cobaltstrike | 3e37e0761b25fffd306d2f1da6c5140f83b8364515c4cdb35ea5a3b3e0efffee

Analysis

max time kernel
138s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
31/05/2024, 19:24

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-05-31_043bca408cdb98403fa975a671ab594c_cobalt-strike_cobaltstrike.exe
Size

5.9MB
MD5

043bca408cdb98403fa975a671ab594c
SHA1

cc36a0ef74d32dd5930a307cbe15c76b5f2ef99e
SHA256

3e37e0761b25fffd306d2f1da6c5140f83b8364515c4cdb35ea5a3b3e0efffee
SHA512

698ec5e3ecadc943e5d71a109cd99918b20c9f246dfe4c939282b90cbcecbd5ba97b3f48f093d01ce05656fd3987dadf5e2aa54257e69444c668d9ba8a811690
SSDEEP

98304:oemTLkNdfE0pZrt56utgpPFotBER/mQ32lUK:T+856utgpPF8u/7K

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0008000000023454-5.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023458-11.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023459-17.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002345a-23.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002345b-30.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023455-35.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002345d-39.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002345f-54.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002345e-51.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023460-59.dat	cobalt_reflective_dll
behavioral2/files/0x000f000000023384-64.dat	cobalt_reflective_dll
behavioral2/files/0x000900000002338e-72.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023390-81.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023391-85.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023461-93.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023462-99.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023463-108.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023466-117.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023467-127.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023464-113.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023468-131.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023454-5.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023458-11.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023459-17.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002345a-23.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002345b-30.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0008000000023455-35.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002345d-39.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002345f-54.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002345e-51.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023460-59.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000f000000023384-64.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000900000002338e-72.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000a000000023390-81.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000a000000023391-85.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023461-93.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023462-99.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023463-108.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023466-117.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023467-127.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023464-113.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023468-131.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

resource	yara_rule
behavioral2/memory/4964-0-0x00007FF7D5550000-0x00007FF7D58A4000-memory.dmp	UPX
behavioral2/files/0x0008000000023454-5.dat	UPX
behavioral2/memory/5084-8-0x00007FF68B350000-0x00007FF68B6A4000-memory.dmp	UPX
behavioral2/files/0x0007000000023458-11.dat	UPX
behavioral2/memory/2480-12-0x00007FF763880000-0x00007FF763BD4000-memory.dmp	UPX
behavioral2/files/0x0007000000023459-17.dat	UPX
behavioral2/files/0x000700000002345a-23.dat	UPX
behavioral2/memory/4160-22-0x00007FF744810000-0x00007FF744B64000-memory.dmp	UPX
behavioral2/memory/3752-26-0x00007FF7FE600000-0x00007FF7FE954000-memory.dmp	UPX
behavioral2/files/0x000700000002345b-30.dat	UPX
behavioral2/memory/1940-31-0x00007FF76A100000-0x00007FF76A454000-memory.dmp	UPX
behavioral2/files/0x0008000000023455-35.dat	UPX
behavioral2/files/0x000700000002345d-39.dat	UPX
behavioral2/memory/3292-36-0x00007FF61A1E0000-0x00007FF61A534000-memory.dmp	UPX
behavioral2/memory/5108-47-0x00007FF7E2D40000-0x00007FF7E3094000-memory.dmp	UPX
behavioral2/memory/3952-50-0x00007FF7EA8B0000-0x00007FF7EAC04000-memory.dmp	UPX
behavioral2/files/0x000700000002345f-54.dat	UPX
behavioral2/files/0x000700000002345e-51.dat	UPX
behavioral2/memory/5032-56-0x00007FF79D450000-0x00007FF79D7A4000-memory.dmp	UPX
behavioral2/files/0x0007000000023460-59.dat	UPX
behavioral2/memory/880-60-0x00007FF6117E0000-0x00007FF611B34000-memory.dmp	UPX
behavioral2/files/0x000f000000023384-64.dat	UPX
behavioral2/memory/4156-69-0x00007FF742B30000-0x00007FF742E84000-memory.dmp	UPX
behavioral2/memory/4964-68-0x00007FF7D5550000-0x00007FF7D58A4000-memory.dmp	UPX
behavioral2/files/0x000900000002338e-72.dat	UPX
behavioral2/memory/436-75-0x00007FF761C20000-0x00007FF761F74000-memory.dmp	UPX
behavioral2/memory/2480-79-0x00007FF763880000-0x00007FF763BD4000-memory.dmp	UPX
behavioral2/files/0x000a000000023390-81.dat	UPX
behavioral2/memory/2272-80-0x00007FF6D9B70000-0x00007FF6D9EC4000-memory.dmp	UPX
behavioral2/files/0x000a000000023391-85.dat	UPX
behavioral2/memory/4872-89-0x00007FF73D030000-0x00007FF73D384000-memory.dmp	UPX
behavioral2/memory/4160-88-0x00007FF744810000-0x00007FF744B64000-memory.dmp	UPX
behavioral2/files/0x0007000000023461-93.dat	UPX
behavioral2/files/0x0007000000023462-99.dat	UPX
behavioral2/memory/1940-102-0x00007FF76A100000-0x00007FF76A454000-memory.dmp	UPX
behavioral2/memory/1156-105-0x00007FF773720000-0x00007FF773A74000-memory.dmp	UPX
behavioral2/memory/4608-107-0x00007FF72F3E0000-0x00007FF72F734000-memory.dmp	UPX
behavioral2/files/0x0007000000023463-108.dat	UPX
behavioral2/memory/3292-106-0x00007FF61A1E0000-0x00007FF61A534000-memory.dmp	UPX
behavioral2/memory/4412-97-0x00007FF7CF570000-0x00007FF7CF8C4000-memory.dmp	UPX
behavioral2/memory/3952-114-0x00007FF7EA8B0000-0x00007FF7EAC04000-memory.dmp	UPX
behavioral2/memory/4488-118-0x00007FF7B8A10000-0x00007FF7B8D64000-memory.dmp	UPX
behavioral2/files/0x0007000000023466-117.dat	UPX
behavioral2/memory/880-126-0x00007FF6117E0000-0x00007FF611B34000-memory.dmp	UPX
behavioral2/files/0x0007000000023467-127.dat	UPX
behavioral2/memory/1744-129-0x00007FF66FAF0000-0x00007FF66FE44000-memory.dmp	UPX
behavioral2/memory/3980-120-0x00007FF682630000-0x00007FF682984000-memory.dmp	UPX
behavioral2/files/0x0007000000023464-113.dat	UPX
behavioral2/files/0x0007000000023468-131.dat	UPX
behavioral2/memory/1108-134-0x00007FF620460000-0x00007FF6207B4000-memory.dmp	UPX
behavioral2/memory/2272-135-0x00007FF6D9B70000-0x00007FF6D9EC4000-memory.dmp	UPX
behavioral2/memory/4608-136-0x00007FF72F3E0000-0x00007FF72F734000-memory.dmp	UPX
behavioral2/memory/4488-137-0x00007FF7B8A10000-0x00007FF7B8D64000-memory.dmp	UPX
behavioral2/memory/3980-138-0x00007FF682630000-0x00007FF682984000-memory.dmp	UPX
behavioral2/memory/1744-139-0x00007FF66FAF0000-0x00007FF66FE44000-memory.dmp	UPX
behavioral2/memory/5084-140-0x00007FF68B350000-0x00007FF68B6A4000-memory.dmp	UPX
behavioral2/memory/2480-141-0x00007FF763880000-0x00007FF763BD4000-memory.dmp	UPX
behavioral2/memory/4160-142-0x00007FF744810000-0x00007FF744B64000-memory.dmp	UPX
behavioral2/memory/3752-143-0x00007FF7FE600000-0x00007FF7FE954000-memory.dmp	UPX
behavioral2/memory/1940-144-0x00007FF76A100000-0x00007FF76A454000-memory.dmp	UPX
behavioral2/memory/5108-145-0x00007FF7E2D40000-0x00007FF7E3094000-memory.dmp	UPX
behavioral2/memory/3292-146-0x00007FF61A1E0000-0x00007FF61A534000-memory.dmp	UPX
behavioral2/memory/3952-147-0x00007FF7EA8B0000-0x00007FF7EAC04000-memory.dmp	UPX
behavioral2/memory/5032-148-0x00007FF79D450000-0x00007FF79D7A4000-memory.dmp	UPX

