cobaltstrike | 49478df49e6ad4944cc4533c57126f11b0c1896ab88f4b392a71093144ea5055

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
31/05/2024, 19:49

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe
Size

5.9MB
MD5

59681e401cfb14358033737e53bf3a8d
SHA1

deafac6511fa3ff18c41c81a29dea8306e60e3e0
SHA256

49478df49e6ad4944cc4533c57126f11b0c1896ab88f4b392a71093144ea5055
SHA512

8efc8b68ab3343346890af86f5359bfecfb173cf31d83693b7efa8ee359a140c58c8092a7bd83c0dd24352aea53fb557030d5093db2a191deffe62531d8307eb
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lU4:Q+856utgpPF8u/74

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x00080000000234a4-5.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234a5-12.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234a6-10.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234a7-24.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234a8-29.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234a9-39.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234aa-42.dat	cobalt_reflective_dll
behavioral2/files/0x00080000000234a2-47.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234ac-54.dat	cobalt_reflective_dll
behavioral2/files/0x0006000000022b21-60.dat	cobalt_reflective_dll
behavioral2/files/0x000a00000002341a-74.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234ad-85.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234ae-93.dat	cobalt_reflective_dll
behavioral2/files/0x000d00000002341b-80.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023419-66.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234af-99.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234b1-112.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234b3-126.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234b4-131.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234b2-119.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234b0-107.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

resource	yara_rule
behavioral2/files/0x00080000000234a4-5.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000234a5-12.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000234a6-10.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000234a7-24.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000234a8-29.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000234a9-39.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000234aa-42.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00080000000234a2-47.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000234ac-54.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0006000000022b21-60.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000a00000002341a-74.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000234ad-85.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000234ae-93.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000d00000002341b-80.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000a000000023419-66.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000234af-99.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000234b1-112.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000234b3-126.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000234b4-131.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000234b2-119.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000234b0-107.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

resource	yara_rule
behavioral2/memory/1580-0-0x00007FF620380000-0x00007FF6206D4000-memory.dmp	UPX
behavioral2/files/0x00080000000234a4-5.dat	UPX
behavioral2/memory/4584-8-0x00007FF756E40000-0x00007FF757194000-memory.dmp	UPX
behavioral2/files/0x00070000000234a5-12.dat	UPX
behavioral2/files/0x00070000000234a6-10.dat	UPX
behavioral2/memory/3232-14-0x00007FF6F4110000-0x00007FF6F4464000-memory.dmp	UPX
behavioral2/memory/2816-20-0x00007FF6129A0000-0x00007FF612CF4000-memory.dmp	UPX
behavioral2/files/0x00070000000234a7-24.dat	UPX
behavioral2/files/0x00070000000234a8-29.dat	UPX
behavioral2/memory/4544-31-0x00007FF7B0AF0000-0x00007FF7B0E44000-memory.dmp	UPX
behavioral2/files/0x00070000000234a9-39.dat	UPX
behavioral2/files/0x00070000000234aa-42.dat	UPX
behavioral2/memory/1888-36-0x00007FF796910000-0x00007FF796C64000-memory.dmp	UPX
behavioral2/memory/1596-33-0x00007FF72D860000-0x00007FF72DBB4000-memory.dmp	UPX
behavioral2/memory/1584-44-0x00007FF63E600000-0x00007FF63E954000-memory.dmp	UPX
behavioral2/files/0x00080000000234a2-47.dat	UPX
behavioral2/memory/1240-50-0x00007FF734840000-0x00007FF734B94000-memory.dmp	UPX
behavioral2/memory/4380-56-0x00007FF6D40A0000-0x00007FF6D43F4000-memory.dmp	UPX
behavioral2/files/0x00070000000234ac-54.dat	UPX
behavioral2/files/0x0006000000022b21-60.dat	UPX
behavioral2/files/0x000a00000002341a-74.dat	UPX
behavioral2/files/0x00070000000234ad-85.dat	UPX
behavioral2/memory/4104-87-0x00007FF65ACB0000-0x00007FF65B004000-memory.dmp	UPX
behavioral2/files/0x00070000000234ae-93.dat	UPX
behavioral2/memory/4048-91-0x00007FF7839D0000-0x00007FF783D24000-memory.dmp	UPX
behavioral2/memory/2816-86-0x00007FF6129A0000-0x00007FF612CF4000-memory.dmp	UPX
behavioral2/memory/628-82-0x00007FF6D8160000-0x00007FF6D84B4000-memory.dmp	UPX
behavioral2/files/0x000d00000002341b-80.dat	UPX
behavioral2/memory/3232-76-0x00007FF6F4110000-0x00007FF6F4464000-memory.dmp	UPX
behavioral2/memory/740-70-0x00007FF6AC4E0000-0x00007FF6AC834000-memory.dmp	UPX
behavioral2/memory/4584-69-0x00007FF756E40000-0x00007FF757194000-memory.dmp	UPX
behavioral2/memory/4540-68-0x00007FF798CF0000-0x00007FF799044000-memory.dmp	UPX
behavioral2/files/0x000a000000023419-66.dat	UPX
behavioral2/memory/1580-62-0x00007FF620380000-0x00007FF6206D4000-memory.dmp	UPX
behavioral2/memory/1604-96-0x00007FF7E3B20000-0x00007FF7E3E74000-memory.dmp	UPX
behavioral2/files/0x00070000000234af-99.dat	UPX
behavioral2/memory/1888-102-0x00007FF796910000-0x00007FF796C64000-memory.dmp	UPX
behavioral2/files/0x00070000000234b1-112.dat	UPX
behavioral2/memory/4380-120-0x00007FF6D40A0000-0x00007FF6D43F4000-memory.dmp	UPX
behavioral2/files/0x00070000000234b3-126.dat	UPX
behavioral2/files/0x00070000000234b4-131.dat	UPX
behavioral2/memory/632-129-0x00007FF7CA320000-0x00007FF7CA674000-memory.dmp	UPX
behavioral2/memory/1156-123-0x00007FF78A9E0000-0x00007FF78AD34000-memory.dmp	UPX
behavioral2/files/0x00070000000234b2-119.dat	UPX
behavioral2/memory/1412-118-0x00007FF7AD040000-0x00007FF7AD394000-memory.dmp	UPX
behavioral2/memory/4916-111-0x00007FF6E8DF0000-0x00007FF6E9144000-memory.dmp	UPX
behavioral2/files/0x00070000000234b0-107.dat	UPX
behavioral2/memory/1304-105-0x00007FF7498A0000-0x00007FF749BF4000-memory.dmp	UPX
behavioral2/memory/1768-133-0x00007FF7ADBC0000-0x00007FF7ADF14000-memory.dmp	UPX
behavioral2/memory/4048-134-0x00007FF7839D0000-0x00007FF783D24000-memory.dmp	UPX
behavioral2/memory/4584-135-0x00007FF756E40000-0x00007FF757194000-memory.dmp	UPX
behavioral2/memory/3232-136-0x00007FF6F4110000-0x00007FF6F4464000-memory.dmp	UPX
behavioral2/memory/2816-137-0x00007FF6129A0000-0x00007FF612CF4000-memory.dmp	UPX
behavioral2/memory/4544-138-0x00007FF7B0AF0000-0x00007FF7B0E44000-memory.dmp	UPX
behavioral2/memory/1596-139-0x00007FF72D860000-0x00007FF72DBB4000-memory.dmp	UPX
behavioral2/memory/1584-141-0x00007FF63E600000-0x00007FF63E954000-memory.dmp	UPX
behavioral2/memory/1888-140-0x00007FF796910000-0x00007FF796C64000-memory.dmp	UPX
behavioral2/memory/1240-142-0x00007FF734840000-0x00007FF734B94000-memory.dmp	UPX
behavioral2/memory/4380-143-0x00007FF6D40A0000-0x00007FF6D43F4000-memory.dmp	UPX
behavioral2/memory/4540-144-0x00007FF798CF0000-0x00007FF799044000-memory.dmp	UPX
behavioral2/memory/740-145-0x00007FF6AC4E0000-0x00007FF6AC834000-memory.dmp	UPX
behavioral2/memory/628-146-0x00007FF6D8160000-0x00007FF6D84B4000-memory.dmp	UPX
behavioral2/memory/4104-147-0x00007FF65ACB0000-0x00007FF65B004000-memory.dmp	UPX
behavioral2/memory/1604-148-0x00007FF7E3B20000-0x00007FF7E3E74000-memory.dmp	UPX

