cobaltstrike | d36e2dd9ca091d8b9e5e3e60c380bf1531c07f6acd55d656fafe856faae0addb

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01/06/2024, 06:49

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe
Size

5.9MB
MD5

375fe54900829ab58bd8d72e92bcd186
SHA1

27530d6c79be5133cca0cd7147dc390bd245ab66
SHA256

d36e2dd9ca091d8b9e5e3e60c380bf1531c07f6acd55d656fafe856faae0addb
SHA512

998b022f03622974d2d3001c4191fc5a27bb44aefc0a6074df548e7bdd16afe7d6df3d77b9259413a961d170a94492d9738ce111a84b4637c1bbb675131b493e
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUr:Q+856utgpPF8u/7r

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x00080000000233ce-4.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233d3-9.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233d2-12.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233d4-23.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233d5-30.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233d6-35.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233d7-40.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233d9-51.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233db-61.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233dc-65.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233dd-69.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233de-76.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233e1-88.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233e3-104.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233e5-110.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233e4-108.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233e2-98.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233e0-89.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233df-81.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233da-56.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233d8-49.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

resource	yara_rule
behavioral2/files/0x00080000000233ce-4.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233d3-9.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233d2-12.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233d4-23.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233d5-30.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233d6-35.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233d7-40.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233d9-51.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233db-61.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233dc-65.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233dd-69.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233de-76.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233e1-88.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233e3-104.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233e5-110.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233e4-108.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233e2-98.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233e0-89.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233df-81.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233da-56.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233d8-49.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

resource	yara_rule
behavioral2/memory/4348-0-0x00007FF6D9370000-0x00007FF6D96C4000-memory.dmp	UPX
behavioral2/files/0x00080000000233ce-4.dat	UPX
behavioral2/files/0x00070000000233d3-9.dat	UPX
behavioral2/files/0x00070000000233d2-12.dat	UPX
behavioral2/files/0x00070000000233d4-23.dat	UPX
behavioral2/files/0x00070000000233d5-30.dat	UPX
behavioral2/files/0x00070000000233d6-35.dat	UPX
behavioral2/files/0x00070000000233d7-40.dat	UPX
behavioral2/files/0x00070000000233d9-51.dat	UPX
behavioral2/files/0x00070000000233db-61.dat	UPX
behavioral2/files/0x00070000000233dc-65.dat	UPX
behavioral2/files/0x00070000000233dd-69.dat	UPX
behavioral2/files/0x00070000000233de-76.dat	UPX
behavioral2/files/0x00070000000233e1-88.dat	UPX
behavioral2/files/0x00070000000233e3-104.dat	UPX
behavioral2/files/0x00070000000233e5-110.dat	UPX
behavioral2/files/0x00070000000233e4-108.dat	UPX
behavioral2/files/0x00070000000233e2-98.dat	UPX
behavioral2/files/0x00070000000233e0-89.dat	UPX
behavioral2/files/0x00070000000233df-81.dat	UPX
behavioral2/files/0x00070000000233da-56.dat	UPX
behavioral2/files/0x00070000000233d8-49.dat	UPX
behavioral2/memory/768-33-0x00007FF6E60C0000-0x00007FF6E6414000-memory.dmp	UPX
behavioral2/memory/5084-26-0x00007FF63CDD0000-0x00007FF63D124000-memory.dmp	UPX
behavioral2/memory/4388-25-0x00007FF641380000-0x00007FF6416D4000-memory.dmp	UPX
behavioral2/memory/688-19-0x00007FF666440000-0x00007FF666794000-memory.dmp	UPX
behavioral2/memory/1624-10-0x00007FF7A70A0000-0x00007FF7A73F4000-memory.dmp	UPX
behavioral2/memory/1108-112-0x00007FF6B5B60000-0x00007FF6B5EB4000-memory.dmp	UPX
behavioral2/memory/1016-114-0x00007FF713500000-0x00007FF713854000-memory.dmp	UPX
behavioral2/memory/4864-113-0x00007FF7C1A80000-0x00007FF7C1DD4000-memory.dmp	UPX
behavioral2/memory/3424-115-0x00007FF600D60000-0x00007FF6010B4000-memory.dmp	UPX
behavioral2/memory/2024-116-0x00007FF666E00000-0x00007FF667154000-memory.dmp	UPX
behavioral2/memory/2020-118-0x00007FF631F20000-0x00007FF632274000-memory.dmp	UPX
behavioral2/memory/4492-117-0x00007FF63FA70000-0x00007FF63FDC4000-memory.dmp	UPX
behavioral2/memory/744-119-0x00007FF7B72B0000-0x00007FF7B7604000-memory.dmp	UPX
behavioral2/memory/4384-120-0x00007FF6F4E80000-0x00007FF6F51D4000-memory.dmp	UPX
behavioral2/memory/2244-121-0x00007FF7A13D0000-0x00007FF7A1724000-memory.dmp	UPX
behavioral2/memory/4956-122-0x00007FF6A4E90000-0x00007FF6A51E4000-memory.dmp	UPX
behavioral2/memory/1532-124-0x00007FF60B540000-0x00007FF60B894000-memory.dmp	UPX
behavioral2/memory/5076-125-0x00007FF725E80000-0x00007FF7261D4000-memory.dmp	UPX
behavioral2/memory/1156-126-0x00007FF7E2610000-0x00007FF7E2964000-memory.dmp	UPX
behavioral2/memory/4652-127-0x00007FF600B20000-0x00007FF600E74000-memory.dmp	UPX
behavioral2/memory/3836-123-0x00007FF7A9450000-0x00007FF7A97A4000-memory.dmp	UPX
behavioral2/memory/4348-128-0x00007FF6D9370000-0x00007FF6D96C4000-memory.dmp	UPX
behavioral2/memory/1624-129-0x00007FF7A70A0000-0x00007FF7A73F4000-memory.dmp	UPX
behavioral2/memory/688-130-0x00007FF666440000-0x00007FF666794000-memory.dmp	UPX
behavioral2/memory/4388-131-0x00007FF641380000-0x00007FF6416D4000-memory.dmp	UPX
behavioral2/memory/5084-132-0x00007FF63CDD0000-0x00007FF63D124000-memory.dmp	UPX
behavioral2/memory/768-133-0x00007FF6E60C0000-0x00007FF6E6414000-memory.dmp	UPX
behavioral2/memory/1108-134-0x00007FF6B5B60000-0x00007FF6B5EB4000-memory.dmp	UPX
behavioral2/memory/4864-135-0x00007FF7C1A80000-0x00007FF7C1DD4000-memory.dmp	UPX
behavioral2/memory/1016-136-0x00007FF713500000-0x00007FF713854000-memory.dmp	UPX
behavioral2/memory/3424-137-0x00007FF600D60000-0x00007FF6010B4000-memory.dmp	UPX
behavioral2/memory/4492-139-0x00007FF63FA70000-0x00007FF63FDC4000-memory.dmp	UPX
behavioral2/memory/2024-138-0x00007FF666E00000-0x00007FF667154000-memory.dmp	UPX
behavioral2/memory/2020-140-0x00007FF631F20000-0x00007FF632274000-memory.dmp	UPX
behavioral2/memory/744-143-0x00007FF7B72B0000-0x00007FF7B7604000-memory.dmp	UPX
behavioral2/memory/4956-144-0x00007FF6A4E90000-0x00007FF6A51E4000-memory.dmp	UPX
behavioral2/memory/4384-142-0x00007FF6F4E80000-0x00007FF6F51D4000-memory.dmp	UPX
behavioral2/memory/2244-141-0x00007FF7A13D0000-0x00007FF7A1724000-memory.dmp	UPX
behavioral2/memory/4652-145-0x00007FF600B20000-0x00007FF600E74000-memory.dmp	UPX
behavioral2/memory/3836-148-0x00007FF7A9450000-0x00007FF7A97A4000-memory.dmp	UPX
behavioral2/memory/1532-147-0x00007FF60B540000-0x00007FF60B894000-memory.dmp	UPX
behavioral2/memory/5076-146-0x00007FF725E80000-0x00007FF7261D4000-memory.dmp	UPX