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/4964-0-0x00007FF7D5550000-0x00007FF7D58A4000-memory.dmp	xmrig
behavioral2/files/0x0008000000023454-5.dat	xmrig
behavioral2/memory/5084-8-0x00007FF68B350000-0x00007FF68B6A4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023458-11.dat	xmrig
behavioral2/memory/2480-12-0x00007FF763880000-0x00007FF763BD4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023459-17.dat	xmrig
behavioral2/files/0x000700000002345a-23.dat	xmrig
behavioral2/memory/4160-22-0x00007FF744810000-0x00007FF744B64000-memory.dmp	xmrig
behavioral2/memory/3752-26-0x00007FF7FE600000-0x00007FF7FE954000-memory.dmp	xmrig
behavioral2/files/0x000700000002345b-30.dat	xmrig
behavioral2/memory/1940-31-0x00007FF76A100000-0x00007FF76A454000-memory.dmp	xmrig
behavioral2/files/0x0008000000023455-35.dat	xmrig
behavioral2/files/0x000700000002345d-39.dat	xmrig
behavioral2/memory/3292-36-0x00007FF61A1E0000-0x00007FF61A534000-memory.dmp	xmrig
behavioral2/memory/5108-47-0x00007FF7E2D40000-0x00007FF7E3094000-memory.dmp	xmrig
behavioral2/memory/3952-50-0x00007FF7EA8B0000-0x00007FF7EAC04000-memory.dmp	xmrig
behavioral2/files/0x000700000002345f-54.dat	xmrig
behavioral2/files/0x000700000002345e-51.dat	xmrig
behavioral2/memory/5032-56-0x00007FF79D450000-0x00007FF79D7A4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023460-59.dat	xmrig
behavioral2/memory/880-60-0x00007FF6117E0000-0x00007FF611B34000-memory.dmp	xmrig
behavioral2/files/0x000f000000023384-64.dat	xmrig
behavioral2/memory/4156-69-0x00007FF742B30000-0x00007FF742E84000-memory.dmp	xmrig
behavioral2/memory/4964-68-0x00007FF7D5550000-0x00007FF7D58A4000-memory.dmp	xmrig
behavioral2/files/0x000900000002338e-72.dat	xmrig
behavioral2/memory/436-75-0x00007FF761C20000-0x00007FF761F74000-memory.dmp	xmrig
behavioral2/memory/2480-79-0x00007FF763880000-0x00007FF763BD4000-memory.dmp	xmrig
behavioral2/files/0x000a000000023390-81.dat	xmrig
behavioral2/memory/2272-80-0x00007FF6D9B70000-0x00007FF6D9EC4000-memory.dmp	xmrig
behavioral2/files/0x000a000000023391-85.dat	xmrig
behavioral2/memory/4872-89-0x00007FF73D030000-0x00007FF73D384000-memory.dmp	xmrig
behavioral2/memory/4160-88-0x00007FF744810000-0x00007FF744B64000-memory.dmp	xmrig
behavioral2/files/0x0007000000023461-93.dat	xmrig
behavioral2/files/0x0007000000023462-99.dat	xmrig
behavioral2/memory/1940-102-0x00007FF76A100000-0x00007FF76A454000-memory.dmp	xmrig
behavioral2/memory/1156-105-0x00007FF773720000-0x00007FF773A74000-memory.dmp	xmrig
behavioral2/memory/4608-107-0x00007FF72F3E0000-0x00007FF72F734000-memory.dmp	xmrig
behavioral2/files/0x0007000000023463-108.dat	xmrig
behavioral2/memory/3292-106-0x00007FF61A1E0000-0x00007FF61A534000-memory.dmp	xmrig
behavioral2/memory/4412-97-0x00007FF7CF570000-0x00007FF7CF8C4000-memory.dmp	xmrig
behavioral2/memory/3952-114-0x00007FF7EA8B0000-0x00007FF7EAC04000-memory.dmp	xmrig
behavioral2/memory/4488-118-0x00007FF7B8A10000-0x00007FF7B8D64000-memory.dmp	xmrig
behavioral2/files/0x0007000000023466-117.dat	xmrig
behavioral2/memory/880-126-0x00007FF6117E0000-0x00007FF611B34000-memory.dmp	xmrig
behavioral2/files/0x0007000000023467-127.dat	xmrig
behavioral2/memory/1744-129-0x00007FF66FAF0000-0x00007FF66FE44000-memory.dmp	xmrig
behavioral2/memory/3980-120-0x00007FF682630000-0x00007FF682984000-memory.dmp	xmrig
behavioral2/files/0x0007000000023464-113.dat	xmrig
behavioral2/files/0x0007000000023468-131.dat	xmrig
behavioral2/memory/1108-134-0x00007FF620460000-0x00007FF6207B4000-memory.dmp	xmrig
behavioral2/memory/2272-135-0x00007FF6D9B70000-0x00007FF6D9EC4000-memory.dmp	xmrig
behavioral2/memory/4608-136-0x00007FF72F3E0000-0x00007FF72F734000-memory.dmp	xmrig
behavioral2/memory/4488-137-0x00007FF7B8A10000-0x00007FF7B8D64000-memory.dmp	xmrig
behavioral2/memory/3980-138-0x00007FF682630000-0x00007FF682984000-memory.dmp	xmrig
behavioral2/memory/1744-139-0x00007FF66FAF0000-0x00007FF66FE44000-memory.dmp	xmrig
behavioral2/memory/5084-140-0x00007FF68B350000-0x00007FF68B6A4000-memory.dmp	xmrig
behavioral2/memory/2480-141-0x00007FF763880000-0x00007FF763BD4000-memory.dmp	xmrig
behavioral2/memory/4160-142-0x00007FF744810000-0x00007FF744B64000-memory.dmp	xmrig
behavioral2/memory/3752-143-0x00007FF7FE600000-0x00007FF7FE954000-memory.dmp	xmrig
behavioral2/memory/1940-144-0x00007FF76A100000-0x00007FF76A454000-memory.dmp	xmrig
behavioral2/memory/5108-145-0x00007FF7E2D40000-0x00007FF7E3094000-memory.dmp	xmrig
behavioral2/memory/3292-146-0x00007FF61A1E0000-0x00007FF61A534000-memory.dmp	xmrig
behavioral2/memory/3952-147-0x00007FF7EA8B0000-0x00007FF7EAC04000-memory.dmp	xmrig
behavioral2/memory/5032-148-0x00007FF79D450000-0x00007FF79D7A4000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
5084	weWxArS.exe
2480	XxslqBI.exe
4160	MgEaNKJ.exe
3752	NqFLXeH.exe
1940	JlIBadd.exe
3292	dSLdkFD.exe
5108	RAaDuSF.exe
3952	sJkjFTD.exe
5032	RwfvmWN.exe
880	uXxdTFX.exe
4156	joASnLe.exe
436	tKRjYkm.exe
2272	RxrIFqO.exe
4872	HGIrOil.exe
4412	LTOHROv.exe
1156	SRbGKsp.exe
4608	tBHXodw.exe
4488	BwdIzax.exe
3980	eywktWj.exe
1744	xBBvHQa.exe
1108	ntEkBXl.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4964-0-0x00007FF7D5550000-0x00007FF7D58A4000-memory.dmp	upx
behavioral2/files/0x0008000000023454-5.dat	upx
behavioral2/memory/5084-8-0x00007FF68B350000-0x00007FF68B6A4000-memory.dmp	upx
behavioral2/files/0x0007000000023458-11.dat	upx
behavioral2/memory/2480-12-0x00007FF763880000-0x00007FF763BD4000-memory.dmp	upx
behavioral2/files/0x0007000000023459-17.dat	upx
behavioral2/files/0x000700000002345a-23.dat	upx
behavioral2/memory/4160-22-0x00007FF744810000-0x00007FF744B64000-memory.dmp	upx
behavioral2/memory/3752-26-0x00007FF7FE600000-0x00007FF7FE954000-memory.dmp	upx