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/1580-0-0x00007FF620380000-0x00007FF6206D4000-memory.dmp	xmrig
behavioral2/files/0x00080000000234a4-5.dat	xmrig
behavioral2/memory/4584-8-0x00007FF756E40000-0x00007FF757194000-memory.dmp	xmrig
behavioral2/files/0x00070000000234a5-12.dat	xmrig
behavioral2/files/0x00070000000234a6-10.dat	xmrig
behavioral2/memory/3232-14-0x00007FF6F4110000-0x00007FF6F4464000-memory.dmp	xmrig
behavioral2/memory/2816-20-0x00007FF6129A0000-0x00007FF612CF4000-memory.dmp	xmrig
behavioral2/files/0x00070000000234a7-24.dat	xmrig
behavioral2/files/0x00070000000234a8-29.dat	xmrig
behavioral2/memory/4544-31-0x00007FF7B0AF0000-0x00007FF7B0E44000-memory.dmp	xmrig
behavioral2/files/0x00070000000234a9-39.dat	xmrig
behavioral2/files/0x00070000000234aa-42.dat	xmrig
behavioral2/memory/1888-36-0x00007FF796910000-0x00007FF796C64000-memory.dmp	xmrig
behavioral2/memory/1596-33-0x00007FF72D860000-0x00007FF72DBB4000-memory.dmp	xmrig
behavioral2/memory/1584-44-0x00007FF63E600000-0x00007FF63E954000-memory.dmp	xmrig
behavioral2/files/0x00080000000234a2-47.dat	xmrig
behavioral2/memory/1240-50-0x00007FF734840000-0x00007FF734B94000-memory.dmp	xmrig
behavioral2/memory/4380-56-0x00007FF6D40A0000-0x00007FF6D43F4000-memory.dmp	xmrig
behavioral2/files/0x00070000000234ac-54.dat	xmrig
behavioral2/files/0x0006000000022b21-60.dat	xmrig
behavioral2/files/0x000a00000002341a-74.dat	xmrig
behavioral2/files/0x00070000000234ad-85.dat	xmrig
behavioral2/memory/4104-87-0x00007FF65ACB0000-0x00007FF65B004000-memory.dmp	xmrig
behavioral2/files/0x00070000000234ae-93.dat	xmrig
behavioral2/memory/4048-91-0x00007FF7839D0000-0x00007FF783D24000-memory.dmp	xmrig
behavioral2/memory/2816-86-0x00007FF6129A0000-0x00007FF612CF4000-memory.dmp	xmrig
behavioral2/memory/628-82-0x00007FF6D8160000-0x00007FF6D84B4000-memory.dmp	xmrig
behavioral2/files/0x000d00000002341b-80.dat	xmrig
behavioral2/memory/3232-76-0x00007FF6F4110000-0x00007FF6F4464000-memory.dmp	xmrig
behavioral2/memory/740-70-0x00007FF6AC4E0000-0x00007FF6AC834000-memory.dmp	xmrig
behavioral2/memory/4584-69-0x00007FF756E40000-0x00007FF757194000-memory.dmp	xmrig
behavioral2/memory/4540-68-0x00007FF798CF0000-0x00007FF799044000-memory.dmp	xmrig
behavioral2/files/0x000a000000023419-66.dat	xmrig
behavioral2/memory/1580-62-0x00007FF620380000-0x00007FF6206D4000-memory.dmp	xmrig
behavioral2/memory/1604-96-0x00007FF7E3B20000-0x00007FF7E3E74000-memory.dmp	xmrig
behavioral2/files/0x00070000000234af-99.dat	xmrig
behavioral2/memory/1888-102-0x00007FF796910000-0x00007FF796C64000-memory.dmp	xmrig
behavioral2/files/0x00070000000234b1-112.dat	xmrig
behavioral2/memory/4380-120-0x00007FF6D40A0000-0x00007FF6D43F4000-memory.dmp	xmrig
behavioral2/files/0x00070000000234b3-126.dat	xmrig
behavioral2/files/0x00070000000234b4-131.dat	xmrig
behavioral2/memory/632-129-0x00007FF7CA320000-0x00007FF7CA674000-memory.dmp	xmrig
behavioral2/memory/1156-123-0x00007FF78A9E0000-0x00007FF78AD34000-memory.dmp	xmrig
behavioral2/files/0x00070000000234b2-119.dat	xmrig
behavioral2/memory/1412-118-0x00007FF7AD040000-0x00007FF7AD394000-memory.dmp	xmrig
behavioral2/memory/4916-111-0x00007FF6E8DF0000-0x00007FF6E9144000-memory.dmp	xmrig
behavioral2/files/0x00070000000234b0-107.dat	xmrig
behavioral2/memory/1304-105-0x00007FF7498A0000-0x00007FF749BF4000-memory.dmp	xmrig
behavioral2/memory/1768-133-0x00007FF7ADBC0000-0x00007FF7ADF14000-memory.dmp	xmrig
behavioral2/memory/4048-134-0x00007FF7839D0000-0x00007FF783D24000-memory.dmp	xmrig
behavioral2/memory/4584-135-0x00007FF756E40000-0x00007FF757194000-memory.dmp	xmrig
behavioral2/memory/3232-136-0x00007FF6F4110000-0x00007FF6F4464000-memory.dmp	xmrig
behavioral2/memory/2816-137-0x00007FF6129A0000-0x00007FF612CF4000-memory.dmp	xmrig
behavioral2/memory/4544-138-0x00007FF7B0AF0000-0x00007FF7B0E44000-memory.dmp	xmrig
behavioral2/memory/1596-139-0x00007FF72D860000-0x00007FF72DBB4000-memory.dmp	xmrig
behavioral2/memory/1584-141-0x00007FF63E600000-0x00007FF63E954000-memory.dmp	xmrig
behavioral2/memory/1888-140-0x00007FF796910000-0x00007FF796C64000-memory.dmp	xmrig
behavioral2/memory/1240-142-0x00007FF734840000-0x00007FF734B94000-memory.dmp	xmrig
behavioral2/memory/4380-143-0x00007FF6D40A0000-0x00007FF6D43F4000-memory.dmp	xmrig
behavioral2/memory/4540-144-0x00007FF798CF0000-0x00007FF799044000-memory.dmp	xmrig
behavioral2/memory/740-145-0x00007FF6AC4E0000-0x00007FF6AC834000-memory.dmp	xmrig
behavioral2/memory/628-146-0x00007FF6D8160000-0x00007FF6D84B4000-memory.dmp	xmrig
behavioral2/memory/4104-147-0x00007FF65ACB0000-0x00007FF65B004000-memory.dmp	xmrig
behavioral2/memory/1604-148-0x00007FF7E3B20000-0x00007FF7E3E74000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
4584	XHJOlfn.exe
3232	eXSCKrd.exe
2816	JWFSMbo.exe
4544	nyarDeN.exe
1596	IMpefOP.exe
1888	ElwqTWa.exe
1584	sSJarlD.exe
1240	LzTZtut.exe
4380	HvxSvWB.exe
4540	kGBWcUo.exe
740	yUjUNdB.exe
628	MeJBwOc.exe
4104	QjgRxSH.exe
4048	nNwkHjr.exe
1604	NkSncsq.exe
1304	lnEUJWl.exe
4916	bUXnZFn.exe
1412	CrUrKeS.exe
1156	IuCXUvU.exe
632	vskDasE.exe
