cobaltstrike | 6931c38c3fd5ea1cfd632c0c300d81e346294bc9d6fd131358ad5ad5750da7c4

Analysis

max time kernel
138s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
01/06/2024, 17:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe
Size

5.9MB
MD5

9939fa0286d6eec50d899d5064baf15d
SHA1

52486e6fd95040485b7329cf23d2991de318f6df
SHA256

6931c38c3fd5ea1cfd632c0c300d81e346294bc9d6fd131358ad5ad5750da7c4
SHA512

53a62703c37eded63ecfdc4e290a03a74bb48eeea3c8031e0d5303a1ca9e8fc1e50338a1afafab5513c078ee496ef62f9a089728bed77862d5f9955a3eb91572
SSDEEP

98304:oemTLkNdfE0pZrt56utgpPFotBER/mQ32lUH:T+856utgpPF8u/7H

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000800000002342a-5.dat	cobalt_reflective_dll
behavioral2/files/0x000800000002342d-11.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023432-10.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023433-21.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023434-28.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023435-39.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023437-48.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023438-52.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023439-61.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023436-44.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002343a-65.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002343b-74.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002343c-82.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002343e-92.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002343f-107.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002343d-100.dat	cobalt_reflective_dll
behavioral2/files/0x000800000002342e-75.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023440-112.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000021f67-118.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023371-123.dat	cobalt_reflective_dll
behavioral2/files/0x001000000002337c-128.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

resource	yara_rule
behavioral2/files/0x000800000002342a-5.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000800000002342d-11.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023432-10.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023433-21.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023434-28.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023435-39.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023437-48.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023438-52.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023439-61.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023436-44.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002343a-65.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002343b-74.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002343c-82.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002343e-92.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002343f-107.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002343d-100.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000800000002342e-75.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023440-112.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000a000000021f67-118.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000a000000023371-123.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x001000000002337c-128.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