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/4348-0-0x00007FF6D9370000-0x00007FF6D96C4000-memory.dmp	xmrig
behavioral2/files/0x00080000000233ce-4.dat	xmrig
behavioral2/files/0x00070000000233d3-9.dat	xmrig
behavioral2/files/0x00070000000233d2-12.dat	xmrig
behavioral2/files/0x00070000000233d4-23.dat	xmrig
behavioral2/files/0x00070000000233d5-30.dat	xmrig
behavioral2/files/0x00070000000233d6-35.dat	xmrig
behavioral2/files/0x00070000000233d7-40.dat	xmrig
behavioral2/files/0x00070000000233d9-51.dat	xmrig
behavioral2/files/0x00070000000233db-61.dat	xmrig
behavioral2/files/0x00070000000233dc-65.dat	xmrig
behavioral2/files/0x00070000000233dd-69.dat	xmrig
behavioral2/files/0x00070000000233de-76.dat	xmrig
behavioral2/files/0x00070000000233e1-88.dat	xmrig
behavioral2/files/0x00070000000233e3-104.dat	xmrig
behavioral2/files/0x00070000000233e5-110.dat	xmrig
behavioral2/files/0x00070000000233e4-108.dat	xmrig
behavioral2/files/0x00070000000233e2-98.dat	xmrig
behavioral2/files/0x00070000000233e0-89.dat	xmrig
behavioral2/files/0x00070000000233df-81.dat	xmrig
behavioral2/files/0x00070000000233da-56.dat	xmrig
behavioral2/files/0x00070000000233d8-49.dat	xmrig
behavioral2/memory/768-33-0x00007FF6E60C0000-0x00007FF6E6414000-memory.dmp	xmrig
behavioral2/memory/5084-26-0x00007FF63CDD0000-0x00007FF63D124000-memory.dmp	xmrig
behavioral2/memory/4388-25-0x00007FF641380000-0x00007FF6416D4000-memory.dmp	xmrig
behavioral2/memory/688-19-0x00007FF666440000-0x00007FF666794000-memory.dmp	xmrig
behavioral2/memory/1624-10-0x00007FF7A70A0000-0x00007FF7A73F4000-memory.dmp	xmrig
behavioral2/memory/1108-112-0x00007FF6B5B60000-0x00007FF6B5EB4000-memory.dmp	xmrig
behavioral2/memory/1016-114-0x00007FF713500000-0x00007FF713854000-memory.dmp	xmrig
behavioral2/memory/4864-113-0x00007FF7C1A80000-0x00007FF7C1DD4000-memory.dmp	xmrig
behavioral2/memory/3424-115-0x00007FF600D60000-0x00007FF6010B4000-memory.dmp	xmrig
behavioral2/memory/2024-116-0x00007FF666E00000-0x00007FF667154000-memory.dmp	xmrig
behavioral2/memory/2020-118-0x00007FF631F20000-0x00007FF632274000-memory.dmp	xmrig
behavioral2/memory/4492-117-0x00007FF63FA70000-0x00007FF63FDC4000-memory.dmp	xmrig
behavioral2/memory/744-119-0x00007FF7B72B0000-0x00007FF7B7604000-memory.dmp	xmrig
behavioral2/memory/4384-120-0x00007FF6F4E80000-0x00007FF6F51D4000-memory.dmp	xmrig
behavioral2/memory/2244-121-0x00007FF7A13D0000-0x00007FF7A1724000-memory.dmp	xmrig
behavioral2/memory/4956-122-0x00007FF6A4E90000-0x00007FF6A51E4000-memory.dmp	xmrig
behavioral2/memory/1532-124-0x00007FF60B540000-0x00007FF60B894000-memory.dmp	xmrig
behavioral2/memory/5076-125-0x00007FF725E80000-0x00007FF7261D4000-memory.dmp	xmrig
behavioral2/memory/1156-126-0x00007FF7E2610000-0x00007FF7E2964000-memory.dmp	xmrig
behavioral2/memory/4652-127-0x00007FF600B20000-0x00007FF600E74000-memory.dmp	xmrig
behavioral2/memory/3836-123-0x00007FF7A9450000-0x00007FF7A97A4000-memory.dmp	xmrig
behavioral2/memory/4348-128-0x00007FF6D9370000-0x00007FF6D96C4000-memory.dmp	xmrig
behavioral2/memory/1624-129-0x00007FF7A70A0000-0x00007FF7A73F4000-memory.dmp	xmrig
behavioral2/memory/688-130-0x00007FF666440000-0x00007FF666794000-memory.dmp	xmrig
behavioral2/memory/4388-131-0x00007FF641380000-0x00007FF6416D4000-memory.dmp	xmrig
behavioral2/memory/5084-132-0x00007FF63CDD0000-0x00007FF63D124000-memory.dmp	xmrig
behavioral2/memory/768-133-0x00007FF6E60C0000-0x00007FF6E6414000-memory.dmp	xmrig
behavioral2/memory/1108-134-0x00007FF6B5B60000-0x00007FF6B5EB4000-memory.dmp	xmrig
behavioral2/memory/4864-135-0x00007FF7C1A80000-0x00007FF7C1DD4000-memory.dmp	xmrig
behavioral2/memory/1016-136-0x00007FF713500000-0x00007FF713854000-memory.dmp	xmrig
behavioral2/memory/3424-137-0x00007FF600D60000-0x00007FF6010B4000-memory.dmp	xmrig
behavioral2/memory/4492-139-0x00007FF63FA70000-0x00007FF63FDC4000-memory.dmp	xmrig
behavioral2/memory/2024-138-0x00007FF666E00000-0x00007FF667154000-memory.dmp	xmrig
behavioral2/memory/2020-140-0x00007FF631F20000-0x00007FF632274000-memory.dmp	xmrig
behavioral2/memory/744-143-0x00007FF7B72B0000-0x00007FF7B7604000-memory.dmp	xmrig
behavioral2/memory/4956-144-0x00007FF6A4E90000-0x00007FF6A51E4000-memory.dmp	xmrig
behavioral2/memory/4384-142-0x00007FF6F4E80000-0x00007FF6F51D4000-memory.dmp	xmrig
behavioral2/memory/2244-141-0x00007FF7A13D0000-0x00007FF7A1724000-memory.dmp	xmrig
behavioral2/memory/4652-145-0x00007FF600B20000-0x00007FF600E74000-memory.dmp	xmrig
behavioral2/memory/3836-148-0x00007FF7A9450000-0x00007FF7A97A4000-memory.dmp	xmrig
behavioral2/memory/1532-147-0x00007FF60B540000-0x00007FF60B894000-memory.dmp	xmrig
behavioral2/memory/5076-146-0x00007FF725E80000-0x00007FF7261D4000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
1624	uKZvHuR.exe
688	bYfRfxf.exe
4388	yObrscy.exe
5084	hfeZSwZ.exe
768	WctOEwR.exe
1108	YGfbQAf.exe
4864	SHEcGEU.exe
1016	iSjYXSt.exe
3424	cLEdksm.exe
2024	GKrHfsl.exe
4492	vEoMqIp.exe
2020	uFgmuyb.exe
744	IPBTsvC.exe
4384	ONGJtlg.exe
2244	FGCgkpW.exe
4956	JNQrkkC.exe
3836	sTzUWlR.exe
1532	iQMPjCI.exe
5076	XdVRsVs.exe
1156	GhNyTZc.exe