1768	qhyEZMd.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1580-0-0x00007FF620380000-0x00007FF6206D4000-memory.dmp	upx
behavioral2/files/0x00080000000234a4-5.dat	upx
behavioral2/memory/4584-8-0x00007FF756E40000-0x00007FF757194000-memory.dmp	upx
behavioral2/files/0x00070000000234a5-12.dat	upx
behavioral2/files/0x00070000000234a6-10.dat	upx
behavioral2/memory/3232-14-0x00007FF6F4110000-0x00007FF6F4464000-memory.dmp	upx
behavioral2/memory/2816-20-0x00007FF6129A0000-0x00007FF612CF4000-memory.dmp	upx
behavioral2/files/0x00070000000234a7-24.dat	upx
behavioral2/files/0x00070000000234a8-29.dat	upx
behavioral2/memory/4544-31-0x00007FF7B0AF0000-0x00007FF7B0E44000-memory.dmp	upx
behavioral2/files/0x00070000000234a9-39.dat	upx
behavioral2/files/0x00070000000234aa-42.dat	upx
behavioral2/memory/1888-36-0x00007FF796910000-0x00007FF796C64000-memory.dmp	upx
behavioral2/memory/1596-33-0x00007FF72D860000-0x00007FF72DBB4000-memory.dmp	upx
behavioral2/memory/1584-44-0x00007FF63E600000-0x00007FF63E954000-memory.dmp	upx
behavioral2/files/0x00080000000234a2-47.dat	upx
behavioral2/memory/1240-50-0x00007FF734840000-0x00007FF734B94000-memory.dmp	upx
behavioral2/memory/4380-56-0x00007FF6D40A0000-0x00007FF6D43F4000-memory.dmp	upx
behavioral2/files/0x00070000000234ac-54.dat	upx
behavioral2/files/0x0006000000022b21-60.dat	upx
behavioral2/files/0x000a00000002341a-74.dat	upx
behavioral2/files/0x00070000000234ad-85.dat	upx
behavioral2/memory/4104-87-0x00007FF65ACB0000-0x00007FF65B004000-memory.dmp	upx
behavioral2/files/0x00070000000234ae-93.dat	upx
behavioral2/memory/4048-91-0x00007FF7839D0000-0x00007FF783D24000-memory.dmp	upx
behavioral2/memory/2816-86-0x00007FF6129A0000-0x00007FF612CF4000-memory.dmp	upx
behavioral2/memory/628-82-0x00007FF6D8160000-0x00007FF6D84B4000-memory.dmp	upx
behavioral2/files/0x000d00000002341b-80.dat	upx
behavioral2/memory/3232-76-0x00007FF6F4110000-0x00007FF6F4464000-memory.dmp	upx
behavioral2/memory/740-70-0x00007FF6AC4E0000-0x00007FF6AC834000-memory.dmp	upx
behavioral2/memory/4584-69-0x00007FF756E40000-0x00007FF757194000-memory.dmp	upx
behavioral2/memory/4540-68-0x00007FF798CF0000-0x00007FF799044000-memory.dmp	upx
behavioral2/files/0x000a000000023419-66.dat	upx
behavioral2/memory/1580-62-0x00007FF620380000-0x00007FF6206D4000-memory.dmp	upx
behavioral2/memory/1604-96-0x00007FF7E3B20000-0x00007FF7E3E74000-memory.dmp	upx
behavioral2/files/0x00070000000234af-99.dat	upx
behavioral2/memory/1888-102-0x00007FF796910000-0x00007FF796C64000-memory.dmp	upx
behavioral2/files/0x00070000000234b1-112.dat	upx
behavioral2/memory/4380-120-0x00007FF6D40A0000-0x00007FF6D43F4000-memory.dmp	upx
behavioral2/files/0x00070000000234b3-126.dat	upx
behavioral2/files/0x00070000000234b4-131.dat	upx
behavioral2/memory/632-129-0x00007FF7CA320000-0x00007FF7CA674000-memory.dmp	upx
behavioral2/memory/1156-123-0x00007FF78A9E0000-0x00007FF78AD34000-memory.dmp	upx
behavioral2/files/0x00070000000234b2-119.dat	upx
behavioral2/memory/1412-118-0x00007FF7AD040000-0x00007FF7AD394000-memory.dmp	upx
behavioral2/memory/4916-111-0x00007FF6E8DF0000-0x00007FF6E9144000-memory.dmp	upx
behavioral2/files/0x00070000000234b0-107.dat	upx
behavioral2/memory/1304-105-0x00007FF7498A0000-0x00007FF749BF4000-memory.dmp	upx
behavioral2/memory/1768-133-0x00007FF7ADBC0000-0x00007FF7ADF14000-memory.dmp	upx
behavioral2/memory/4048-134-0x00007FF7839D0000-0x00007FF783D24000-memory.dmp	upx
behavioral2/memory/4584-135-0x00007FF756E40000-0x00007FF757194000-memory.dmp	upx
behavioral2/memory/3232-136-0x00007FF6F4110000-0x00007FF6F4464000-memory.dmp	upx
behavioral2/memory/2816-137-0x00007FF6129A0000-0x00007FF612CF4000-memory.dmp	upx
behavioral2/memory/4544-138-0x00007FF7B0AF0000-0x00007FF7B0E44000-memory.dmp	upx
behavioral2/memory/1596-139-0x00007FF72D860000-0x00007FF72DBB4000-memory.dmp	upx
behavioral2/memory/1584-141-0x00007FF63E600000-0x00007FF63E954000-memory.dmp	upx
behavioral2/memory/1888-140-0x00007FF796910000-0x00007FF796C64000-memory.dmp	upx
behavioral2/memory/1240-142-0x00007FF734840000-0x00007FF734B94000-memory.dmp	upx
behavioral2/memory/4380-143-0x00007FF6D40A0000-0x00007FF6D43F4000-memory.dmp	upx
behavioral2/memory/4540-144-0x00007FF798CF0000-0x00007FF799044000-memory.dmp	upx
behavioral2/memory/740-145-0x00007FF6AC4E0000-0x00007FF6AC834000-memory.dmp	upx
behavioral2/memory/628-146-0x00007FF6D8160000-0x00007FF6D84B4000-memory.dmp	upx
behavioral2/memory/4104-147-0x00007FF65ACB0000-0x00007FF65B004000-memory.dmp	upx