behavioral2/files/0x000700000002345b-30.dat	upx
behavioral2/memory/1940-31-0x00007FF76A100000-0x00007FF76A454000-memory.dmp	upx
behavioral2/files/0x0008000000023455-35.dat	upx
behavioral2/files/0x000700000002345d-39.dat	upx
behavioral2/memory/3292-36-0x00007FF61A1E0000-0x00007FF61A534000-memory.dmp	upx
behavioral2/memory/5108-47-0x00007FF7E2D40000-0x00007FF7E3094000-memory.dmp	upx
behavioral2/memory/3952-50-0x00007FF7EA8B0000-0x00007FF7EAC04000-memory.dmp	upx
behavioral2/files/0x000700000002345f-54.dat	upx
behavioral2/files/0x000700000002345e-51.dat	upx
behavioral2/memory/5032-56-0x00007FF79D450000-0x00007FF79D7A4000-memory.dmp	upx
behavioral2/files/0x0007000000023460-59.dat	upx
behavioral2/memory/880-60-0x00007FF6117E0000-0x00007FF611B34000-memory.dmp	upx
behavioral2/files/0x000f000000023384-64.dat	upx
behavioral2/memory/4156-69-0x00007FF742B30000-0x00007FF742E84000-memory.dmp	upx
behavioral2/memory/4964-68-0x00007FF7D5550000-0x00007FF7D58A4000-memory.dmp	upx
behavioral2/files/0x000900000002338e-72.dat	upx
behavioral2/memory/436-75-0x00007FF761C20000-0x00007FF761F74000-memory.dmp	upx
behavioral2/memory/2480-79-0x00007FF763880000-0x00007FF763BD4000-memory.dmp	upx
behavioral2/files/0x000a000000023390-81.dat	upx
behavioral2/memory/2272-80-0x00007FF6D9B70000-0x00007FF6D9EC4000-memory.dmp	upx
behavioral2/files/0x000a000000023391-85.dat	upx
behavioral2/memory/4872-89-0x00007FF73D030000-0x00007FF73D384000-memory.dmp	upx
behavioral2/memory/4160-88-0x00007FF744810000-0x00007FF744B64000-memory.dmp	upx
behavioral2/files/0x0007000000023461-93.dat	upx
behavioral2/files/0x0007000000023462-99.dat	upx
behavioral2/memory/1940-102-0x00007FF76A100000-0x00007FF76A454000-memory.dmp	upx
behavioral2/memory/1156-105-0x00007FF773720000-0x00007FF773A74000-memory.dmp	upx
behavioral2/memory/4608-107-0x00007FF72F3E0000-0x00007FF72F734000-memory.dmp	upx
behavioral2/files/0x0007000000023463-108.dat	upx
behavioral2/memory/3292-106-0x00007FF61A1E0000-0x00007FF61A534000-memory.dmp	upx
behavioral2/memory/4412-97-0x00007FF7CF570000-0x00007FF7CF8C4000-memory.dmp	upx
behavioral2/memory/3952-114-0x00007FF7EA8B0000-0x00007FF7EAC04000-memory.dmp	upx
behavioral2/memory/4488-118-0x00007FF7B8A10000-0x00007FF7B8D64000-memory.dmp	upx
behavioral2/files/0x0007000000023466-117.dat	upx
behavioral2/memory/880-126-0x00007FF6117E0000-0x00007FF611B34000-memory.dmp	upx
behavioral2/files/0x0007000000023467-127.dat	upx
behavioral2/memory/1744-129-0x00007FF66FAF0000-0x00007FF66FE44000-memory.dmp	upx
behavioral2/memory/3980-120-0x00007FF682630000-0x00007FF682984000-memory.dmp	upx
behavioral2/files/0x0007000000023464-113.dat	upx
behavioral2/files/0x0007000000023468-131.dat	upx
behavioral2/memory/1108-134-0x00007FF620460000-0x00007FF6207B4000-memory.dmp	upx
behavioral2/memory/2272-135-0x00007FF6D9B70000-0x00007FF6D9EC4000-memory.dmp	upx
behavioral2/memory/4608-136-0x00007FF72F3E0000-0x00007FF72F734000-memory.dmp	upx
behavioral2/memory/4488-137-0x00007FF7B8A10000-0x00007FF7B8D64000-memory.dmp	upx
behavioral2/memory/3980-138-0x00007FF682630000-0x00007FF682984000-memory.dmp	upx
behavioral2/memory/1744-139-0x00007FF66FAF0000-0x00007FF66FE44000-memory.dmp	upx
behavioral2/memory/5084-140-0x00007FF68B350000-0x00007FF68B6A4000-memory.dmp	upx
behavioral2/memory/2480-141-0x00007FF763880000-0x00007FF763BD4000-memory.dmp	upx
behavioral2/memory/4160-142-0x00007FF744810000-0x00007FF744B64000-memory.dmp	upx
behavioral2/memory/3752-143-0x00007FF7FE600000-0x00007FF7FE954000-memory.dmp	upx
behavioral2/memory/1940-144-0x00007FF76A100000-0x00007FF76A454000-memory.dmp	upx
behavioral2/memory/5108-145-0x00007FF7E2D40000-0x00007FF7E3094000-memory.dmp	upx
behavioral2/memory/3292-146-0x00007FF61A1E0000-0x00007FF61A534000-memory.dmp	upx
behavioral2/memory/3952-147-0x00007FF7EA8B0000-0x00007FF7EAC04000-memory.dmp	upx
behavioral2/memory/5032-148-0x00007FF79D450000-0x00007FF79D7A4000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\SRbGKsp.exe	2024-05-31_043bca408cdb98403fa975a671ab594c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\HGIrOil.exe	2024-05-31_043bca408cdb98403fa975a671ab594c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\LTOHROv.exe	2024-05-31_043bca408cdb98403fa975a671ab594c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\dSLdkFD.exe	2024-05-31_043bca408cdb98403fa975a671ab594c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\sJkjFTD.exe	2024-05-31_043bca408cdb98403fa975a671ab594c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\RwfvmWN.exe	2024-05-31_043bca408cdb98403fa975a671ab594c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\uXxdTFX.exe	2024-05-31_043bca408cdb98403fa975a671ab594c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\joASnLe.exe	2024-05-31_043bca408cdb98403fa975a671ab594c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\tKRjYkm.exe	2024-05-31_043bca408cdb98403fa975a671ab594c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\XxslqBI.exe	2024-05-31_043bca408cdb98403fa975a671ab594c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\NqFLXeH.exe	2024-05-31_043bca408cdb98403fa975a671ab594c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ntEkBXl.exe	2024-05-31_043bca408cdb98403fa975a671ab594c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\RxrIFqO.exe	2024-05-31_043bca408cdb98403fa975a671ab594c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\tBHXodw.exe	2024-05-31_043bca408cdb98403fa975a671ab594c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\RAaDuSF.exe	2024-05-31_043bca408cdb98403fa975a671ab594c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\BwdIzax.exe	2024-05-31_043bca408cdb98403fa975a671ab594c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\eywktWj.exe	