4652	nMjMpjV.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4348-0-0x00007FF6D9370000-0x00007FF6D96C4000-memory.dmp	upx
behavioral2/files/0x00080000000233ce-4.dat	upx
behavioral2/files/0x00070000000233d3-9.dat	upx
behavioral2/files/0x00070000000233d2-12.dat	upx
behavioral2/files/0x00070000000233d4-23.dat	upx
behavioral2/files/0x00070000000233d5-30.dat	upx
behavioral2/files/0x00070000000233d6-35.dat	upx
behavioral2/files/0x00070000000233d7-40.dat	upx
behavioral2/files/0x00070000000233d9-51.dat	upx
behavioral2/files/0x00070000000233db-61.dat	upx
behavioral2/files/0x00070000000233dc-65.dat	upx
behavioral2/files/0x00070000000233dd-69.dat	upx
behavioral2/files/0x00070000000233de-76.dat	upx
behavioral2/files/0x00070000000233e1-88.dat	upx
behavioral2/files/0x00070000000233e3-104.dat	upx
behavioral2/files/0x00070000000233e5-110.dat	upx
behavioral2/files/0x00070000000233e4-108.dat	upx
behavioral2/files/0x00070000000233e2-98.dat	upx
behavioral2/files/0x00070000000233e0-89.dat	upx
behavioral2/files/0x00070000000233df-81.dat	upx
behavioral2/files/0x00070000000233da-56.dat	upx
behavioral2/files/0x00070000000233d8-49.dat	upx
behavioral2/memory/768-33-0x00007FF6E60C0000-0x00007FF6E6414000-memory.dmp	upx
behavioral2/memory/5084-26-0x00007FF63CDD0000-0x00007FF63D124000-memory.dmp	upx
behavioral2/memory/4388-25-0x00007FF641380000-0x00007FF6416D4000-memory.dmp	upx
behavioral2/memory/688-19-0x00007FF666440000-0x00007FF666794000-memory.dmp	upx
behavioral2/memory/1624-10-0x00007FF7A70A0000-0x00007FF7A73F4000-memory.dmp	upx
behavioral2/memory/1108-112-0x00007FF6B5B60000-0x00007FF6B5EB4000-memory.dmp	upx
behavioral2/memory/1016-114-0x00007FF713500000-0x00007FF713854000-memory.dmp	upx
behavioral2/memory/4864-113-0x00007FF7C1A80000-0x00007FF7C1DD4000-memory.dmp	upx
behavioral2/memory/3424-115-0x00007FF600D60000-0x00007FF6010B4000-memory.dmp	upx
behavioral2/memory/2024-116-0x00007FF666E00000-0x00007FF667154000-memory.dmp	upx
behavioral2/memory/2020-118-0x00007FF631F20000-0x00007FF632274000-memory.dmp	upx
behavioral2/memory/4492-117-0x00007FF63FA70000-0x00007FF63FDC4000-memory.dmp	upx
behavioral2/memory/744-119-0x00007FF7B72B0000-0x00007FF7B7604000-memory.dmp	upx
behavioral2/memory/4384-120-0x00007FF6F4E80000-0x00007FF6F51D4000-memory.dmp	upx
behavioral2/memory/2244-121-0x00007FF7A13D0000-0x00007FF7A1724000-memory.dmp	upx
behavioral2/memory/4956-122-0x00007FF6A4E90000-0x00007FF6A51E4000-memory.dmp	upx
behavioral2/memory/1532-124-0x00007FF60B540000-0x00007FF60B894000-memory.dmp	upx
behavioral2/memory/5076-125-0x00007FF725E80000-0x00007FF7261D4000-memory.dmp	upx
behavioral2/memory/1156-126-0x00007FF7E2610000-0x00007FF7E2964000-memory.dmp	upx
behavioral2/memory/4652-127-0x00007FF600B20000-0x00007FF600E74000-memory.dmp	upx
behavioral2/memory/3836-123-0x00007FF7A9450000-0x00007FF7A97A4000-memory.dmp	upx
behavioral2/memory/4348-128-0x00007FF6D9370000-0x00007FF6D96C4000-memory.dmp	upx
behavioral2/memory/1624-129-0x00007FF7A70A0000-0x00007FF7A73F4000-memory.dmp	upx
behavioral2/memory/688-130-0x00007FF666440000-0x00007FF666794000-memory.dmp	upx
behavioral2/memory/4388-131-0x00007FF641380000-0x00007FF6416D4000-memory.dmp	upx
behavioral2/memory/5084-132-0x00007FF63CDD0000-0x00007FF63D124000-memory.dmp	upx
behavioral2/memory/768-133-0x00007FF6E60C0000-0x00007FF6E6414000-memory.dmp	upx
behavioral2/memory/1108-134-0x00007FF6B5B60000-0x00007FF6B5EB4000-memory.dmp	upx
behavioral2/memory/4864-135-0x00007FF7C1A80000-0x00007FF7C1DD4000-memory.dmp	upx
behavioral2/memory/1016-136-0x00007FF713500000-0x00007FF713854000-memory.dmp	upx
behavioral2/memory/3424-137-0x00007FF600D60000-0x00007FF6010B4000-memory.dmp	upx
behavioral2/memory/4492-139-0x00007FF63FA70000-0x00007FF63FDC4000-memory.dmp	upx
behavioral2/memory/2024-138-0x00007FF666E00000-0x00007FF667154000-memory.dmp	upx
behavioral2/memory/2020-140-0x00007FF631F20000-0x00007FF632274000-memory.dmp	upx
behavioral2/memory/744-143-0x00007FF7B72B0000-0x00007FF7B7604000-memory.dmp	upx
behavioral2/memory/4956-144-0x00007FF6A4E90000-0x00007FF6A51E4000-memory.dmp	upx
behavioral2/memory/4384-142-0x00007FF6F4E80000-0x00007FF6F51D4000-memory.dmp	upx
behavioral2/memory/2244-141-0x00007FF7A13D0000-0x00007FF7A1724000-memory.dmp	upx
behavioral2/memory/4652-145-0x00007FF600B20000-0x00007FF600E74000-memory.dmp	upx
behavioral2/memory/3836-148-0x00007FF7A9450000-0x00007FF7A97A4000-memory.dmp	upx
behavioral2/memory/1532-147-0x00007FF60B540000-0x00007FF60B894000-memory.dmp	upx