behavioral2/memory/1604-148-0x00007FF7E3B20000-0x00007FF7E3E74000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\MeJBwOc.exe	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\CrUrKeS.exe	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\IuCXUvU.exe	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\eXSCKrd.exe	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\nyarDeN.exe	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\LzTZtut.exe	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\HvxSvWB.exe	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\kGBWcUo.exe	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ElwqTWa.exe	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\yUjUNdB.exe	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\NkSncsq.exe	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\JWFSMbo.exe	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\qhyEZMd.exe	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\lnEUJWl.exe	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\bUXnZFn.exe	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\vskDasE.exe	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\XHJOlfn.exe	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\IMpefOP.exe	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\sSJarlD.exe	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\QjgRxSH.exe	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\nNwkHjr.exe	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1580	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	1580	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 1580 wrote to memory of 4584	1580	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe	83
PID 1580 wrote to memory of 4584	1580	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe	83
PID 1580 wrote to memory of 3232	1580	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe	85
PID 1580 wrote to memory of 3232	1580	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe	85
PID 1580 wrote to memory of 2816	1580	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe	87
PID 1580 wrote to memory of 2816	1580	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe	87
PID 1580 wrote to memory of 4544	1580	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe	89
PID 1580 wrote to memory of 4544	1580	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe	89
PID 1580 wrote to memory of 1596	1580	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe	90
PID 1580 wrote to memory of 1596	1580	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe	90
PID 1580 wrote to memory of 1888	1580	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe	91
PID 1580 wrote to memory of 1888	1580	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe	91
PID 1580 wrote to memory of 1584	1580	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe	92
PID 1580 wrote to memory of 1584	1580	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe	92
PID 1580 wrote to memory of 1240	1580	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe	93
PID 1580 wrote to memory of 1240	1580	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe	93
PID 1580 wrote to memory of 4380	1580	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe	94
PID 1580 wrote to memory of 4380	1580	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe	94
PID 1580 wrote to memory of 4540	1580	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe	95
PID 1580 wrote to memory of 4540	1580	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe	95
PID 1580 wrote to memory of 740	1580	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe	96
PID 1580 wrote to memory of 740	1580	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe	96
PID 1580 wrote to memory of 628	1580	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe	97
PID 1580 wrote to memory of 628	1580	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe	97
PID 1580 wrote to memory of 4104	1580	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe	98
PID 1580 wrote to memory of 4104	1580	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe	98
PID 1580 wrote to memory of 4048	1580	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe	99
PID 1580 wrote to memory of 4048	1580	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe	99
PID 1580 wrote to memory of 1604	1580	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe	100
PID 1580 wrote to memory of 1604	1580	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe	100
PID 1580 wrote to memory of 1304	1580	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe	101
PID 1580 wrote to memory of 1304	1580	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe	101
PID 1580 wrote to memory of 4916	1580	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe	102
PID 1580 wrote to memory of 4916	1580	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe	102
PID 1580 wrote to memory of 1412	1580	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe	103
PID 1580 wrote to memory of 1412	1580	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe	103
PID 1580 wrote to memory of 1156	1580	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe	104
PID 1580 wrote to memory of 1156	1580	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe	104
PID 1580 wrote to memory of 632	1580	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe	105
PID 1580 wrote to memory of 632	1580	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe	105
PID 1580 wrote to memory of 1768	1580	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe	106
PID 1580 wrote to memory of 1768	1580	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe	106