2024-05-31_043bca408cdb98403fa975a671ab594c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\xBBvHQa.exe	2024-05-31_043bca408cdb98403fa975a671ab594c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\MgEaNKJ.exe	2024-05-31_043bca408cdb98403fa975a671ab594c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\JlIBadd.exe	2024-05-31_043bca408cdb98403fa975a671ab594c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\weWxArS.exe	2024-05-31_043bca408cdb98403fa975a671ab594c_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4964	2024-05-31_043bca408cdb98403fa975a671ab594c_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	4964	2024-05-31_043bca408cdb98403fa975a671ab594c_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4964 wrote to memory of 5084	4964	2024-05-31_043bca408cdb98403fa975a671ab594c_cobalt-strike_cobaltstrike.exe	85
PID 4964 wrote to memory of 5084	4964	2024-05-31_043bca408cdb98403fa975a671ab594c_cobalt-strike_cobaltstrike.exe	85
PID 4964 wrote to memory of 2480	4964	2024-05-31_043bca408cdb98403fa975a671ab594c_cobalt-strike_cobaltstrike.exe	86
PID 4964 wrote to memory of 2480	4964	2024-05-31_043bca408cdb98403fa975a671ab594c_cobalt-strike_cobaltstrike.exe	86
PID 4964 wrote to memory of 4160	4964	2024-05-31_043bca408cdb98403fa975a671ab594c_cobalt-strike_cobaltstrike.exe	87
PID 4964 wrote to memory of 4160	4964	2024-05-31_043bca408cdb98403fa975a671ab594c_cobalt-strike_cobaltstrike.exe	87
PID 4964 wrote to memory of 3752	4964	2024-05-31_043bca408cdb98403fa975a671ab594c_cobalt-strike_cobaltstrike.exe	88
PID 4964 wrote to memory of 3752	4964	2024-05-31_043bca408cdb98403fa975a671ab594c_cobalt-strike_cobaltstrike.exe	88
PID 4964 wrote to memory of 1940	4964	2024-05-31_043bca408cdb98403fa975a671ab594c_cobalt-strike_cobaltstrike.exe	89
PID 4964 wrote to memory of 1940	4964	2024-05-31_043bca408cdb98403fa975a671ab594c_cobalt-strike_cobaltstrike.exe	89
PID 4964 wrote to memory of 3292	4964	2024-05-31_043bca408cdb98403fa975a671ab594c_cobalt-strike_cobaltstrike.exe	90
PID 4964 wrote to memory of 3292	4964	2024-05-31_043bca408cdb98403fa975a671ab594c_cobalt-strike_cobaltstrike.exe	90
PID 4964 wrote to memory of 5108	4964	2024-05-31_043bca408cdb98403fa975a671ab594c_cobalt-strike_cobaltstrike.exe	93
PID 4964 wrote to memory of 5108	4964	2024-05-31_043bca408cdb98403fa975a671ab594c_cobalt-strike_cobaltstrike.exe	93
PID 4964 wrote to memory of 3952	4964	2024-05-31_043bca408cdb98403fa975a671ab594c_cobalt-strike_cobaltstrike.exe	94
PID 4964 wrote to memory of 3952	4964	2024-05-31_043bca408cdb98403fa975a671ab594c_cobalt-strike_cobaltstrike.exe	94
PID 4964 wrote to memory of 5032	4964	2024-05-31_043bca408cdb98403fa975a671ab594c_cobalt-strike_cobaltstrike.exe	96
PID 4964 wrote to memory of 5032	4964	2024-05-31_043bca408cdb98403fa975a671ab594c_cobalt-strike_cobaltstrike.exe	96
PID 4964 wrote to memory of 880	4964	2024-05-31_043bca408cdb98403fa975a671ab594c_cobalt-strike_cobaltstrike.exe	97
PID 4964 wrote to memory of 880	4964	2024-05-31_043bca408cdb98403fa975a671ab594c_cobalt-strike_cobaltstrike.exe	97
PID 4964 wrote to memory of 4156	4964	2024-05-31_043bca408cdb98403fa975a671ab594c_cobalt-strike_cobaltstrike.exe	98
PID 4964 wrote to memory of 4156	4964	2024-05-31_043bca408cdb98403fa975a671ab594c_cobalt-strike_cobaltstrike.exe	98
PID 4964 wrote to memory of 436	4964	2024-05-31_043bca408cdb98403fa975a671ab594c_cobalt-strike_cobaltstrike.exe	99
PID 4964 wrote to memory of 436	4964	2024-05-31_043bca408cdb98403fa975a671ab594c_cobalt-strike_cobaltstrike.exe	99
PID 4964 wrote to memory of 2272	4964	2024-05-31_043bca408cdb98403fa975a671ab594c_cobalt-strike_cobaltstrike.exe	100
PID 4964 wrote to memory of 2272	4964	2024-05-31_043bca408cdb98403fa975a671ab594c_cobalt-strike_cobaltstrike.exe	100
PID 4964 wrote to memory of 4872	4964	2024-05-31_043bca408cdb98403fa975a671ab594c_cobalt-strike_cobaltstrike.exe	101
PID 4964 wrote to memory of 4872	4964	2024-05-31_043bca408cdb98403fa975a671ab594c_cobalt-strike_cobaltstrike.exe	101
PID 4964 wrote to memory of 4412	4964	2024-05-31_043bca408cdb98403fa975a671ab594c_cobalt-strike_cobaltstrike.exe	104
PID 4964 wrote to memory of 4412	4964	2024-05-31_043bca408cdb98403fa975a671ab594c_cobalt-strike_cobaltstrike.exe	104
PID 4964 wrote to memory of 1156	4964	2024-05-31_043bca408cdb98403fa975a671ab594c_cobalt-strike_cobaltstrike.exe	105
PID 4964 wrote to memory of 1156	4964	2024-05-31_043bca408cdb98403fa975a671ab594c_cobalt-strike_cobaltstrike.exe	105
PID 4964 wrote to memory of 4608	4964	2024-05-31_043bca408cdb98403fa975a671ab594c_cobalt-strike_cobaltstrike.exe	106
PID 4964 wrote to memory of 4608	4964	2024-05-31_043bca408cdb98403fa975a671ab594c_cobalt-strike_cobaltstrike.exe	106
PID 4964 wrote to memory of 4488	4964	2024-05-31_043bca408cdb98403fa975a671ab594c_cobalt-strike_cobaltstrike.exe	107
PID 4964 wrote to memory of 4488	4964	2024-05-31_043bca408cdb98403fa975a671ab594c_cobalt-strike_cobaltstrike.exe	107
PID 4964 wrote to memory of 3980	4964	2024-05-31_043bca408cdb98403fa975a671ab594c_cobalt-strike_cobaltstrike.exe	109
PID 4964 wrote to memory of 3980	4964	2024-05-31_043bca408cdb98403fa975a671ab594c_cobalt-strike_cobaltstrike.exe	109
PID 4964 wrote to memory of 1744	4964	2024-05-31_043bca408cdb98403fa975a671ab594c_cobalt-strike_cobaltstrike.exe	111
PID 4964 wrote to memory of 1744	4964	2024-05-31_043bca408cdb98403fa975a671ab594c_cobalt-strike_cobaltstrike.exe	111
PID 4964 wrote to memory of 1108	4964	2024-05-31_043bca408cdb98403fa975a671ab594c_cobalt-strike_cobaltstrike.exe	112
PID 4964 wrote to memory of 1108	4964	2024-05-31_043bca408cdb98403fa975a671ab594c_cobalt-strike_cobaltstrike.exe	112