behavioral2/memory/5076-146-0x00007FF725E80000-0x00007FF7261D4000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\FGCgkpW.exe	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\nMjMpjV.exe	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\YGfbQAf.exe	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\iSjYXSt.exe	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\GKrHfsl.exe	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ONGJtlg.exe	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\hfeZSwZ.exe	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\uFgmuyb.exe	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\IPBTsvC.exe	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\WctOEwR.exe	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\cLEdksm.exe	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\JNQrkkC.exe	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\vEoMqIp.exe	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\sTzUWlR.exe	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\iQMPjCI.exe	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\XdVRsVs.exe	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\uKZvHuR.exe	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\bYfRfxf.exe	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\yObrscy.exe	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\SHEcGEU.exe	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\GhNyTZc.exe	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4348	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	4348	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4348 wrote to memory of 1624	4348	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe	84
PID 4348 wrote to memory of 1624	4348	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe	84
PID 4348 wrote to memory of 688	4348	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe	85
PID 4348 wrote to memory of 688	4348	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe	85
PID 4348 wrote to memory of 4388	4348	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe	86
PID 4348 wrote to memory of 4388	4348	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe	86
PID 4348 wrote to memory of 5084	4348	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe	87
PID 4348 wrote to memory of 5084	4348	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe	87
PID 4348 wrote to memory of 768	4348	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe	88
PID 4348 wrote to memory of 768	4348	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe	88
PID 4348 wrote to memory of 1108	4348	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe	89
PID 4348 wrote to memory of 1108	4348	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe	89
PID 4348 wrote to memory of 4864	4348	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe	90
PID 4348 wrote to memory of 4864	4348	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe	90
PID 4348 wrote to memory of 1016	4348	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe	91
PID 4348 wrote to memory of 1016	4348	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe	91
PID 4348 wrote to memory of 3424	4348	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe	92
PID 4348 wrote to memory of 3424	4348	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe	92
PID 4348 wrote to memory of 2024	4348	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe	93
PID 4348 wrote to memory of 2024	4348	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe	93
PID 4348 wrote to memory of 4492	4348	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe	94
PID 4348 wrote to memory of 4492	4348	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe	94
PID 4348 wrote to memory of 2020	4348	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe	95
PID 4348 wrote to memory of 2020	4348	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe	95
PID 4348 wrote to memory of 744	4348	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe	96
PID 4348 wrote to memory of 744	4348	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe	96
PID 4348 wrote to memory of 4384	4348	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe	97
PID 4348 wrote to memory of 4384	4348	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe	97
PID 4348 wrote to memory of 2244	4348	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe	98
PID 4348 wrote to memory of 2244	4348	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe	98
PID 4348 wrote to memory of 4956	4348	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe	99
PID 4348 wrote to memory of 4956	4348	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe	99
PID 4348 wrote to memory of 3836	4348	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe	100
PID 4348 wrote to memory of 3836	4348	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe	100
PID 4348 wrote to memory of 1532	4348	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe	101
PID 4348 wrote to memory of 1532	4348	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe	101
PID 4348 wrote to memory of 5076	4348	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe	102
PID 4348 wrote to memory of 5076	4348	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe	102
PID 4348 wrote to memory of 1156	4348	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe	103
PID 4348 wrote to memory of 1156	4348	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe	103
PID 4348 wrote to memory of 4652	4348	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe	104
PID 4348 wrote to memory of 4652	4348	2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe	104