C:\Users\Admin\AppData\Local\Temp\2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1580
- C:\Windows\System\XHJOlfn.exe
  C:\Windows\System\XHJOlfn.exe
  2⤵
  - Executes dropped EXE
  PID:4584
- C:\Windows\System\eXSCKrd.exe
  C:\Windows\System\eXSCKrd.exe
  2⤵
  - Executes dropped EXE
  PID:3232
- C:\Windows\System\JWFSMbo.exe
  C:\Windows\System\JWFSMbo.exe
  2⤵
  - Executes dropped EXE
  PID:2816
- C:\Windows\System\nyarDeN.exe
  C:\Windows\System\nyarDeN.exe
  2⤵
  - Executes dropped EXE
  PID:4544
- C:\Windows\System\IMpefOP.exe
  C:\Windows\System\IMpefOP.exe
  2⤵
  - Executes dropped EXE
  PID:1596
- C:\Windows\System\ElwqTWa.exe
  C:\Windows\System\ElwqTWa.exe
  2⤵
  - Executes dropped EXE
  PID:1888
- C:\Windows\System\sSJarlD.exe
  C:\Windows\System\sSJarlD.exe
  2⤵
  - Executes dropped EXE
  PID:1584
- C:\Windows\System\LzTZtut.exe
  C:\Windows\System\LzTZtut.exe
  2⤵
  - Executes dropped EXE
  PID:1240
- C:\Windows\System\HvxSvWB.exe
  C:\Windows\System\HvxSvWB.exe
  2⤵
  - Executes dropped EXE
  PID:4380
- C:\Windows\System\kGBWcUo.exe
  C:\Windows\System\kGBWcUo.exe
  2⤵
  - Executes dropped EXE
  PID:4540
- C:\Windows\System\yUjUNdB.exe
  C:\Windows\System\yUjUNdB.exe
  2⤵
  - Executes dropped EXE
  PID:740
- C:\Windows\System\MeJBwOc.exe
  C:\Windows\System\MeJBwOc.exe
  2⤵
  - Executes dropped EXE
  PID:628
- C:\Windows\System\QjgRxSH.exe
  C:\Windows\System\QjgRxSH.exe
  2⤵
  - Executes dropped EXE
  PID:4104
- C:\Windows\System\nNwkHjr.exe
  C:\Windows\System\nNwkHjr.exe
  2⤵
  - Executes dropped EXE
  PID:4048
- C:\Windows\System\NkSncsq.exe
  C:\Windows\System\NkSncsq.exe
  2⤵
  - Executes dropped EXE
  PID:1604
- C:\Windows\System\lnEUJWl.exe
  C:\Windows\System\lnEUJWl.exe
  2⤵
  - Executes dropped EXE
  PID:1304
- C:\Windows\System\bUXnZFn.exe
  C:\Windows\System\bUXnZFn.exe
  2⤵
  - Executes dropped EXE
  PID:4916
- C:\Windows\System\CrUrKeS.exe
  C:\Windows\System\CrUrKeS.exe
  2⤵
  - Executes dropped EXE
  PID:1412
- C:\Windows\System\IuCXUvU.exe
  C:\Windows\System\IuCXUvU.exe
  2⤵
  - Executes dropped EXE
  PID:1156
- C:\Windows\System\vskDasE.exe
  C:\Windows\System\vskDasE.exe
  2⤵
  - Executes dropped EXE
  PID:632
- C:\Windows\System\qhyEZMd.exe
  C:\Windows\System\qhyEZMd.exe
  2⤵
  - Executes dropped EXE
  PID:1768

