98f1210eac07fb1dae214d43b7

SHA1
c5d95590ba22f59ad8d3f4419623f91eeaf5c909

SHA256
d192c188cc14def6a6caeb9a6b4a4c1f2caede6e10b6016e83734e6ab5fe2835

SHA512
2085b303e3829227c35ab402b524271e95884309423ab4f49e06408ab67ffcc815405cd9cf6ad405ab40701867d070b9a0abaad3fcd4856a39a9afe1d526451c

Download Submit
C:\Windows\System\ljaewEE.exe

Filesize
5.9MB

MD5
0bfa87daa8bc4f4eb5acf60659717353

SHA1
6c289b9ba1ee2f2add5d356f00b76f13eba15c3b

SHA256
b00b7d457b60bc19d0005a3fc955310b0f77aa724c2d3c5650c22c44b9ecbdc3

SHA512
accc0df8ef0c1652293236970197a39284ad7eca37b620fd2d0cd77bdaea169f7e4f25017d379a822231e3a8bb830582b9d650b6a35b04026a2bc6ac83ff47ff

Download Submit
C:\Windows\System\tDjrGhb.exe

Filesize
5.9MB

MD5
c543c52a69a4d722e6da6361ae8448c1

SHA1
5b31e5b1683d1377493eae69622a0dc2f32f6325

SHA256
db5f232420a5dcf5cbd80e772970a1f0ce9353b5ac8c4eee1ab0d7c04fa390df

SHA512
07e172cdd8e13c6dc2833bef1882fc51820337c4ef83e1ee90a2cdd2b1a2742c31bd2d67316f836e7b56f1129a85951b999ba7c7902c5b48f705621787cef8c3

Download Submit
C:\Windows\System\tzDlDEZ.exe

Filesize
5.9MB

MD5
18fac120638738e45d3e301ea35773f2

SHA1
b8f4562e265482a89c5f4cf47f888b4971618c76

SHA256
02bbf4cb04a9fd090a1901e768311ea7b338d12e2d4524324d9faa07a9ab7782

SHA512
be31bad5eaac74218d9015899b3f3a8c613659e7696653a6fbafbdcf57df14738310649ba8c405a9c65cb798b1433892b24314185d0ecf6d9afed6de329b52f6

Download Submit
C:\Windows\System\uipwkWW.exe

Filesize
5.9MB

MD5
14f1ad7bafd09993e87b854b0f8dcbdd

SHA1
4dbb1fd94740d39b0778be64b00ea897aa934f36

SHA256
2aa5fdc1edfcd3706fb166b94963e6bc7b279ae556437bb04fc233d6f14b28f6

SHA512
44ec3a006d8ed2ff4d49c2e691f718ab56368b15b228bc20580d93fd54539f3d55b046b3d296cea81bb660b6bfe378757535d4af43aa37ed6083dbfb849dd93d

Download Submit
C:\Windows\System\vTgzjDd.exe

Filesize
5.9MB

MD5
cdc73bd8ac190adfa1254be8faf5502e

SHA1
34b01ada9b3e2efe8ed0b83122d3c058416f23d8

SHA256
6d416deaf8de7344406754d913f9847ba62779b07a85b1ebf6395a7654a6dc86

SHA512
b576e46c1b2b19808a280d2332b07ebdf46f0f7236678756c8b5d8b56046d544d968b8b00b45a8fb398b29ad50d5315657947d9e604e5ed925c305fe368717bd

Download Submit
C:\Windows\System\xxSgpEB.exe

Filesize
5.9MB

MD5
0ea8e6c17da9fcb9bcb34e7c092d6a80

SHA1
b45b41d95c82bfa937dd7618ee380298f6fee05c

SHA256
c8bbc410644766fd5ad2c744ef3dd6e8baf04c31dd515461e40b8b4a0d15cea5

SHA512
95ef140d93c267f54feebdc770cdb04c28b791c3dd229a73508c14e813dc85f5ed14dc9ce91dcc2194eeeeaea0fb1515df9ee883efad10cb37b520345132434c