C:\Users\Admin\AppData\Local\Temp\2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_375fe54900829ab58bd8d72e92bcd186_cobalt-strike_cobaltstrike.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4348
- C:\Windows\System\uKZvHuR.exe
  C:\Windows\System\uKZvHuR.exe
  2⤵
  - Executes dropped EXE
  PID:1624
- C:\Windows\System\bYfRfxf.exe
  C:\Windows\System\bYfRfxf.exe
  2⤵
  - Executes dropped EXE
  PID:688
- C:\Windows\System\yObrscy.exe
  C:\Windows\System\yObrscy.exe
  2⤵
  - Executes dropped EXE
  PID:4388
- C:\Windows\System\hfeZSwZ.exe
  C:\Windows\System\hfeZSwZ.exe
  2⤵
  - Executes dropped EXE
  PID:5084
- C:\Windows\System\WctOEwR.exe
  C:\Windows\System\WctOEwR.exe
  2⤵
  - Executes dropped EXE
  PID:768
- C:\Windows\System\YGfbQAf.exe
  C:\Windows\System\YGfbQAf.exe
  2⤵
  - Executes dropped EXE
  PID:1108
- C:\Windows\System\SHEcGEU.exe
  C:\Windows\System\SHEcGEU.exe
  2⤵
  - Executes dropped EXE
  PID:4864
- C:\Windows\System\iSjYXSt.exe
  C:\Windows\System\iSjYXSt.exe
  2⤵
  - Executes dropped EXE
  PID:1016
- C:\Windows\System\cLEdksm.exe
  C:\Windows\System\cLEdksm.exe
  2⤵
  - Executes dropped EXE
  PID:3424
- C:\Windows\System\GKrHfsl.exe
  C:\Windows\System\GKrHfsl.exe
  2⤵
  - Executes dropped EXE
  PID:2024
- C:\Windows\System\vEoMqIp.exe
  C:\Windows\System\vEoMqIp.exe
  2⤵
  - Executes dropped EXE
  PID:4492
- C:\Windows\System\uFgmuyb.exe
  C:\Windows\System\uFgmuyb.exe
  2⤵
  - Executes dropped EXE
  PID:2020
- C:\Windows\System\IPBTsvC.exe
  C:\Windows\System\IPBTsvC.exe
  2⤵
  - Executes dropped EXE
  PID:744
- C:\Windows\System\ONGJtlg.exe
  C:\Windows\System\ONGJtlg.exe
  2⤵
  - Executes dropped EXE
  PID:4384
- C:\Windows\System\FGCgkpW.exe
  C:\Windows\System\FGCgkpW.exe
  2⤵
  - Executes dropped EXE
  PID:2244
- C:\Windows\System\JNQrkkC.exe
  C:\Windows\System\JNQrkkC.exe
  2⤵
  - Executes dropped EXE
  PID:4956
- C:\Windows\System\sTzUWlR.exe
  C:\Windows\System\sTzUWlR.exe
  2⤵
  - Executes dropped EXE
  PID:3836
- C:\Windows\System\iQMPjCI.exe
  C:\Windows\System\iQMPjCI.exe
  2⤵
  - Executes dropped EXE
  PID:1532
- C:\Windows\System\XdVRsVs.exe
  C:\Windows\System\XdVRsVs.exe
  2⤵
  - Executes dropped EXE
  PID:5076
- C:\Windows\System\GhNyTZc.exe
  C:\Windows\System\GhNyTZc.exe
  2⤵
  - Executes dropped EXE
  PID:1156
- C:\Windows\System\nMjMpjV.exe
  C:\Windows\System\nMjMpjV.exe
  2⤵
  - Executes dropped EXE
  PID:4652