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\CrUrKeS.exe

Filesize
5.9MB

MD5
a926af884d76ee30388e0b21436b9054

SHA1
11a0e75337a0f5b80b1b96500a007547deccdd90

SHA256
51df6955031347360e1af1d7bb1a634257feb945d27ec418ce9775c9ece9c28f

SHA512
f8c1d31a1a33188fcfef9884fe991a8fa298d6c19881b06c43d171486332e2395b74aeb7f99b8dff39b6ebb7b02df23f9d2a4a348f44a29781e150c1ea06f2c9

Download Submit
C:\Windows\System\ElwqTWa.exe

Filesize
5.9MB

MD5
d7f59f8459a1110bd3ce9dae01534c93

SHA1
6354d865e74dc765b2e917b856ec978dc8344086

SHA256
c5c811d48d5e2acf5b46b4ff177afd50f245c1dfc9cbdaa6be728302b3fee6f0

SHA512
6c3a8eb60351a4fc5511739f6aa53914ba407e03bf06c3d1501c9af9abedcb9aeae67ecebe8c0ca681719d04a058c0aaae316ed5374b6301200c41a860f6fc7a

Download Submit
C:\Windows\System\HvxSvWB.exe

Filesize
5.9MB

MD5
c5761ca2e003442574a1263a0522e3c9

SHA1
de2d4b11b3e56696e090832a3b5b84997e97c54f

SHA256
866435fffba8aafdb5cd207c19ba50e40291399bbc022d15a3b64f74fd47c74d

SHA512
a4d362fba3fa16a7bfb805ff7fbcdd6d62e2505341cd23ec5eb1e1289afa64a691e8e1dfa8ace45a2c99ec5c334ceda2e00f2d836650ed0afc5d4957fa67fa14

Download Submit
C:\Windows\System\IMpefOP.exe

Filesize
5.9MB

MD5
3d6f00f55a656de0548d7b068adc5a30

SHA1
ec132557f942283bbb86f5a9d8ca022c1f231ee6

SHA256
8b6585a017dfcca920cc40d2b1ac2daa4708c9390cc74f3a798d54460800cf66

SHA512
3d64cbd0a638b8ddb42db7c23041b15749edd2447b83749002fca9635c695b8729877b04a8e31cdf1256b395f2f02481cfc236a985a866490f853fd8ec080e0c

Download Submit
C:\Windows\System\IuCXUvU.exe

Filesize
5.9MB

MD5
f2279c62c1f8b3959b5840e0ec6d777d

SHA1
4919b11dab3f80c8646f619be3d6003d01199b44

SHA256
7ee538c7b65b38372f8db6ae426ff03712d4d508f17b95bfd370e969c9e30372

SHA512
ff4ae6d9034b8c354d9612c9477efe040c14c75afb9e6898306da31056218388020e7d42fe518dac09ab118e92008a9361b14cd1205242633bcf07700c87bb93

Download Submit
C:\Windows\System\JWFSMbo.exe

Filesize
5.9MB

MD5
6f8681199a3c86b36c2350ac03f7543a

SHA1
474449c50593b928d90b7fbe0a2e349cf6a6c816

SHA256
041239f50fb8b40bf8264a57f5b9b4071b92f46dc90c9541e011365f398d28eb

SHA512
9ff81b98ca9f059a56b039066b1ec56942a15d306578b73f79dd9b3ef0e5ebc6da5169b7f4d6fb9910679be62158ffb0ac70a609399ddfade0eabb2e1d88b399

Download Submit
C:\Windows\System\LzTZtut.exe

Filesize
5.9MB

MD5
19a63100661f4386f0bf567a8b8209f5

SHA1
e4f1d8f6eb83a397e84651bd0ab590569bb0f433

SHA256
c664c55fc44ec1bc2988ed1b76f86c7cab8303ec46ae1ef30e8994de8dfdded4

SHA512
11087fbec9a4bb891bf04189c594e9665f1866736df62069013df13d32c0abb43f97c4dc7967e140591329186780626d6ef11dd3e0d3d433f979c1223178be47

Download Submit
C:\Windows\System\MeJBwOc.exe

Filesize
5.9MB

MD5
1b3d1030f9e119aff21d5e0da0666f97

SHA1
df5c3df72a23f4995e7adf8c828439c37dca8419

SHA256
5a94e96e93b9ee2d680fb42bf2c6f05fc6bfc7a6fa00ae505c22ce3342114305

SHA512
0ee0e9ebb4fabed36e0c430807c01d284a19a3531d6a595152c24e8a8e50536716d1ccf7c89f4c7f01f3ea6c548eae8ac2f5fe5a62328e9a54767364214243dc

Download Submit
C:\Windows\System\NkSncsq.exe

Filesize
5.9MB

MD5
fa9e975bd030a7710a676e5b9c944e4c

SHA1
270284961c84f9a5d061dbe3d156abf15e7584a3

SHA256
65ecf95e49b42f687b6c9150c89903f6cb91a11cb223e80feb21d1f81922e741

SHA512
bc549e80667f8c26885a250a98e2228df424546285fdd07d1cc34e49be2a5cba5ac0194ff270b144e9ada67e412419ba52010dcc3bd56b0bc22c39293c2fd78a

Download Submit
C:\Windows\System\QjgRxSH.exe

Filesize
5.9MB

MD5
a93ef1173da380cb12a54d5cbb93368d

SHA1
b10e95d4f0a39a4a9874a467b00d9ea54b38bac2

SHA256
46aef85ce27248b0eb10a504dddb48422a667304fbffa6d12c59d58ec28a5750

SHA512
8abd82fc1abc4f01c547d040356f0142b24e9e6d9022c81ad58f581eb44ecc5db00937432cd310de5ffeac5c062bec9d5dccea6b20cb11221bd9c27aeed317b7

Download Submit
C:\Windows\System\XHJOlfn.exe

Filesize
5.9MB

MD5
7f750f3c01f2a414d4f3dcf03b74cf28

SHA1
91b6a71ed43d2dc9efdace1d044d78d8b6ec82ac

SHA256
09d031be8395c0379154b3301504efb74a81e36bc9f5f1b177def8ae57199e30

SHA512
3a9f386e37f54e665141761736fcbacf572a6d65eaa00eb481d381e728b5ed6694afd2da68c3e2a4af5885b6975f10335988f0b7fa86e2603c4001db54f0e352

Download Submit
C:\Windows\System\bUXnZFn.exe

Filesize
5.9MB

MD5
519c4e9f9db87f17f1146ff591307ffd

SHA1
45c2ee10a8c5ff8407d8dcc3ecf011fb02cc1eec

SHA256
7d21bf030c72fb2c60be6830f7e47d15626a30898bab8132015a6692b0885c9a

SHA512
1d6c95e2cbdd355afa8fb33e5bc795d51d503cb48d7e04f77dbf7f86ab072dad7fc6abadffbc7fe728301d65cb698800d7d9ae2c7e589cca641de5892dc7d427