C:\Users\Admin\AppData\Local\Temp\2024-05-31_043bca408cdb98403fa975a671ab594c_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-31_043bca408cdb98403fa975a671ab594c_cobalt-strike_cobaltstrike.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4964
- C:\Windows\System\weWxArS.exe
  C:\Windows\System\weWxArS.exe
  2⤵
  - Executes dropped EXE
  PID:5084
- C:\Windows\System\XxslqBI.exe
  C:\Windows\System\XxslqBI.exe
  2⤵
  - Executes dropped EXE
  PID:2480
- C:\Windows\System\MgEaNKJ.exe
  C:\Windows\System\MgEaNKJ.exe
  2⤵
  - Executes dropped EXE
  PID:4160
- C:\Windows\System\NqFLXeH.exe
  C:\Windows\System\NqFLXeH.exe
  2⤵
  - Executes dropped EXE
  PID:3752
- C:\Windows\System\JlIBadd.exe
  C:\Windows\System\JlIBadd.exe
  2⤵
  - Executes dropped EXE
  PID:1940
- C:\Windows\System\dSLdkFD.exe
  C:\Windows\System\dSLdkFD.exe
  2⤵
  - Executes dropped EXE
  PID:3292
- C:\Windows\System\RAaDuSF.exe
  C:\Windows\System\RAaDuSF.exe
  2⤵
  - Executes dropped EXE
  PID:5108
- C:\Windows\System\sJkjFTD.exe
  C:\Windows\System\sJkjFTD.exe
  2⤵
  - Executes dropped EXE
  PID:3952
- C:\Windows\System\RwfvmWN.exe
  C:\Windows\System\RwfvmWN.exe
  2⤵
  - Executes dropped EXE
  PID:5032
- C:\Windows\System\uXxdTFX.exe
  C:\Windows\System\uXxdTFX.exe
  2⤵
  - Executes dropped EXE
  PID:880
- C:\Windows\System\joASnLe.exe
  C:\Windows\System\joASnLe.exe
  2⤵
  - Executes dropped EXE
  PID:4156
- C:\Windows\System\tKRjYkm.exe
  C:\Windows\System\tKRjYkm.exe
  2⤵
  - Executes dropped EXE
  PID:436
- C:\Windows\System\RxrIFqO.exe
  C:\Windows\System\RxrIFqO.exe
  2⤵
  - Executes dropped EXE
  PID:2272
- C:\Windows\System\HGIrOil.exe
  C:\Windows\System\HGIrOil.exe
  2⤵
  - Executes dropped EXE
  PID:4872
- C:\Windows\System\LTOHROv.exe
  C:\Windows\System\LTOHROv.exe
  2⤵
  - Executes dropped EXE
  PID:4412
- C:\Windows\System\SRbGKsp.exe
  C:\Windows\System\SRbGKsp.exe
  2⤵
  - Executes dropped EXE
  PID:1156
- C:\Windows\System\tBHXodw.exe
  C:\Windows\System\tBHXodw.exe
  2⤵
  - Executes dropped EXE
  PID:4608
- C:\Windows\System\BwdIzax.exe
  C:\Windows\System\BwdIzax.exe
  2⤵
  - Executes dropped EXE
  PID:4488
- C:\Windows\System\eywktWj.exe
  C:\Windows\System\eywktWj.exe
  2⤵
  - Executes dropped EXE
  PID:3980
- C:\Windows\System\xBBvHQa.exe
  C:\Windows\System\xBBvHQa.exe
  2⤵
  - Executes dropped EXE
  PID:1744
- C:\Windows\System\ntEkBXl.exe
  C:\Windows\System\ntEkBXl.exe
  2⤵
  - Executes dropped EXE
  PID:1108