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\FGCgkpW.exe

Filesize
5.9MB

MD5
34f84c23abefda00ee796a535bec5d21

SHA1
4a23d2b042db26392e6e78c2a02697404639e3ca

SHA256
92aacffad523b7c81956de2e26ea88454efe92ffafb510cac2e19d57c77f75ce

SHA512
40167337d3badff7ddcd09ee8059b79e2e9a0afc9ecfd61dd2070e4801c03e480a7ce17e03a208dd8aa46253281bc02847b12001da8db69e4d2486e0b96ca11b

Download Submit
C:\Windows\System\GKrHfsl.exe

Filesize
5.9MB

MD5
320d0b4d8877e3bea3e1d0e45bd4bb69

SHA1
4505a5d1de6ccbc8d0a286a8d53f8efd48cd9393

SHA256
e9d549846af7e3151801479ae0c37c81f13c64c7ffcc2386c4e29205a8e57f95

SHA512
8c36011f328e06e07ca80b8ef04b38a673ce27facdf86d94f57c9d2b4a429917bc37a145bff1a7e2cb53aabe632393f2c7e046381636122ce740ad562a980a8d

Download Submit
C:\Windows\System\GhNyTZc.exe

Filesize
5.9MB

MD5
aa5bee9658835d7db0d8115de8d103c0

SHA1
79d97ca0d2ddfa561d554e306ee9f83571519e30

SHA256
87a6d5c8f27838078b759123685d0859c6c1d3f1d36a6643ec791df2c14e3ed5

SHA512
53538ef8c9ec2ef8caee1d94068ac53bd71fa40f5670af8fd5881fa4d66ac2576356c192ae8f586e4319c5107f59c013f2b6a6631220a4edd892b8b5d3c1061a

Download Submit
C:\Windows\System\IPBTsvC.exe

Filesize
5.9MB

MD5
5effb4a49371f23eee88e70da4234a81

SHA1
17a26e1f9c6d267681f2cccb2506c780353959ff

SHA256
86f51e6d68ef23dff74f246acaf69ced1ad4d150142967febc005539b9a3305c

SHA512
c93d2bba5d849c7acb2299bb40bd3e7f84029d8518c3cd9768efac2744247fdc20bd9ed5b184e2ca59c136e9a9db9d63a6bc3797cfe5aa53a4ac83887b36883e

Download Submit
C:\Windows\System\JNQrkkC.exe

Filesize
5.9MB

MD5
3f3d196a232c194df4c18b850ee39893

SHA1
86a84d89d6ff3bad3f3437b487f853e386229f1a

SHA256
ed62d92d9da77280fdefa709073f4345b6140289a70e998ccc18cb80aa481f51

SHA512
8a849ff2ba47f85ec32195841079803044e70c87bab569ee169c2cf29bb6995fc0614dad460b354d39b8c99232aa65ad38f9842090f2a4b2032108bac9abd5a0

Download Submit
C:\Windows\System\ONGJtlg.exe

Filesize
5.9MB

MD5
d1d1b57d7118702d4b0bdc90d934b525

SHA1
223ae7d2bf84bc0959dfe89eb7153b757c9ec3ae

SHA256
0005cbed3e2a4aea7eb380e43f7eceac747e6cf1b9176884fc0c482b6d8d290a

SHA512
937f0e022c895ff9c40db94e93b9ebcd03a5adc15080b1171d3ea0ea5b83a12f1e8fd6368245c8ca39006545b9cf9cae74acb3487920c2166e24e4ae7542a972

Download Submit
C:\Windows\System\SHEcGEU.exe

Filesize
5.9MB

MD5
6f03e858cdd6cded2085152ddc7bdd1f

SHA1
5c89148845221abe6775d1671b550dfb6f8b492a

SHA256
161cdd8727fd4cfb879ee44d006528c5e78029451c1ec21397612f02ce94b96a

SHA512
ac30a8a60580d79f3eb75b345d14e37c1b9ca3bc455bb9884a77a50b8805c12d46c0c98192d8d3c8f70ec8f1eefa23aa269c709987d7c013b1531ca69f9a1cb1

Download Submit
C:\Windows\System\WctOEwR.exe

Filesize
5.9MB

MD5
bd40489219f701f978fdfda3c667d802

SHA1
7e56a5fa79b9a50d22514ed23de302295de9d8d2

SHA256
5255c20aad4681c7fa537df73dc022855fb60b7ba16c24f12a2489e96a4de366

SHA512
eff9db994b48612703389fbc3d8a9de12183842ce2e9d9fdfc6dea0463197bf5628aca94ce2d24e92055e349dc79373da281093e029303ff5845da1e8b5d2244

Download Submit
C:\Windows\System\XdVRsVs.exe

Filesize
5.9MB

MD5
b89ea1ef2fc1b9d26307996d3e1686bc

SHA1
032539d47225ec90a785acf7a2b505e3952681ff

SHA256
e4379fdfd7076e9007aa2d3029885e8116ac58da0875b74547deb0f16d56394e

SHA512
c6cc0d210ab849abd62b35bb56cb3aeea24ca6d6e8716b20d6408b8be6d0d1d027a6ae411f1cb7baa21186ff8b12a304c36ef5c270874a2a081810f79560d088

Download Submit
C:\Windows\System\YGfbQAf.exe

Filesize
5.9MB

MD5
bde60cc35cf5b14cf7912100918c911c

SHA1
b9ab1a81fbcdfccca66f4b0446180ccae63e6cbf

SHA256
d49b206f9ef943847d60ed6270b5146b3fa183acec3ca41cfa5db3f69e5f8c52

SHA512
54d5def7609e5b0cd186b45636d27c472e7d14c534afce47a4617c8b8e2fad3622c676a96a76aaf8ce71050d73dbf3bbc191cd1288e1c3ad50971480389e36cd

Download Submit
C:\Windows\System\bYfRfxf.exe

Filesize
5.9MB

MD5
b7a673d7ce17f9feefccd1f7650d7eab

SHA1
8f71fd11e16e22a4551283ce99338f1e7fcc1ba8

SHA256
d8805d4a15fcccd571fa23a9400413e3e5f712b5d9c7b6f44d59bace1cb2661e

SHA512
cc6b4704d1bbd8328566a33ff323768179feca2fbfb5ae711d9f8779ad5dcc9cb3d4c3e750b215495fb0fbf42c1300909c539f3fc71aec23ab7b7df6d8ec1fa6