Download Submit
C:\Windows\System\eXSCKrd.exe

Filesize
5.9MB

MD5
456faefa9ccc7098a31a712c2ef3fa61

SHA1
925eeef2e220d1534a9caef30f91bbc840a71e39

SHA256
c0d2d83d883efec37ba39e928b9acc2a0f461bb738c46d18eda0cdfc1299dc38

SHA512
c80cde4a0239f6fc2387dddbb41736925b8f17dbf4c4bd1a963bc678705b29b1f0101e0d9e7e848053e097e8f692573c7bfc2d4bf187337b15bc5f1d241a7321

Download Submit
C:\Windows\System\kGBWcUo.exe

Filesize
5.9MB

MD5
fd254ee8cbd4e8fc2efd5c66393bee82

SHA1
3d1e7cc1d3b6c0aec36e7440dee210a3f0043622

SHA256
4ae8f33b371520ded3bd07265cbd3409e7585754bfb9ed6b22d681bfcc6c77eb

SHA512
e9f8183c53cf273c9b842a3562c3bdb4ce4ab9b69708e89f0908f0836463153e461b73166f3ae42ee0b67e02d79448cdd33620d083e7916a21abf2eb5d67bc3b

Download Submit
C:\Windows\System\lnEUJWl.exe

Filesize
5.9MB

MD5
eac4dc3060c5a212362994693809a4bb

SHA1
8fd879c91003b29ca2b609f1052625cdd40a538e

SHA256
fd12ac9b0a05f5cf20637bfb12ef11bd1be2f10ef19b6852f1ceaa6f1a022b3e

SHA512
6366b087341205d2591119f0f828ce15470f07bd2349c5d9fe8abd1193d0964c10b3bf947b5f0b13e6468dd8358d4ddef03808149d6599628995a583b4ef9d9b

Download Submit
C:\Windows\System\nNwkHjr.exe

Filesize
5.9MB

MD5
fe5582e540d8bddd459e63d9500f0b2a

SHA1
5acc94e1d940e091fef36995624623337eaf7db1

SHA256
267ecde29e68ed2c94105b48695d953bdbdb09b99290d0e16d78ce72db3ab28a

SHA512
54cabaa23b8ae05824c14213ec1bff60c52db9fb051cb545c6b066b091af601eacb9f430e756a6bbef2f7c355135245ff9b155ce348844dc10fc83ef9f5790c9

Download Submit
C:\Windows\System\nyarDeN.exe

Filesize
5.9MB

MD5
576138f72a68c2297c139dd87d878c26

SHA1
44189ed324bd6ebe539172e231c971dbf1130147

SHA256
4a60067a6c5dc0039243aa681ce33e99eb578e7e1c9b4f4c019c60a3db3b28a6

SHA512
15ba899bcc48e957dd29dcc9500e6d16665fab995c1897fce56ada954b4c7a8724c5d4f85b51c78abf8fe8c2977c7bebb1dbcd26052e88edac1940b5d89a9463

Download Submit
C:\Windows\System\qhyEZMd.exe

Filesize
5.9MB

MD5
a77540f6dd25e1ae7be5c1f1da673a4d

SHA1
f5886820bce595036eb6345c79fc1bc81b61b34a

SHA256
eeabdb46b863f7aac29cb87f4cf1ab5146d6986a1674e36994e33d5c1eb25168

SHA512
3ced081565396579d32c9da5125d51879eb14865dffb421c3f40f008e2bc026866ca7f7d824f64006eb17a050892a07a153107b2d5cab1327be9649e85b875a2

Download Submit
C:\Windows\System\sSJarlD.exe

Filesize
5.9MB

MD5
217ba379c27ab4a0c6cd6f00778f52a0

SHA1
14e0d0a0f9fd708d7b00137ab5c0ae53067134a8

SHA256
c93c3fb7c6a9f9bb19ed927c4de2889a48c6ca5b7c4c7185e1bb05f0f46e3aab

SHA512
92c0cba3104111f5103dfde44ac0f693fdaa84f5ef2fda5367b71dd274019a53f7eb0d2db9034130eb72869345f91ca4a71beeda20f97f50683817fdfa81aa07

Download Submit
C:\Windows\System\vskDasE.exe

Filesize
5.9MB

MD5
ac65ee9fb81c6a62e094e326a6c714a6

SHA1
1937a08ab0064c367937e8e19371a0bb0d6a74e7

SHA256
d4377af1130541f27887a00175c963d8d133305ff173cb8a39960d2535e029a4

SHA512
a150d5a5698e0ddcae04e32aa45ec8c7192522cacd457884f498dc10d6ad68f47b050857883d59ecb04bf47bbb03a20b4b3c9f7c05c7f7a3db263a60fc936c48

Download Submit
C:\Windows\System\yUjUNdB.exe

Filesize
5.9MB

MD5
6b20df735160da7f4e5896555c34529a

SHA1
43371db5b54f348f2eacfb0b5f66c0db98bbb2a8

SHA256
2a3ae4e52d304e5bf0b359f55ee923b2a8353dfdcb323acd0512e252ba92dc7d

SHA512
e08f55d07216f6708ff1b5f8fffd464fe8ab93ac07b54449e9ae323852563080398e6f9d2103b922e2da1fc1701d4004849131c50e9ce52ca2d3f5bbeb2185c6