resource	yara_rule
behavioral2/memory/4336-0-0x00007FF64FB60000-0x00007FF64FEB4000-memory.dmp	UPX
behavioral2/files/0x000800000002342a-5.dat	UPX
behavioral2/memory/1008-6-0x00007FF657700000-0x00007FF657A54000-memory.dmp	UPX
behavioral2/files/0x000800000002342d-11.dat	UPX
behavioral2/files/0x0007000000023432-10.dat	UPX
behavioral2/files/0x0007000000023433-21.dat	UPX
behavioral2/files/0x0007000000023434-28.dat	UPX
behavioral2/files/0x0007000000023435-39.dat	UPX
behavioral2/memory/4612-37-0x00007FF6A7450000-0x00007FF6A77A4000-memory.dmp	UPX
behavioral2/files/0x0007000000023437-48.dat	UPX
behavioral2/files/0x0007000000023438-52.dat	UPX
behavioral2/files/0x0007000000023439-61.dat	UPX
behavioral2/memory/1432-60-0x00007FF6A4EE0000-0x00007FF6A5234000-memory.dmp	UPX
behavioral2/memory/2596-59-0x00007FF632CE0000-0x00007FF633034000-memory.dmp	UPX
behavioral2/memory/3644-55-0x00007FF7D71B0000-0x00007FF7D7504000-memory.dmp	UPX
behavioral2/files/0x0007000000023436-44.dat	UPX
behavioral2/memory/3188-43-0x00007FF700730000-0x00007FF700A84000-memory.dmp	UPX
behavioral2/memory/4212-41-0x00007FF798360000-0x00007FF7986B4000-memory.dmp	UPX
behavioral2/files/0x000700000002343a-65.dat	UPX
behavioral2/memory/4336-70-0x00007FF64FB60000-0x00007FF64FEB4000-memory.dmp	UPX
behavioral2/files/0x000700000002343b-74.dat	UPX
behavioral2/files/0x000700000002343c-82.dat	UPX
behavioral2/memory/2932-83-0x00007FF7D4080000-0x00007FF7D43D4000-memory.dmp	UPX
behavioral2/files/0x000700000002343e-92.dat	UPX
behavioral2/memory/4848-87-0x00007FF7B08D0000-0x00007FF7B0C24000-memory.dmp	UPX
behavioral2/memory/2656-91-0x00007FF622AD0000-0x00007FF622E24000-memory.dmp	UPX
behavioral2/memory/228-105-0x00007FF65F860000-0x00007FF65FBB4000-memory.dmp	UPX
behavioral2/files/0x000700000002343f-107.dat	UPX
behavioral2/memory/4792-106-0x00007FF67F110000-0x00007FF67F464000-memory.dmp	UPX
behavioral2/memory/1660-104-0x00007FF7A9E00000-0x00007FF7AA154000-memory.dmp	UPX
behavioral2/files/0x000700000002343d-100.dat	UPX
behavioral2/memory/3884-98-0x00007FF67E610000-0x00007FF67E964000-memory.dmp	UPX
behavioral2/memory/1172-97-0x00007FF766BC0000-0x00007FF766F14000-memory.dmp	UPX
behavioral2/memory/1008-84-0x00007FF657700000-0x00007FF657A54000-memory.dmp	UPX
behavioral2/memory/2824-80-0x00007FF6C5C20000-0x00007FF6C5F74000-memory.dmp	UPX
behavioral2/files/0x000800000002342e-75.dat	UPX
behavioral2/memory/228-24-0x00007FF65F860000-0x00007FF65FBB4000-memory.dmp	UPX
behavioral2/memory/3884-20-0x00007FF67E610000-0x00007FF67E964000-memory.dmp	UPX
behavioral2/memory/4552-17-0x00007FF7CEDB0000-0x00007FF7CF104000-memory.dmp	UPX
behavioral2/files/0x0007000000023440-112.dat	UPX
behavioral2/memory/4212-114-0x00007FF798360000-0x00007FF7986B4000-memory.dmp	UPX
behavioral2/files/0x000a000000021f67-118.dat	UPX
behavioral2/files/0x000a000000023371-123.dat	UPX
behavioral2/memory/4732-122-0x00007FF7D7120000-0x00007FF7D7474000-memory.dmp	UPX
behavioral2/files/0x001000000002337c-128.dat	UPX
behavioral2/memory/364-130-0x00007FF7366D0000-0x00007FF736A24000-memory.dmp	UPX
behavioral2/memory/3188-131-0x00007FF700730000-0x00007FF700A84000-memory.dmp	UPX
behavioral2/memory/1208-132-0x00007FF72A070000-0x00007FF72A3C4000-memory.dmp	UPX
behavioral2/memory/2596-133-0x00007FF632CE0000-0x00007FF633034000-memory.dmp	UPX
behavioral2/memory/2364-134-0x00007FF7466F0000-0x00007FF746A44000-memory.dmp	UPX
behavioral2/memory/1432-135-0x00007FF6A4EE0000-0x00007FF6A5234000-memory.dmp	UPX
behavioral2/memory/2656-136-0x00007FF622AD0000-0x00007FF622E24000-memory.dmp	UPX
behavioral2/memory/1172-137-0x00007FF766BC0000-0x00007FF766F14000-memory.dmp	UPX
behavioral2/memory/4792-138-0x00007FF67F110000-0x00007FF67F464000-memory.dmp	UPX
behavioral2/memory/1008-139-0x00007FF657700000-0x00007FF657A54000-memory.dmp	UPX
behavioral2/memory/4552-140-0x00007FF7CEDB0000-0x00007FF7CF104000-memory.dmp	UPX
behavioral2/memory/3884-141-0x00007FF67E610000-0x00007FF67E964000-memory.dmp	UPX
behavioral2/memory/228-142-0x00007FF65F860000-0x00007FF65FBB4000-memory.dmp	UPX
behavioral2/memory/4612-143-0x00007FF6A7450000-0x00007FF6A77A4000-memory.dmp	UPX
behavioral2/memory/4212-144-0x00007FF798360000-0x00007FF7986B4000-memory.dmp	UPX
behavioral2/memory/3188-145-0x00007FF700730000-0x00007FF700A84000-memory.dmp	UPX
behavioral2/memory/3644-146-0x00007FF7D71B0000-0x00007FF7D7504000-memory.dmp	UPX
behavioral2/memory/2596-147-0x00007FF632CE0000-0x00007FF633034000-memory.dmp	UPX
behavioral2/memory/1432-148-0x00007FF6A4EE0000-0x00007FF6A5234000-memory.dmp	UPX