Download Submit
C:\Windows\System\cLEdksm.exe

Filesize
5.9MB

MD5
0601a3d754150983e1aa4a8812996c5b

SHA1
118bc75a211b845d1a5056ad3842571210a437e4

SHA256
1ad782cceae08c65ac13bde0c4ac25a7f95b8d060481a3dbd5a9e89d1e43ef51

SHA512
e47a9fe5a7defc03aff64b6180ed888cb52a6f0af8c89e28798e659386fc509bf87f29c032f7574e1ee6c07994c3ef38fe4cc495bbf1606b1b7262e7c83d9217

Download Submit
C:\Windows\System\hfeZSwZ.exe

Filesize
5.9MB

MD5
c44e99853429f8aaa335dc2d5d1503ce

SHA1
800f750bfa456704541a55f2cc5eb687dff0626c

SHA256
a9d8d84dafde1917335c55723137407b9b77e4820aa9c0d6b865617cba94d1ea

SHA512
4ab1ccfa660ddd4ebc93a21739a7c6d5b86b427c43c4507b4b8de52e81f5976920921587b02ed857c5c491668e829b6c21782e693c5a5bfc881db05c29ac220a

Download Submit
C:\Windows\System\iQMPjCI.exe

Filesize
5.9MB

MD5
b071cfe9300fbb425373d49e3cde91dc

SHA1
22f5d423463a4ccb9daa06d5d4973e4e21cab40c

SHA256
559332b0a19a2dd8398e59a76faa7204cbf301a294f2d9501e7744b8238bab3e

SHA512
2ac409fd1dd1c1b0b2ecdcef8c542f15ee24f95d0880862060224f5a24278476838998755059af6e9ee631336d1f624a5263603438e71c5c356c3c3392dced09

Download Submit
C:\Windows\System\iSjYXSt.exe

Filesize
5.9MB

MD5
180e856586a517e3b9c26d4ca60d69bb

SHA1
d9163b61c17941e0cda056d2622d7380bda48dd1

SHA256
f01c04ff2124d2e539b02314fc534b0bf5d7e4a75975dfa5f986e0866ca7ef13

SHA512
73721326fd3728549c56a1907950289827ddb8c69a027aa6829b634d399264e52d6491d78b69480d9b2820e92f73de1729becbe924ea2a56dbc478ef928fd8a0

Download Submit
C:\Windows\System\nMjMpjV.exe

Filesize
5.9MB

MD5
f28f7aaf5a1008aab2d26aa2dec28a7e

SHA1
91e79987c6635ca1a561ec4292d3941db7cd63e3

SHA256
ca77d0ef1c2323b5636aa0599955399a365767ad22d69a1ea84f1e52f0142d90

SHA512
9406f99165e0e05d4b4d71c916efcfd058b5af9a6e0a9925cae530231b651cd299a3102336f4b385f2f457057dc4917fc24d8f3380888c2030be30efc63d2526

Download Submit
C:\Windows\System\sTzUWlR.exe

Filesize
5.9MB

MD5
dc287d2b224f43babd0ed25f75d555fe

SHA1
29ec4bee30537a2b7d115fe8b0f5864442c834b7

SHA256
bbae0a0866b3dff31e440e6f41385a54ac034660ef38059b6df1cf5d37d11a2f

SHA512
558a0ff3e7fe8df9181306a80deb0cd456c37c0ce93607caf4f21fffe798611d4e0ab2b2499246fd6a17b2bb4573f25fec044856d8782470745ad7ce316afef2

Download Submit
C:\Windows\System\uFgmuyb.exe

Filesize
5.9MB

MD5
a552c236162b4288c7e63fc7c3bdb6b6

SHA1
fbc968f275bd10a61c0dc0c93eeeec37eda39d49

SHA256
c7aa044a9591bc6434a17f8740c743416c1200c68961c870e0aa9dfbe69d2073

SHA512
07af653aaf9eca032f1deeb5e264e6abf1a0b18c7066b3211d7cd90d24b45276fd8e9cd6722c6c23e53e951378a7e20f228bf5af86992451207bfea01093b01a

Download Submit
C:\Windows\System\uKZvHuR.exe

Filesize
5.9MB

MD5
fd88a2bbe83a3d1e2046ac9adf80852a

SHA1
db9b2683313d9ef15fac9213942f3cdf0f1e2d33

SHA256
74ad716ef3ba645aae26794d1350d6e223beeb8d09362f1393f3a4d4a8756b5a

SHA512
76c778d233d371350abe070b7f6f37fff7484d3f6a1dbfced19df35d468dcdb8d13ed96f656d798f064dab7e9826d5a92ec4b550d89862afff009161893963f8

Download Submit
C:\Windows\System\vEoMqIp.exe

Filesize
5.9MB

MD5
f39c5430872ed76df6a333043e350118

SHA1
a77bf658911d56293b471af99126bd48ceea43bb

SHA256
2812b6bbe823d5a5a78ab888e2cd87b6700f3425988cf1bb0e12e667aef8b5bd

SHA512
5dfad663844a6b1585361b4fd9a56331cc9b6a790aeaca4972ea57f6e4bea981da047bf0d80d98cf327d0ab229261ada34a3969677264412f30c6615c9952444

Download Submit
C:\Windows\System\yObrscy.exe

Filesize
5.9MB

MD5
488b3383dc7f6be1bf71ad631d3befa5

SHA1
8e54380533cfc5a15f4c329670146b3b3bbe0f6c

SHA256
5f43b78e0c4e3f8fabab239cd0efff5c378ba64598a7721acf3d3d794cf74614

SHA512
451a72a905d2779728976b3fe5528f23b12b41a9f43f1b71afbed89d7b3e1d47977c85457aea2df89df74d7c5a7958b5eb9da4ebf364f97ca36aa26b2d904920