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\BwdIzax.exe

Filesize
5.9MB

MD5
5ba833cc4c30e62135a095dd93b9ba90

SHA1
3c523cc085af30945b5ef1851a246410655e8fda

SHA256
c9a21289219000ae42988bbcceb13daff695875bcf4a9f4546883065eab7a2b2

SHA512
a9557dc1d10065c6bd388faa05171af404b80e7a7ef44fce98d79145eae1f9c1b042c6aa1bd9949cce5911b3bd09c3c973d1253e0e12d3f244fff5b4001eea71

Download Submit
C:\Windows\System\HGIrOil.exe

Filesize
5.9MB

MD5
154cc1f8f559c63fd4bf44a6b7306598

SHA1
fdd0fac2b94e9cb5e6638a56c6f11a81fe2d8915

SHA256
3b4d9785b4cfca27170eea9bb4e4a898a5dccd45a20b7eb86d33afd0777009d5

SHA512
293af275ecaad80cab8cab5f7d7326387a228db695fdb08bde5ddc6248691cd620d46581b3f9e10ef10b937cfc1c22b7d4d20bfeade1d2eeded49458e5ad2d4d

Download Submit
C:\Windows\System\JlIBadd.exe

Filesize
5.9MB

MD5
ba5d3a4706a25097574c4880f4267926

SHA1
9533e8ced7abee3b512bf679ec0f4fc2a9108d13

SHA256
ce6b52d34d2c6883e8e249c889d4361fc98d25d0d25363de14403d9faa50e5b1

SHA512
9cf12a1919f01f168b6468a3fb47c8f47b1232f20ccc2e8266e6e98245c4a1d83a415eb1407075209ab003847b425c793265c5563367b9dfa18136f390f3161c

Download Submit
C:\Windows\System\LTOHROv.exe

Filesize
5.9MB

MD5
7e2ec4c023037bcd3886b30770d2484d

SHA1
81af9c24f67be1bdd485a953273539f4cdd8cc0a

SHA256
fb0c56bfacfa7ef3165a2819979a22e77aa169a7e3fa54c7afe5879bf9058ffd

SHA512
464d827437f881c11679b39ec34c3d91523eac529996f122c7456a4831b59dc7b0a33b5bdad30bdc8b966c65f6819c1affe4ad993f029827e0982f08e527d1dc

Download Submit
C:\Windows\System\MgEaNKJ.exe

Filesize
5.9MB

MD5
9a3c6551b0e0880d1000548dc0be3688

SHA1
fe669012b5c6f13c8852681e3317e5dba8d61202

SHA256
9f031e50ee1d98c1f6e77c0e60cabe49a092e484670b919b9162986f66ff0986

SHA512
c4825df47e182c85b04bb30cacfacdc6cdcdda5706fe4165ded78b386125b86f1cae81525fd34654730ac569ca7d1267b2b4badfa4c82cacb67a69f9579b53c3

Download Submit
C:\Windows\System\NqFLXeH.exe

Filesize
5.9MB

MD5
b10a12c1b1578541a0056a15057dd8d6

SHA1
3b42ea886cf71e860069d458590cb3a09ae57eda

SHA256
efef225e820519fbdd69234fa3fc563059779c1b41c9ce8497374c81163e71b2

SHA512
93a39a4f55591a99416568c020d45857a2bdab5dd33cde49fde75cb5a4b8ea4edd25351ee12f3dc06fa28e2f1a9f8eb27911a93c25084eb15b2959ef04c4df66

Download Submit
C:\Windows\System\RAaDuSF.exe

Filesize
5.9MB

MD5
21156afcda38d5e844d058e4db86b475

SHA1
9b880b17786386bf3d7aca72407e6c4212cc5684

SHA256
3ce7ebfc5b43072e4b108af471dcd93b17688d0a8ea54f2d2cf63c714f703464

SHA512
0b8c7cfa34a4e734e55f2d533e52ec86d7157117e9bf84f38f2ff9d4b7872aaf885204b00bd9e03e4b5fc7931f652a88230d389f0dcda0e70016b9d577ce9846

Download Submit
C:\Windows\System\RwfvmWN.exe

Filesize
5.9MB

MD5
45259d2075a2b3361cfd75b6869bd197

SHA1
4ee6eb0083f7d569a96385e22306007354b24c6f

SHA256
b1e3cfcc6c276489852c26b9c4df00461c115a367f821a06dafbb00d69879bac

SHA512
7ca44498c5888613ca966306fd0b722e46e04f80d15005ae2934d07288223384ee6236a8925980c93a02e6332d85dcaf706ecfb37a3889e8a0a5a5dd34bacd0e

Download Submit
C:\Windows\System\RxrIFqO.exe

Filesize
5.9MB

MD5
380d8a884dad6ce7df305fc7e6e688ca

SHA1
bf9e765841820fd13661e695b1b5e97863753ca9

SHA256
e7ccff6f79c0daebba60c98ed189e03668446e2d6bbf75b3dd0ca985f8ecb3ee

SHA512
c5b263c91c41115e53536224aabb606710446fd4862e9269edc6fce375d04c602744e743a4b4c7a0eb8635266a6d4abc7658088130cb86a9c293e1918cb62160

Download Submit
C:\Windows\System\SRbGKsp.exe

Filesize
5.9MB

MD5
e441d7f1b8c75d19c50d528ace912e61

SHA1
71c2fc22803c2e3205875bbdbceb1d2458f698a2

SHA256
d5aedef31cb8d87d341ac36ee66f7c8a10d9f8d290d935232e6d083511c52af4

SHA512
2e610591d29e013caf9c6eb41288ae028b9aeb691a2e20ffc4484a7209d1b466c2fb8d43e938ff7b6f802c53c53ae4401022b2f66efbe1df790ac2e483076a28