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/4336-0-0x00007FF64FB60000-0x00007FF64FEB4000-memory.dmp	xmrig
behavioral2/files/0x000800000002342a-5.dat	xmrig
behavioral2/memory/1008-6-0x00007FF657700000-0x00007FF657A54000-memory.dmp	xmrig
behavioral2/files/0x000800000002342d-11.dat	xmrig
behavioral2/files/0x0007000000023432-10.dat	xmrig
behavioral2/files/0x0007000000023433-21.dat	xmrig
behavioral2/files/0x0007000000023434-28.dat	xmrig
behavioral2/files/0x0007000000023435-39.dat	xmrig
behavioral2/memory/4612-37-0x00007FF6A7450000-0x00007FF6A77A4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023437-48.dat	xmrig
behavioral2/files/0x0007000000023438-52.dat	xmrig
behavioral2/files/0x0007000000023439-61.dat	xmrig
behavioral2/memory/1432-60-0x00007FF6A4EE0000-0x00007FF6A5234000-memory.dmp	xmrig
behavioral2/memory/2596-59-0x00007FF632CE0000-0x00007FF633034000-memory.dmp	xmrig
behavioral2/memory/3644-55-0x00007FF7D71B0000-0x00007FF7D7504000-memory.dmp	xmrig
behavioral2/files/0x0007000000023436-44.dat	xmrig
behavioral2/memory/3188-43-0x00007FF700730000-0x00007FF700A84000-memory.dmp	xmrig
behavioral2/memory/4212-41-0x00007FF798360000-0x00007FF7986B4000-memory.dmp	xmrig
behavioral2/files/0x000700000002343a-65.dat	xmrig
behavioral2/memory/4336-70-0x00007FF64FB60000-0x00007FF64FEB4000-memory.dmp	xmrig
behavioral2/files/0x000700000002343b-74.dat	xmrig
behavioral2/files/0x000700000002343c-82.dat	xmrig
behavioral2/memory/2932-83-0x00007FF7D4080000-0x00007FF7D43D4000-memory.dmp	xmrig
behavioral2/files/0x000700000002343e-92.dat	xmrig
behavioral2/memory/4848-87-0x00007FF7B08D0000-0x00007FF7B0C24000-memory.dmp	xmrig
behavioral2/memory/2656-91-0x00007FF622AD0000-0x00007FF622E24000-memory.dmp	xmrig
behavioral2/memory/228-105-0x00007FF65F860000-0x00007FF65FBB4000-memory.dmp	xmrig
behavioral2/files/0x000700000002343f-107.dat	xmrig
behavioral2/memory/4792-106-0x00007FF67F110000-0x00007FF67F464000-memory.dmp	xmrig
behavioral2/memory/1660-104-0x00007FF7A9E00000-0x00007FF7AA154000-memory.dmp	xmrig
behavioral2/files/0x000700000002343d-100.dat	xmrig
behavioral2/memory/3884-98-0x00007FF67E610000-0x00007FF67E964000-memory.dmp	xmrig
behavioral2/memory/1172-97-0x00007FF766BC0000-0x00007FF766F14000-memory.dmp	xmrig
behavioral2/memory/1008-84-0x00007FF657700000-0x00007FF657A54000-memory.dmp	xmrig
behavioral2/memory/2824-80-0x00007FF6C5C20000-0x00007FF6C5F74000-memory.dmp	xmrig
behavioral2/files/0x000800000002342e-75.dat	xmrig
behavioral2/memory/228-24-0x00007FF65F860000-0x00007FF65FBB4000-memory.dmp	xmrig
behavioral2/memory/3884-20-0x00007FF67E610000-0x00007FF67E964000-memory.dmp	xmrig
behavioral2/memory/4552-17-0x00007FF7CEDB0000-0x00007FF7CF104000-memory.dmp	xmrig
behavioral2/files/0x0007000000023440-112.dat	xmrig
behavioral2/memory/4212-114-0x00007FF798360000-0x00007FF7986B4000-memory.dmp	xmrig
behavioral2/files/0x000a000000021f67-118.dat	xmrig
behavioral2/files/0x000a000000023371-123.dat	xmrig
behavioral2/memory/4732-122-0x00007FF7D7120000-0x00007FF7D7474000-memory.dmp	xmrig
behavioral2/files/0x001000000002337c-128.dat	xmrig
behavioral2/memory/364-130-0x00007FF7366D0000-0x00007FF736A24000-memory.dmp	xmrig
behavioral2/memory/3188-131-0x00007FF700730000-0x00007FF700A84000-memory.dmp	xmrig
behavioral2/memory/1208-132-0x00007FF72A070000-0x00007FF72A3C4000-memory.dmp	xmrig
behavioral2/memory/2596-133-0x00007FF632CE0000-0x00007FF633034000-memory.dmp	xmrig
behavioral2/memory/2364-134-0x00007FF7466F0000-0x00007FF746A44000-memory.dmp	xmrig
behavioral2/memory/1432-135-0x00007FF6A4EE0000-0x00007FF6A5234000-memory.dmp	xmrig
behavioral2/memory/2656-136-0x00007FF622AD0000-0x00007FF622E24000-memory.dmp	xmrig
behavioral2/memory/1172-137-0x00007FF766BC0000-0x00007FF766F14000-memory.dmp	xmrig
behavioral2/memory/4792-138-0x00007FF67F110000-0x00007FF67F464000-memory.dmp	xmrig
behavioral2/memory/1008-139-0x00007FF657700000-0x00007FF657A54000-memory.dmp	xmrig
behavioral2/memory/4552-140-0x00007FF7CEDB0000-0x00007FF7CF104000-memory.dmp	xmrig
behavioral2/memory/3884-141-0x00007FF67E610000-0x00007FF67E964000-memory.dmp	xmrig
behavioral2/memory/228-142-0x00007FF65F860000-0x00007FF65FBB4000-memory.dmp	xmrig
behavioral2/memory/4612-143-0x00007FF6A7450000-0x00007FF6A77A4000-memory.dmp	xmrig
behavioral2/memory/4212-144-0x00007FF798360000-0x00007FF7986B4000-memory.dmp	xmrig
behavioral2/memory/3188-145-0x00007FF700730000-0x00007FF700A84000-memory.dmp	xmrig
behavioral2/memory/3644-146-0x00007FF7D71B0000-0x00007FF7D7504000-memory.dmp	xmrig
behavioral2/memory/2596-147-0x00007FF632CE0000-0x00007FF633034000-memory.dmp	xmrig
behavioral2/memory/1432-148-0x00007FF6A4EE0000-0x00007FF6A5234000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
1008	LxhUttG.exe
4552	VlnjqRI.exe
3884	oefaNQi.exe
228	yrnHkGP.exe
4612	poJpYjU.exe
4212	QhoVUrj.exe
3188	iVnhIwW.exe
3644	VASTubw.exe
2596	fAnjykQ.exe
1432	JNkckEy.exe
2824	WtpCaWu.exe
4848	ZXxiIKX.exe
2932	nqeOnPy.exe
2656	wNKPNCy.exe
1172	zQAzdct.exe
1660	OvfaHnb.exe
4792	EoWHdWT.exe
4732	qxBOnXE.exe
364	OWHeiVz.exe
2364	StOsPsf.exe