Download Submit
memory/536-144-0x00007FF7B4870000-0x00007FF7B4BC4000-memory.dmp

Filesize
3.3MB

Download
memory/536-98-0x00007FF7B4870000-0x00007FF7B4BC4000-memory.dmp

Filesize
3.3MB

Download
memory/988-138-0x00007FF6A5930000-0x00007FF6A5C84000-memory.dmp

Filesize
3.3MB

Download
memory/988-37-0x00007FF6A5930000-0x00007FF6A5C84000-memory.dmp

Filesize
3.3MB

Download
memory/1076-136-0x00007FF713530000-0x00007FF713884000-memory.dmp

Filesize
3.3MB

Download
memory/1076-28-0x00007FF713530000-0x00007FF713884000-memory.dmp

Filesize
3.3MB

Download
memory/1316-143-0x00007FF6BA560000-0x00007FF6BA8B4000-memory.dmp

Filesize
3.3MB

Download
memory/1316-74-0x00007FF6BA560000-0x00007FF6BA8B4000-memory.dmp

Filesize
3.3MB

Download
memory/1316-132-0x00007FF6BA560000-0x00007FF6BA8B4000-memory.dmp

Filesize
3.3MB

Download
memory/1364-141-0x00007FF6D85E0000-0x00007FF6D8934000-memory.dmp

Filesize
3.3MB

Download
memory/1364-130-0x00007FF6D85E0000-0x00007FF6D8934000-memory.dmp

Filesize
3.3MB

Download
memory/1364-54-0x00007FF6D85E0000-0x00007FF6D8934000-memory.dmp

Filesize
3.3MB

Download
memory/1388-116-0x00007FF62C560000-0x00007FF62C8B4000-memory.dmp

Filesize
3.3MB

Download
memory/1388-150-0x00007FF62C560000-0x00007FF62C8B4000-memory.dmp

Filesize
3.3MB

Download
memory/1976-106-0x00007FF6D2D10000-0x00007FF6D3064000-memory.dmp

Filesize
3.3MB

Download
memory/1976-148-0x00007FF6D2D10000-0x00007FF6D3064000-memory.dmp

Filesize
3.3MB

Download
memory/1984-117-0x00007FF622F80000-0x00007FF6232D4000-memory.dmp

Filesize
3.3MB

Download
memory/1984-149-0x00007FF622F80000-0x00007FF6232D4000-memory.dmp

Filesize
3.3MB

Download
memory/2172-147-0x00007FF7D35A0000-0x00007FF7D38F4000-memory.dmp

Filesize
3.3MB

Download
memory/2172-102-0x00007FF7D35A0000-0x00007FF7D38F4000-memory.dmp

Filesize
3.3MB

Download
memory/2196-151-0x00007FF64AE70000-0x00007FF64B1C4000-memory.dmp

Filesize
3.3MB

Download
memory/2196-113-0x00007FF64AE70000-0x00007FF64B1C4000-memory.dmp

Filesize
3.3MB

Download
memory/2332-153-0x00007FF7B52D0000-0x00007FF7B5624000-memory.dmp

Filesize
3.3MB

Download
memory/2332-127-0x00007FF7B52D0000-0x00007FF7B5624000-memory.dmp

Filesize
3.3MB

Download
memory/2396-14-0x00007FF65F900000-0x00007FF65FC54000-memory.dmp

Filesize
3.3MB

Download
memory/2396-134-0x00007FF65F900000-0x00007FF65FC54000-memory.dmp

Filesize
3.3MB

Download
memory/3292-110-0x00007FF659C90000-0x00007FF659FE4000-memory.dmp

Filesize
3.3MB

Download
memory/3292-146-0x00007FF659C90000-0x00007FF659FE4000-memory.dmp

Filesize
3.3MB

Download
memory/3576-1-0x0000029854AA0000-0x0000029854AB0000-memory.dmp

Filesize
64KB

Download
memory/3576-0-0x00007FF7D2590000-0x00007FF7D28E4000-memory.dmp

Filesize
3.3MB

Download
memory/3576-83-0x00007FF7D2590000-0x00007FF7D28E4000-memory.dmp

Filesize
3.3MB

Download
memory/3924-47-0x00007FF6CA730000-0x00007FF6CAA84000-memory.dmp

Filesize
3.3MB

Download
memory/3924-139-0x00007FF6CA730000-0x00007FF6CAA84000-memory.dmp

Filesize
3.3MB

Download
memory/4272-20-0x00007FF788AA0000-0x00007FF788DF4000-memory.dmp

Filesize
3.3MB

Download
memory/4272-135-0x00007FF788AA0000-0x00007FF788DF4000-memory.dmp

Filesize
3.3MB

Download
memory/4280-140-0x00007FF77EEC0000-0x00007FF77F214000-memory.dmp

Filesize
3.3MB

Download
memory/4280-48-0x00007FF77EEC0000-0x00007FF77F214000-memory.dmp

Filesize
3.3MB

Download
memory/4280-129-0x00007FF77EEC0000-0x00007FF77F214000-memory.dmp

Filesize
3.3MB

Download
memory/4668-152-0x00007FF7D83B0000-0x00007FF7D8704000-memory.dmp

Filesize
3.3MB

Download
memory/4668-128-0x00007FF7D83B0000-0x00007FF7D8704000-memory.dmp

Filesize
3.3MB

Download
memory/4816-137-0x00007FF649D90000-0x00007FF64A0E4000-memory.dmp

Filesize
3.3MB

Download
memory/4816-39-0x00007FF649D90000-0x00007FF64A0E4000-memory.dmp

Filesize
3.3MB

Download
memory/4860-69-0x00007FF676810000-0x00007FF676B64000-memory.dmp

Filesize
3.3MB

Download
memory/4860-145-0x00007FF676810000-0x00007FF676B64000-memory.dmp

Filesize
3.3MB

Download
memory/4860-131-0x00007FF676810000-0x00007FF676B64000-memory.dmp

Filesize
3.3MB

Download
memory/4876-68-0x00007FF65DE10000-0x00007FF65E164000-memory.dmp

Filesize
3.3MB

Download
memory/4876-142-0x00007FF65DE10000-0x00007FF65E164000-memory.dmp

Filesize
3.3MB

Download
memory/4972-8-0x00007FF68C010000-0x00007FF68C364000-memory.dmp

Filesize
3.3MB

Download
memory/4972-133-0x00007FF68C010000-0x00007FF68C364000-memory.dmp

Filesize
3.3MB

Download