Download Submit
C:\Windows\System\XxslqBI.exe

Filesize
5.9MB

MD5
5c26148e51fb1034f03a70016fcaeeb8

SHA1
1a83781e8d523f268b980e03eeec772ccdf01c86

SHA256
319fb456caa32ebd77dd60de185414a62868724be1790c66be65fe4d5578de6b

SHA512
32702ddc0019023b55eba6ca3ec45bfaca552a5ae449cb7a1515cf12ac665a7dfb424fb32b6f0e62ac60180a0ab4625eea3d12d31281c37be9f23432857630fb

Download Submit
C:\Windows\System\dSLdkFD.exe

Filesize
5.9MB

MD5
7b795c734b14bd0ffc87b7cebd2157e7

SHA1
41df36ea441badbdbf10bff05dd185dd2556b80c

SHA256
2a65234f6c488081f8ed67d4f417f7bf053b60e3ec0130cc601b09c4e9b529d9

SHA512
b418623edb92e28c91407f56c255ba546b5d46a8f3135d9732b4b697f016cccd3b255b2a13f979300d689c41f80cc1e4e322e8ed05e5e86c6d7fc1ef3e74b7b7

Download Submit
C:\Windows\System\eywktWj.exe

Filesize
5.9MB

MD5
1f6778a4a80f944c3a990e9fe026b45c

SHA1
a0ce20d466a3be6a6bb1424d2033fafbe278744a

SHA256
ff761667da9e37de712e2f7483f69498d1d224ff253b38325f7df6e98ecaf1f9

SHA512
60bd715fa8bba819d5f5a515d68c60a339872279a608066a94d1f3f1dfb04029e9fb108ba96f95be23d861563df05f6f175e1239847fe79d9e39c9f468a08a4c

Download Submit
C:\Windows\System\joASnLe.exe

Filesize
5.9MB

MD5
107c9f8835efe35c21948d50818cd14d

SHA1
13ef57215b6906ab58f255568a8fc37e899c1d12

SHA256
141de55f7765cf0754d0e1a27faea3966bafc45d5e7be4a9ec818025b3e6bbc6

SHA512
9a108087a06476497988121ee69139598d9c78d69a7e7af8072eb59536a62c68c56667bf5c5c859b23aee408cbb5433f49bd6478a83a49a36c84f97750ca9992

Download Submit
C:\Windows\System\ntEkBXl.exe

Filesize
5.9MB

MD5
e97c72c9a81b8d9147b06c7c2ef80348

SHA1
7863682be760544921a68e1793cc6f154d4bc28c

SHA256
de57ab1ac0c63eb016d414cee2afd8b9a92f508eefbd1bedf24311bd199733e4

SHA512
6278dc54cef9273f8bda78887c2958e22912a1df888f4c78a4229765e93497a1201544bad4774abcb83ab141c6c3abdf6b9eca61c12ea641f3ed8223e8b0d046

Download Submit
C:\Windows\System\sJkjFTD.exe

Filesize
5.9MB

MD5
da64396e4bdb6d0df416dd2bf3505281

SHA1
2bc227d318fcca782e649f5a9e9a12c09bc5091c

SHA256
0226434381f5f6fd6b69b7cb1ad824b477252a427ba1ed55e4c5c5749bea173e

SHA512
3f7953d5394526b0bc7461308b8dfbc1219c64389e07993b68f3b427b1a0c1597ad5ddd332bec4b30a05035632eed720b97a74312c879b9fdfd6d9fce2601bfe

Download Submit
C:\Windows\System\tBHXodw.exe

Filesize
5.9MB

MD5
b4a88f7cd0af45f47279edd6348b0365

SHA1
d5535c9c1532dd96ca5ef1d5d2d182ab40d39a41

SHA256
74ee59056ff6ffd260a5d0409ce0f4057bbe384c2b9dedf3d67b18fbbd26b7b0

SHA512
67b3385bd75c8f6befd2507dd1e3b271f62b7610cf95672fc523771e401cac27dcef6ec61a8e77f3ab177683d44577e82198e4136728ff842b9c7a8ecb832ac1

Download Submit
C:\Windows\System\tKRjYkm.exe

Filesize
5.9MB

MD5
1ac141f645200138cb27ab9795cf0d14

SHA1
c54d154247451b0747dd55155866309e2365c40b

SHA256
8cb9f29cd84b9c97d4341628a04d8bb65fab5f86245a62f3df4629dd4ff37b99

SHA512
3684678b4be52cbca2389ce25d924ac8f65884d0f63d6c747425ff27abbbed268541de475ca1fdbb2af27576e1f844dd75ff918c645a72b0a6fdaf90a199611d

Download Submit
C:\Windows\System\uXxdTFX.exe

Filesize
5.9MB

MD5
49d87797d49b152b25f3bc54a9d95d01

SHA1
5c89b296eb3b7ab1837f27115ea5f255100c2326

SHA256
330a8d5f271a1c5d851b2bfd41b53008f838429966873d281851a3a2adbf6c12

SHA512
73102e770072e882c93308680265de2cc2826aa62974457624b6c2e7e1c6548b33c2def2ddec78a89203f92973d18ee3dbd3c0e7d1e6b6d9f77a67ff581f9539

Download Submit
C:\Windows\System\weWxArS.exe

Filesize
5.9MB

MD5
f52fda74478810e2280a3e30962ed0cd

SHA1
81722a4397e6638fef40521bef78b8bf3748da5f

SHA256
d448832425c47390dad45f91b1091ff3ab4d01a3b26d49a01677c26b15e11c2a

SHA512
e6d29016b09a3a0e5164f8fd5a92ebdef4ac1e753082dbc641911c87c9d615e98c52f67dea21250073a4f5d70ef1c0f5d9b7b0c3a0ddecdf4d9b8f87359ef41a

Download Submit
C:\Windows\System\xBBvHQa.exe

Filesize
5.9MB

MD5
97acff96a7f56b979f0e75309991e4de

SHA1
ef28b6e37953d6e5f703c2afc7f515cfe54f3e9a

SHA256
24ccf1365b3e4b7755d91b6ae70e2862c703be5b337fe951d46ac6152750d803

SHA512
bffa9ca50420196e5d2d1ef7212e1113ec449b35fee64d9744012a400fd2f3b394e21273091d7cb15b4674b7ecfa06ab22bf3940a52c4ea9d074c3f5e4545089