1208	wTwiaPI.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4336-0-0x00007FF64FB60000-0x00007FF64FEB4000-memory.dmp	upx
behavioral2/files/0x000800000002342a-5.dat	upx
behavioral2/memory/1008-6-0x00007FF657700000-0x00007FF657A54000-memory.dmp	upx
behavioral2/files/0x000800000002342d-11.dat	upx
behavioral2/files/0x0007000000023432-10.dat	upx
behavioral2/files/0x0007000000023433-21.dat	upx
behavioral2/files/0x0007000000023434-28.dat	upx
behavioral2/files/0x0007000000023435-39.dat	upx
behavioral2/memory/4612-37-0x00007FF6A7450000-0x00007FF6A77A4000-memory.dmp	upx
behavioral2/files/0x0007000000023437-48.dat	upx
behavioral2/files/0x0007000000023438-52.dat	upx
behavioral2/files/0x0007000000023439-61.dat	upx
behavioral2/memory/1432-60-0x00007FF6A4EE0000-0x00007FF6A5234000-memory.dmp	upx
behavioral2/memory/2596-59-0x00007FF632CE0000-0x00007FF633034000-memory.dmp	upx
behavioral2/memory/3644-55-0x00007FF7D71B0000-0x00007FF7D7504000-memory.dmp	upx
behavioral2/files/0x0007000000023436-44.dat	upx
behavioral2/memory/3188-43-0x00007FF700730000-0x00007FF700A84000-memory.dmp	upx
behavioral2/memory/4212-41-0x00007FF798360000-0x00007FF7986B4000-memory.dmp	upx
behavioral2/files/0x000700000002343a-65.dat	upx
behavioral2/memory/4336-70-0x00007FF64FB60000-0x00007FF64FEB4000-memory.dmp	upx
behavioral2/files/0x000700000002343b-74.dat	upx
behavioral2/files/0x000700000002343c-82.dat	upx
behavioral2/memory/2932-83-0x00007FF7D4080000-0x00007FF7D43D4000-memory.dmp	upx
behavioral2/files/0x000700000002343e-92.dat	upx
behavioral2/memory/4848-87-0x00007FF7B08D0000-0x00007FF7B0C24000-memory.dmp	upx
behavioral2/memory/2656-91-0x00007FF622AD0000-0x00007FF622E24000-memory.dmp	upx
behavioral2/memory/228-105-0x00007FF65F860000-0x00007FF65FBB4000-memory.dmp	upx
behavioral2/files/0x000700000002343f-107.dat	upx
behavioral2/memory/4792-106-0x00007FF67F110000-0x00007FF67F464000-memory.dmp	upx
behavioral2/memory/1660-104-0x00007FF7A9E00000-0x00007FF7AA154000-memory.dmp	upx
behavioral2/files/0x000700000002343d-100.dat	upx
behavioral2/memory/3884-98-0x00007FF67E610000-0x00007FF67E964000-memory.dmp	upx
behavioral2/memory/1172-97-0x00007FF766BC0000-0x00007FF766F14000-memory.dmp	upx
behavioral2/memory/1008-84-0x00007FF657700000-0x00007FF657A54000-memory.dmp	upx
behavioral2/memory/2824-80-0x00007FF6C5C20000-0x00007FF6C5F74000-memory.dmp	upx
behavioral2/files/0x000800000002342e-75.dat	upx
behavioral2/memory/228-24-0x00007FF65F860000-0x00007FF65FBB4000-memory.dmp	upx
behavioral2/memory/3884-20-0x00007FF67E610000-0x00007FF67E964000-memory.dmp	upx
behavioral2/memory/4552-17-0x00007FF7CEDB0000-0x00007FF7CF104000-memory.dmp	upx
behavioral2/files/0x0007000000023440-112.dat	upx
behavioral2/memory/4212-114-0x00007FF798360000-0x00007FF7986B4000-memory.dmp	upx
behavioral2/files/0x000a000000021f67-118.dat	upx
behavioral2/files/0x000a000000023371-123.dat	upx
behavioral2/memory/4732-122-0x00007FF7D7120000-0x00007FF7D7474000-memory.dmp	upx
behavioral2/files/0x001000000002337c-128.dat	upx
behavioral2/memory/364-130-0x00007FF7366D0000-0x00007FF736A24000-memory.dmp	upx
behavioral2/memory/3188-131-0x00007FF700730000-0x00007FF700A84000-memory.dmp	upx
behavioral2/memory/1208-132-0x00007FF72A070000-0x00007FF72A3C4000-memory.dmp	upx
behavioral2/memory/2596-133-0x00007FF632CE0000-0x00007FF633034000-memory.dmp	upx
behavioral2/memory/2364-134-0x00007FF7466F0000-0x00007FF746A44000-memory.dmp	upx
behavioral2/memory/1432-135-0x00007FF6A4EE0000-0x00007FF6A5234000-memory.dmp	upx
behavioral2/memory/2656-136-0x00007FF622AD0000-0x00007FF622E24000-memory.dmp	upx
behavioral2/memory/1172-137-0x00007FF766BC0000-0x00007FF766F14000-memory.dmp	upx
behavioral2/memory/4792-138-0x00007FF67F110000-0x00007FF67F464000-memory.dmp	upx
behavioral2/memory/1008-139-0x00007FF657700000-0x00007FF657A54000-memory.dmp	upx
behavioral2/memory/4552-140-0x00007FF7CEDB0000-0x00007FF7CF104000-memory.dmp	upx
behavioral2/memory/3884-141-0x00007FF67E610000-0x00007FF67E964000-memory.dmp	upx
behavioral2/memory/228-142-0x00007FF65F860000-0x00007FF65FBB4000-memory.dmp	upx
behavioral2/memory/4612-143-0x00007FF6A7450000-0x00007FF6A77A4000-memory.dmp	upx
behavioral2/memory/4212-144-0x00007FF798360000-0x00007FF7986B4000-memory.dmp	upx
behavioral2/memory/3188-145-0x00007FF700730000-0x00007FF700A84000-memory.dmp	upx
behavioral2/memory/3644-146-0x00007FF7D71B0000-0x00007FF7D7504000-memory.dmp	upx
behavioral2/memory/2596-147-0x00007FF632CE0000-0x00007FF633034000-memory.dmp	upx