Download Submit
memory/628-146-0x00007FF6D8160000-0x00007FF6D84B4000-memory.dmp

Filesize
3.3MB

Download
memory/628-82-0x00007FF6D8160000-0x00007FF6D84B4000-memory.dmp

Filesize
3.3MB

Download
memory/632-129-0x00007FF7CA320000-0x00007FF7CA674000-memory.dmp

Filesize
3.3MB

Download
memory/632-154-0x00007FF7CA320000-0x00007FF7CA674000-memory.dmp

Filesize
3.3MB

Download
memory/740-70-0x00007FF6AC4E0000-0x00007FF6AC834000-memory.dmp

Filesize
3.3MB

Download
memory/740-145-0x00007FF6AC4E0000-0x00007FF6AC834000-memory.dmp

Filesize
3.3MB

Download
memory/1156-153-0x00007FF78A9E0000-0x00007FF78AD34000-memory.dmp

Filesize
3.3MB

Download
memory/1156-123-0x00007FF78A9E0000-0x00007FF78AD34000-memory.dmp

Filesize
3.3MB

Download
memory/1240-142-0x00007FF734840000-0x00007FF734B94000-memory.dmp

Filesize
3.3MB

Download
memory/1240-50-0x00007FF734840000-0x00007FF734B94000-memory.dmp

Filesize
3.3MB

Download
memory/1304-150-0x00007FF7498A0000-0x00007FF749BF4000-memory.dmp

Filesize
3.3MB

Download
memory/1304-105-0x00007FF7498A0000-0x00007FF749BF4000-memory.dmp

Filesize
3.3MB

Download
memory/1412-152-0x00007FF7AD040000-0x00007FF7AD394000-memory.dmp

Filesize
3.3MB

Download
memory/1412-118-0x00007FF7AD040000-0x00007FF7AD394000-memory.dmp

Filesize
3.3MB

Download
memory/1580-62-0x00007FF620380000-0x00007FF6206D4000-memory.dmp

Filesize
3.3MB

Download
memory/1580-0-0x00007FF620380000-0x00007FF6206D4000-memory.dmp

Filesize
3.3MB

Download
memory/1580-1-0x00000249AED90000-0x00000249AEDA0000-memory.dmp

Filesize
64KB

Download
memory/1584-44-0x00007FF63E600000-0x00007FF63E954000-memory.dmp

Filesize
3.3MB

Download
memory/1584-141-0x00007FF63E600000-0x00007FF63E954000-memory.dmp

Filesize
3.3MB

Download
memory/1596-33-0x00007FF72D860000-0x00007FF72DBB4000-memory.dmp

Filesize
3.3MB

Download
memory/1596-139-0x00007FF72D860000-0x00007FF72DBB4000-memory.dmp

Filesize
3.3MB

Download
memory/1604-96-0x00007FF7E3B20000-0x00007FF7E3E74000-memory.dmp

Filesize
3.3MB

Download
memory/1604-148-0x00007FF7E3B20000-0x00007FF7E3E74000-memory.dmp

Filesize
3.3MB

Download
memory/1768-133-0x00007FF7ADBC0000-0x00007FF7ADF14000-memory.dmp

Filesize
3.3MB

Download
memory/1768-155-0x00007FF7ADBC0000-0x00007FF7ADF14000-memory.dmp

Filesize
3.3MB

Download
memory/1888-140-0x00007FF796910000-0x00007FF796C64000-memory.dmp

Filesize
3.3MB

Download
memory/1888-102-0x00007FF796910000-0x00007FF796C64000-memory.dmp

Filesize
3.3MB

Download
memory/1888-36-0x00007FF796910000-0x00007FF796C64000-memory.dmp

Filesize
3.3MB

Download
memory/2816-86-0x00007FF6129A0000-0x00007FF612CF4000-memory.dmp

Filesize
3.3MB

Download
memory/2816-20-0x00007FF6129A0000-0x00007FF612CF4000-memory.dmp

Filesize
3.3MB

Download
memory/2816-137-0x00007FF6129A0000-0x00007FF612CF4000-memory.dmp

Filesize
3.3MB

Download
memory/3232-76-0x00007FF6F4110000-0x00007FF6F4464000-memory.dmp

Filesize
3.3MB

Download
memory/3232-14-0x00007FF6F4110000-0x00007FF6F4464000-memory.dmp

Filesize
3.3MB

Download
memory/3232-136-0x00007FF6F4110000-0x00007FF6F4464000-memory.dmp

Filesize
3.3MB

Download
memory/4048-149-0x00007FF7839D0000-0x00007FF783D24000-memory.dmp

Filesize
3.3MB

Download
memory/4048-134-0x00007FF7839D0000-0x00007FF783D24000-memory.dmp

Filesize
3.3MB

Download
memory/4048-91-0x00007FF7839D0000-0x00007FF783D24000-memory.dmp

Filesize
3.3MB

Download
memory/4104-147-0x00007FF65ACB0000-0x00007FF65B004000-memory.dmp

Filesize
3.3MB

Download
memory/4104-87-0x00007FF65ACB0000-0x00007FF65B004000-memory.dmp

Filesize
3.3MB

Download
memory/4380-120-0x00007FF6D40A0000-0x00007FF6D43F4000-memory.dmp

Filesize
3.3MB

Download
memory/4380-143-0x00007FF6D40A0000-0x00007FF6D43F4000-memory.dmp

Filesize
3.3MB

Download
memory/4380-56-0x00007FF6D40A0000-0x00007FF6D43F4000-memory.dmp

Filesize
3.3MB

Download
memory/4540-68-0x00007FF798CF0000-0x00007FF799044000-memory.dmp

Filesize
3.3MB

Download
memory/4540-144-0x00007FF798CF0000-0x00007FF799044000-memory.dmp

Filesize
3.3MB

Download
memory/4544-138-0x00007FF7B0AF0000-0x00007FF7B0E44000-memory.dmp

Filesize
3.3MB

Download
memory/4544-31-0x00007FF7B0AF0000-0x00007FF7B0E44000-memory.dmp

Filesize
3.3MB

Download
memory/4584-69-0x00007FF756E40000-0x00007FF757194000-memory.dmp

Filesize
3.3MB

Download
memory/4584-135-0x00007FF756E40000-0x00007FF757194000-memory.dmp

Filesize
3.3MB

Download
memory/4584-8-0x00007FF756E40000-0x00007FF757194000-memory.dmp

Filesize
3.3MB

Download
memory/4916-151-0x00007FF6E8DF0000-0x00007FF6E9144000-memory.dmp

Filesize
3.3MB

Download
memory/4916-111-0x00007FF6E8DF0000-0x00007FF6E9144000-memory.dmp

Filesize
3.3MB

Download