Download Submit
memory/688-19-0x00007FF666440000-0x00007FF666794000-memory.dmp

Filesize
3.3MB

Download
memory/688-130-0x00007FF666440000-0x00007FF666794000-memory.dmp

Filesize
3.3MB

Download
memory/744-143-0x00007FF7B72B0000-0x00007FF7B7604000-memory.dmp

Filesize
3.3MB

Download
memory/744-119-0x00007FF7B72B0000-0x00007FF7B7604000-memory.dmp

Filesize
3.3MB

Download
memory/768-133-0x00007FF6E60C0000-0x00007FF6E6414000-memory.dmp

Filesize
3.3MB

Download
memory/768-33-0x00007FF6E60C0000-0x00007FF6E6414000-memory.dmp

Filesize
3.3MB

Download
memory/1016-114-0x00007FF713500000-0x00007FF713854000-memory.dmp

Filesize
3.3MB

Download
memory/1016-136-0x00007FF713500000-0x00007FF713854000-memory.dmp

Filesize
3.3MB

Download
memory/1108-112-0x00007FF6B5B60000-0x00007FF6B5EB4000-memory.dmp

Filesize
3.3MB

Download
memory/1108-134-0x00007FF6B5B60000-0x00007FF6B5EB4000-memory.dmp

Filesize
3.3MB

Download
memory/1156-126-0x00007FF7E2610000-0x00007FF7E2964000-memory.dmp

Filesize
3.3MB

Download
memory/1156-149-0x00007FF7E2610000-0x00007FF7E2964000-memory.dmp

Filesize
3.3MB

Download
memory/1532-124-0x00007FF60B540000-0x00007FF60B894000-memory.dmp

Filesize
3.3MB

Download
memory/1532-147-0x00007FF60B540000-0x00007FF60B894000-memory.dmp

Filesize
3.3MB

Download
memory/1624-10-0x00007FF7A70A0000-0x00007FF7A73F4000-memory.dmp

Filesize
3.3MB

Download
memory/1624-129-0x00007FF7A70A0000-0x00007FF7A73F4000-memory.dmp

Filesize
3.3MB

Download
memory/2020-118-0x00007FF631F20000-0x00007FF632274000-memory.dmp

Filesize
3.3MB

Download
memory/2020-140-0x00007FF631F20000-0x00007FF632274000-memory.dmp

Filesize
3.3MB

Download
memory/2024-116-0x00007FF666E00000-0x00007FF667154000-memory.dmp

Filesize
3.3MB

Download
memory/2024-138-0x00007FF666E00000-0x00007FF667154000-memory.dmp

Filesize
3.3MB

Download
memory/2244-121-0x00007FF7A13D0000-0x00007FF7A1724000-memory.dmp

Filesize
3.3MB

Download
memory/2244-141-0x00007FF7A13D0000-0x00007FF7A1724000-memory.dmp

Filesize
3.3MB

Download
memory/3424-137-0x00007FF600D60000-0x00007FF6010B4000-memory.dmp

Filesize
3.3MB

Download
memory/3424-115-0x00007FF600D60000-0x00007FF6010B4000-memory.dmp

Filesize
3.3MB

Download
memory/3836-148-0x00007FF7A9450000-0x00007FF7A97A4000-memory.dmp

Filesize
3.3MB

Download
memory/3836-123-0x00007FF7A9450000-0x00007FF7A97A4000-memory.dmp

Filesize
3.3MB

Download
memory/4348-0-0x00007FF6D9370000-0x00007FF6D96C4000-memory.dmp

Filesize
3.3MB

Download
memory/4348-1-0x000001F326080000-0x000001F326090000-memory.dmp

Filesize
64KB

Download
memory/4348-128-0x00007FF6D9370000-0x00007FF6D96C4000-memory.dmp

Filesize
3.3MB

Download
memory/4384-120-0x00007FF6F4E80000-0x00007FF6F51D4000-memory.dmp

Filesize
3.3MB

Download
memory/4384-142-0x00007FF6F4E80000-0x00007FF6F51D4000-memory.dmp

Filesize
3.3MB

Download
memory/4388-131-0x00007FF641380000-0x00007FF6416D4000-memory.dmp

Filesize
3.3MB

Download
memory/4388-25-0x00007FF641380000-0x00007FF6416D4000-memory.dmp

Filesize
3.3MB

Download
memory/4492-139-0x00007FF63FA70000-0x00007FF63FDC4000-memory.dmp

Filesize
3.3MB

Download
memory/4492-117-0x00007FF63FA70000-0x00007FF63FDC4000-memory.dmp

Filesize
3.3MB

Download
memory/4652-145-0x00007FF600B20000-0x00007FF600E74000-memory.dmp

Filesize
3.3MB

Download
memory/4652-127-0x00007FF600B20000-0x00007FF600E74000-memory.dmp

Filesize
3.3MB

Download
memory/4864-135-0x00007FF7C1A80000-0x00007FF7C1DD4000-memory.dmp

Filesize
3.3MB

Download
memory/4864-113-0x00007FF7C1A80000-0x00007FF7C1DD4000-memory.dmp

Filesize
3.3MB

Download
memory/4956-144-0x00007FF6A4E90000-0x00007FF6A51E4000-memory.dmp

Filesize
3.3MB

Download
memory/4956-122-0x00007FF6A4E90000-0x00007FF6A51E4000-memory.dmp

Filesize
3.3MB

Download
memory/5076-125-0x00007FF725E80000-0x00007FF7261D4000-memory.dmp

Filesize
3.3MB

Download
memory/5076-146-0x00007FF725E80000-0x00007FF7261D4000-memory.dmp

Filesize
3.3MB

Download
memory/5084-132-0x00007FF63CDD0000-0x00007FF63D124000-memory.dmp

Filesize
3.3MB

Download
memory/5084-26-0x00007FF63CDD0000-0x00007FF63D124000-memory.dmp

Filesize
3.3MB

Download