behavioral2/memory/1432-148-0x00007FF6A4EE0000-0x00007FF6A5234000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\qxBOnXE.exe	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\OWHeiVz.exe	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\QhoVUrj.exe	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\iVnhIwW.exe	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\JNkckEy.exe	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ZXxiIKX.exe	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\zQAzdct.exe	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\OvfaHnb.exe	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\EoWHdWT.exe	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\VlnjqRI.exe	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\yrnHkGP.exe	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\fAnjykQ.exe	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\WtpCaWu.exe	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\StOsPsf.exe	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\wTwiaPI.exe	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\LxhUttG.exe	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\oefaNQi.exe	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\poJpYjU.exe	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\VASTubw.exe	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\nqeOnPy.exe	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\wNKPNCy.exe	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4336	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	4336	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4336 wrote to memory of 1008	4336	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe	85
PID 4336 wrote to memory of 1008	4336	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe	85
PID 4336 wrote to memory of 4552	4336	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe	86
PID 4336 wrote to memory of 4552	4336	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe	86
PID 4336 wrote to memory of 3884	4336	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe	87
PID 4336 wrote to memory of 3884	4336	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe	87
PID 4336 wrote to memory of 228	4336	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe	89
PID 4336 wrote to memory of 228	4336	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe	89
PID 4336 wrote to memory of 4612	4336	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe	90
PID 4336 wrote to memory of 4612	4336	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe	90
PID 4336 wrote to memory of 4212	4336	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe	91
PID 4336 wrote to memory of 4212	4336	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe	91
PID 4336 wrote to memory of 3188	4336	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe	92
PID 4336 wrote to memory of 3188	4336	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe	92
PID 4336 wrote to memory of 3644	4336	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe	93
PID 4336 wrote to memory of 3644	4336	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe	93
PID 4336 wrote to memory of 2596	4336	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe	94
PID 4336 wrote to memory of 2596	4336	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe	94
PID 4336 wrote to memory of 1432	4336	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe	95
PID 4336 wrote to memory of 1432	4336	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe	95
PID 4336 wrote to memory of 2824	4336	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe	98
PID 4336 wrote to memory of 2824	4336	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe	98
PID 4336 wrote to memory of 4848	4336	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe	99
PID 4336 wrote to memory of 4848	4336	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe	99
PID 4336 wrote to memory of 2932	4336	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe	100
PID 4336 wrote to memory of 2932	4336	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe	100
PID 4336 wrote to memory of 2656	4336	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe	101
PID 4336 wrote to memory of 2656	4336	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe	101
PID 4336 wrote to memory of 1172	4336	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe	102
PID 4336 wrote to memory of 1172	4336	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe	102
PID 4336 wrote to memory of 1660	4336	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe	103
PID 4336 wrote to memory of 1660	4336	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe	103
PID 4336 wrote to memory of 4792	4336	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe	104
PID 4336 wrote to memory of 4792	4336	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe	104
PID 4336 wrote to memory of 4732	4336	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe	105
PID 4336 wrote to memory of 4732	4336	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe	105
PID 4336 wrote to memory of 364	4336	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe	106
PID 4336 wrote to memory of 364	4336	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe	106
PID 4336 wrote to memory of 2364	4336	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe	107
PID 4336 wrote to memory of 2364	4336	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe	107
PID 4336 wrote to memory of 1208	4336	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe	108
PID 4336 wrote to memory of 1208	4336	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe	108