Download Submit
memory/436-151-0x00007FF761C20000-0x00007FF761F74000-memory.dmp

Filesize
3.3MB

Download
memory/436-75-0x00007FF761C20000-0x00007FF761F74000-memory.dmp

Filesize
3.3MB

Download
memory/880-149-0x00007FF6117E0000-0x00007FF611B34000-memory.dmp

Filesize
3.3MB

Download
memory/880-126-0x00007FF6117E0000-0x00007FF611B34000-memory.dmp

Filesize
3.3MB

Download
memory/880-60-0x00007FF6117E0000-0x00007FF611B34000-memory.dmp

Filesize
3.3MB

Download
memory/1108-134-0x00007FF620460000-0x00007FF6207B4000-memory.dmp

Filesize
3.3MB

Download
memory/1108-160-0x00007FF620460000-0x00007FF6207B4000-memory.dmp

Filesize
3.3MB

Download
memory/1156-105-0x00007FF773720000-0x00007FF773A74000-memory.dmp

Filesize
3.3MB

Download
memory/1156-155-0x00007FF773720000-0x00007FF773A74000-memory.dmp

Filesize
3.3MB

Download
memory/1744-129-0x00007FF66FAF0000-0x00007FF66FE44000-memory.dmp

Filesize
3.3MB

Download
memory/1744-139-0x00007FF66FAF0000-0x00007FF66FE44000-memory.dmp

Filesize
3.3MB

Download
memory/1744-159-0x00007FF66FAF0000-0x00007FF66FE44000-memory.dmp

Filesize
3.3MB

Download
memory/1940-102-0x00007FF76A100000-0x00007FF76A454000-memory.dmp

Filesize
3.3MB

Download
memory/1940-31-0x00007FF76A100000-0x00007FF76A454000-memory.dmp

Filesize
3.3MB

Download
memory/1940-144-0x00007FF76A100000-0x00007FF76A454000-memory.dmp

Filesize
3.3MB

Download
memory/2272-152-0x00007FF6D9B70000-0x00007FF6D9EC4000-memory.dmp

Filesize
3.3MB

Download
memory/2272-80-0x00007FF6D9B70000-0x00007FF6D9EC4000-memory.dmp

Filesize
3.3MB

Download
memory/2272-135-0x00007FF6D9B70000-0x00007FF6D9EC4000-memory.dmp

Filesize
3.3MB

Download
memory/2480-141-0x00007FF763880000-0x00007FF763BD4000-memory.dmp

Filesize
3.3MB

Download
memory/2480-12-0x00007FF763880000-0x00007FF763BD4000-memory.dmp

Filesize
3.3MB

Download
memory/2480-79-0x00007FF763880000-0x00007FF763BD4000-memory.dmp

Filesize
3.3MB

Download
memory/3292-106-0x00007FF61A1E0000-0x00007FF61A534000-memory.dmp

Filesize
3.3MB

Download
memory/3292-146-0x00007FF61A1E0000-0x00007FF61A534000-memory.dmp

Filesize
3.3MB

Download
memory/3292-36-0x00007FF61A1E0000-0x00007FF61A534000-memory.dmp

Filesize
3.3MB

Download
memory/3752-143-0x00007FF7FE600000-0x00007FF7FE954000-memory.dmp

Filesize
3.3MB

Download
memory/3752-26-0x00007FF7FE600000-0x00007FF7FE954000-memory.dmp

Filesize
3.3MB

Download
memory/3952-114-0x00007FF7EA8B0000-0x00007FF7EAC04000-memory.dmp

Filesize
3.3MB

Download
memory/3952-147-0x00007FF7EA8B0000-0x00007FF7EAC04000-memory.dmp

Filesize
3.3MB

Download
memory/3952-50-0x00007FF7EA8B0000-0x00007FF7EAC04000-memory.dmp

Filesize
3.3MB

Download
memory/3980-120-0x00007FF682630000-0x00007FF682984000-memory.dmp

Filesize
3.3MB

Download
memory/3980-158-0x00007FF682630000-0x00007FF682984000-memory.dmp

Filesize
3.3MB

Download
memory/3980-138-0x00007FF682630000-0x00007FF682984000-memory.dmp

Filesize
3.3MB

Download
memory/4156-150-0x00007FF742B30000-0x00007FF742E84000-memory.dmp

Filesize
3.3MB

Download
memory/4156-69-0x00007FF742B30000-0x00007FF742E84000-memory.dmp

Filesize
3.3MB

Download
memory/4160-142-0x00007FF744810000-0x00007FF744B64000-memory.dmp

Filesize
3.3MB

Download
memory/4160-88-0x00007FF744810000-0x00007FF744B64000-memory.dmp

Filesize
3.3MB

Download
memory/4160-22-0x00007FF744810000-0x00007FF744B64000-memory.dmp

Filesize
3.3MB

Download
memory/4412-97-0x00007FF7CF570000-0x00007FF7CF8C4000-memory.dmp

Filesize
3.3MB

Download
memory/4412-154-0x00007FF7CF570000-0x00007FF7CF8C4000-memory.dmp

Filesize
3.3MB

Download
memory/4488-118-0x00007FF7B8A10000-0x00007FF7B8D64000-memory.dmp

Filesize
3.3MB

Download
memory/4488-137-0x00007FF7B8A10000-0x00007FF7B8D64000-memory.dmp

Filesize
3.3MB

Download
memory/4488-157-0x00007FF7B8A10000-0x00007FF7B8D64000-memory.dmp

Filesize
3.3MB

Download
memory/4608-136-0x00007FF72F3E0000-0x00007FF72F734000-memory.dmp

Filesize
3.3MB

Download
memory/4608-107-0x00007FF72F3E0000-0x00007FF72F734000-memory.dmp

Filesize
3.3MB

Download
memory/4608-156-0x00007FF72F3E0000-0x00007FF72F734000-memory.dmp

Filesize
3.3MB

Download
memory/4872-89-0x00007FF73D030000-0x00007FF73D384000-memory.dmp

Filesize
3.3MB

Download
memory/4872-153-0x00007FF73D030000-0x00007FF73D384000-memory.dmp

Filesize
3.3MB

Download
memory/4964-68-0x00007FF7D5550000-0x00007FF7D58A4000-memory.dmp

Filesize
3.3MB

Download
memory/4964-0-0x00007FF7D5550000-0x00007FF7D58A4000-memory.dmp

Filesize
3.3MB

Download
memory/4964-1-0x000001A2FFEC0000-0x000001A2FFED0000-memory.dmp

Filesize
64KB

Download
memory/5032-148-0x00007FF79D450000-0x00007FF79D7A4000-memory.dmp

Filesize
3.3MB

Download
memory/5032-56-0x00007FF79D450000-0x00007FF79D7A4000-memory.dmp

Filesize
3.3MB

Download
memory/5084-140-0x00007FF68B350000-0x00007FF68B6A4000-memory.dmp

Filesize
3.3MB

Download
memory/5084-8-0x00007FF68B350000-0x00007FF68B6A4000-memory.dmp

Filesize
3.3MB

Download
memory/5108-145-0x00007FF7E2D40000-0x00007FF7E3094000-memory.dmp

Filesize
3.3MB

Download
memory/5108-47-0x00007FF7E2D40000-0x00007FF7E3094000-memory.dmp

Filesize
3.3MB

Download