C:\Users\Admin\AppData\Local\Temp\2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4336
- C:\Windows\System\LxhUttG.exe
  C:\Windows\System\LxhUttG.exe
  2⤵
  - Executes dropped EXE
  PID:1008
- C:\Windows\System\VlnjqRI.exe
  C:\Windows\System\VlnjqRI.exe
  2⤵
  - Executes dropped EXE
  PID:4552
- C:\Windows\System\oefaNQi.exe
  C:\Windows\System\oefaNQi.exe
  2⤵
  - Executes dropped EXE
  PID:3884
- C:\Windows\System\yrnHkGP.exe
  C:\Windows\System\yrnHkGP.exe
  2⤵
  - Executes dropped EXE
  PID:228
- C:\Windows\System\poJpYjU.exe
  C:\Windows\System\poJpYjU.exe
  2⤵
  - Executes dropped EXE
  PID:4612
- C:\Windows\System\QhoVUrj.exe
  C:\Windows\System\QhoVUrj.exe
  2⤵
  - Executes dropped EXE
  PID:4212
- C:\Windows\System\iVnhIwW.exe
  C:\Windows\System\iVnhIwW.exe
  2⤵
  - Executes dropped EXE
  PID:3188
- C:\Windows\System\VASTubw.exe
  C:\Windows\System\VASTubw.exe
  2⤵
  - Executes dropped EXE
  PID:3644
- C:\Windows\System\fAnjykQ.exe
  C:\Windows\System\fAnjykQ.exe
  2⤵
  - Executes dropped EXE
  PID:2596
- C:\Windows\System\JNkckEy.exe
  C:\Windows\System\JNkckEy.exe
  2⤵
  - Executes dropped EXE
  PID:1432
- C:\Windows\System\WtpCaWu.exe
  C:\Windows\System\WtpCaWu.exe
  2⤵
  - Executes dropped EXE
  PID:2824
- C:\Windows\System\ZXxiIKX.exe
  C:\Windows\System\ZXxiIKX.exe
  2⤵
  - Executes dropped EXE
  PID:4848
- C:\Windows\System\nqeOnPy.exe
  C:\Windows\System\nqeOnPy.exe
  2⤵
  - Executes dropped EXE
  PID:2932
- C:\Windows\System\wNKPNCy.exe
  C:\Windows\System\wNKPNCy.exe
  2⤵
  - Executes dropped EXE
  PID:2656
- C:\Windows\System\zQAzdct.exe
  C:\Windows\System\zQAzdct.exe
  2⤵
  - Executes dropped EXE
  PID:1172
- C:\Windows\System\OvfaHnb.exe
  C:\Windows\System\OvfaHnb.exe
  2⤵
  - Executes dropped EXE
  PID:1660
- C:\Windows\System\EoWHdWT.exe
  C:\Windows\System\EoWHdWT.exe
  2⤵
  - Executes dropped EXE
  PID:4792
- C:\Windows\System\qxBOnXE.exe
  C:\Windows\System\qxBOnXE.exe
  2⤵
  - Executes dropped EXE
  PID:4732
- C:\Windows\System\OWHeiVz.exe
  C:\Windows\System\OWHeiVz.exe
  2⤵
  - Executes dropped EXE
  PID:364
- C:\Windows\System\StOsPsf.exe
  C:\Windows\System\StOsPsf.exe
  2⤵
  - Executes dropped EXE
  PID:2364
- C:\Windows\System\wTwiaPI.exe
  C:\Windows\System\wTwiaPI.exe
  2⤵
  - Executes dropped EXE
  PID:1208

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\EoWHdWT.exe

Filesize
5.9MB

MD5
6508efde9138bb2693a0a6df8e6811ff

SHA1
1b4ab92d6caf5b242c8ca83cd7a012a383e7361f

SHA256
c0250860bfd098544032d416b77c373725a42a5dd1a7506e4ad0a86cb8c28415

SHA512
7af0524646cf241992a2d1c81bf3f76f70a66cfca6847353a4ec0924f3577fd0a3a218fc1934279a04ca21ab0c4a601544a625749551b906d7e745b4264cf742

Download Submit
C:\Windows\System\JNkckEy.exe

Filesize
5.9MB

MD5
7cf36fd15442985d3fe7f3d9124eed94

SHA1
f871dedf2a470e7c76dfd9cf7e3810c72188ab65

SHA256
d6d58c56798afd6309d27d81ca5bde1225867e0626a8a2e5d02b76745532d365

SHA512
ee9cc460b323b2f3dd952fa8cdb05d7ae9ca56a192cf2c1b8191efca3daf8042046ba9259eb9de65d45efa9eea709af51d1891c4af4418737b31df91ec7040fe

Download Submit
C:\Windows\System\LxhUttG.exe

Filesize
5.9MB

MD5
16a85ff0d9706bd0ee65c57ea3d90790

SHA1
9ee6280627fa7d63c1503d7141b677eee319d577

SHA256
831a2c99efa4aeeb71d5299fbb4b2c38c492f70c4aee2f44c0ae335b7f84eb5e

SHA512
3f6e90792e35bfb631ac0b2916be2ace978b8c2d9ce9722f9691123199e87a77136d0d823dc02c03dba70184078f17de3a1d7562dae6ea781fe8a20a1683dd09

Download Submit
C:\Windows\System\OWHeiVz.exe

Filesize
5.9MB

MD5
1a1c70bed66ee6a1255c4bf07b5ae2a6

SHA1
726b7b72845ba373822056010d6fdc9e7863c6b8

SHA256
6862a1430bff24a10f22c08e1f117e4149f04ba8f9cf74aa17eba4c2237d5e2a

SHA512
39a9a6fdc6f47d27a284111855d8df3f7fb4df3cfd1456aa5a89198b63552f7d70288fa64ed9923ea19f057876f752e691bd13d9dfa0a9ff67658707e51ff445

Download Submit
C:\Windows\System\OvfaHnb.exe

Filesize
5.9MB

MD5
81618df808ca932766bd5f344bb62f39

SHA1
1d7b25e04a01446eab4d77d2f213009ff3827ffc

SHA256
ec938b767788a0a19fd694654d9d62daf19b44c5358cec44a4539b1740302b7e

SHA512
e68b6546281af63d3c5386361ec84f7d84c67894fa36526363db1039803a6589a2a023d277c6a0bcff75039492b3549f8116310e4f65ffbd102870bbef2520ca

Download Submit
C:\Windows\System\QhoVUrj.exe

Filesize
5.9MB

MD5
129bea8fb3ff6ab89963ef4cee5eaa7f

SHA1
59919f1a972bb2f13adb5dbd7233b31b6c4c8d45

SHA256
ac166069a65cab2e532389191942b586585b474387af6a288e0f67fef50e61e2

SHA512
b4d79e0eb16edb3a9693a199937126344a8ddf0337305fa4e5a0816762be6d0da4d876bbae5fcf0b31dc8e123c26bf6dca1a59a669b1758818e085e5114f1ebd

Download Submit
C:\Windows\System\StOsPsf.exe

Filesize
5.9MB

MD5
036a92d96c1836ba84490e43f2011d4d

SHA1
5b1f80bc506615422decaf5e5211aa7386e5c32c

SHA256
8dea39e99eb28ac4c13029ad4541bcffae2e8a8de342a3f438d942317dad2df1

SHA512
f5b31a066f70b8d957c31b449236402c0267c4d9b4b3f5d0075375ae14cc4b362cf4bf627abd546ebd86d0b8dc7d331fc0414f46d462bfe70c1872bf8c58e888

Download Submit
C:\Windows\System\VASTubw.exe

Filesize
5.9MB

MD5
6d4573bc294fe073ef868abdd64e81bf

SHA1
dedf5cc1cea2b35050327b59c1843fa149e4783a

SHA256
bce9dea9b744d1132c5505e8891e00af779fb483a3861c32838e0c19513b39f3

SHA512
1815f0b74d4f7548044262ab2af50bfe3fd052b73f21cba379a1965ae6eab6328afdc68ec90bca6e9a244d9dd5e3421ffbd79c4c33d155a8884048429073fa93

Download Submit
C:\Windows\System\VlnjqRI.exe

Filesize
5.9MB

MD5
0d96c57ecf30830330f774739120a337

SHA1
ef177a28ce0ce8ade992550561b95607641336bc

SHA256
0b8904884aeee4eafbcfa99ffd06c50001c93fb89e4657ab4f09a40d5977b362

SHA512
fcaa47e3f15ef55217f89ca4759c1c4fd9c59893e34563fb365df4f6c5258079c9668d3024ff32f45bec49a835a356da40b4d70de614f8d54c205ced74d124e9

Download Submit
C:\Windows\System\WtpCaWu.exe

Filesize
5.9MB

MD5
b48aca958b0f06783258bf07bc346a70

SHA1
2d013fb95b9abb4be128baf676b76ee11e41fa62

SHA256
5698c2ae3b6ab6e80d206662ba943c4e955ad0986fc9edde0f71344f7062de29

SHA512
ec3cb252d1e41935985071f20af3056159b28b87bcd465b27be5f3d81d062b5fdaaa9924c4c28a62740f9e4f952a1a45f3087064dfc83f891f5904d8e101bb06

Download Submit
C:\Windows\System\ZXxiIKX.exe

Filesize
5.9MB

MD5
14bfd67506cc8ae625e0123635622d14

SHA1
238f4f9a098f862a069437b9f95b8cac1dc8adbd

SHA256
898f5ce0693c056215e340fea0e0ad417c7772db87f5ea8a6cf5788d4b6fbad7

SHA512
82ede701166ba9a31d3c970940886d47dfed201862a0541e2c6835f1fb8c31d159fd01f241489732200b042c8e53f99e38397610768768bb17fd4c79111b3517

Download Submit
C:\Windows\System\fAnjykQ.exe

Filesize
5.9MB

MD5
2d45900d20a72011898ff51b9cf86b05

SHA1
4103734f742a794183ed11bda2add3097d88ee12

SHA256
0b1afbcb3f2486da350476187cbaa74a3d988e55f2dc69fe61f7458684d8928d

SHA512
ed2d5c0332075a023e43ca3a6c709c945563201c80bf47e0506e68d77704e172ff9d4014bf2c1d579ccd45d5ea9bc926741dc3e2409cd8330a58f396ae9965be

Download Submit
C:\Windows\System\iVnhIwW.exe

Filesize
5.9MB

MD5
6d4d8245e36c451039c2d9afea11b162

SHA1
03d1b0890f48ce6a719c2d36b018169ea9e2d176

SHA256
a017be663220fa9dde124e6bade8f438abd4ef92ec4ffdfe72420fec1bd1a680

SHA512
72991ab00a0828b2543a0476d33ecca0930fb258ff048833a79e4b1b1fc6d3f58da9e1852b24f8cce75b6fb301020ec4e95af9429bbbe942cfdec6e7487b2431

Download Submit
C:\Windows\System\nqeOnPy.exe

Filesize
5.9MB

MD5
d8e3d3f209f2eca1083c5cdba5218827

SHA1
ba236b554be802ebf38af63915511b4b892eed21

SHA256
c5e117712117fb898d84aa47891132efe6a3a2791e2df34842d083184faa5e18

SHA512
55edd656337272684ce0518b2f7a4ecdf3bbff46a375bd152a2e7eed71df32dd14debdd7ab476e2722e0a368b7503caf75b8dfa76370637f61cce845bdaabb8a

Download Submit
C:\Windows\System\oefaNQi.exe

Filesize
5.9MB

MD5
d1942ee8668d940112d49f8ab8d18297

SHA1
60eefcadc3fc90a5b86d74bf90b7c64eae3fadd2

SHA256
09f28022ec1922ff725292e96e30f7cf47170c75058384643d9a0d6ac3ac048a

SHA512
66ef31ee541cb04794536aaef76555a35c34ccf3b0d7b7f83fe87cbbfae879f3cd95f318db6737fcd847c5e753a44db16345e7f2f3e7deb7982405c4c9e40443

Download Submit
C:\Windows\System\poJpYjU.exe

Filesize
5.9MB

MD5
354839f93bd9e786310e94ef0cf794df

SHA1
c6d042b6a6ab34f23da44e16275a31431105c510

SHA256
7551e3def202845dba562c7a9fc7465d207555e13154a99a47f3f9acc92fae53

SHA512
ea6b1c3a2d2573173fe6d24257b6fa46b0022fc079bbb986b99753c3a561143b8577251cdc945d58cf5082cf66e029ac4c201fe9eaa68e1a7dba8be6770b60d1

Download Submit
C:\Windows\System\qxBOnXE.exe

Filesize
5.9MB

MD5
b6fbe26a34d603dc8875f4c5ac2fcdfb

SHA1
5c7240a071db785f350a692481503293940c638b

SHA256
ad4697bd2733fb5522b656a4e2ebfeedb213d77effe5e0d799e666838ce8327d

SHA512
eee320e7af06916fb3a7a6e94026567faf7f300e124319e9030f070693358e9feaea7fcd627d58359e78ccec4b39f0ba48db59ca6c1dd7249ddf369a43055587

Download Submit
C:\Windows\System\wNKPNCy.exe

Filesize
5.9MB

MD5
ac8c6464442ad0119178a03a541b3e5c

SHA1
ac329b506ff5f31643fb62c17d8979fabb1b5b7a

SHA256
5d98f3f3d18c19efc41edc0f708c4d223cbffdaeb015b55bb4baf42ce23dc075

SHA512
476402e4f76cd394b3ded12f7b6ee5bf43122fcb48bcf929c33c032117c0cd21b89800d724b5fb929d3c9b08d6f06d7daf53794a176ee46ca17f5de49bd6f43b

Download Submit
C:\Windows\System\wTwiaPI.exe

Filesize
5.9MB

MD5
4428441e9b4fa489faac064005797ba5

SHA1
079bacd8d25925f19d161e4da735c6092808cd4a

SHA256
ac09670d469e4055f3b83373fe1eefc8701ed83e8d186c561e27ec527870154e

SHA512
82a4c1ab3da1a8ac6910c3d08d91de0df8bfee9ee6d7ce5e36f3ce305fbfdb3ce16806b531078af19a121e0abcc547f01a8fc7d214151202c2493711017366b6

Download Submit
C:\Windows\System\yrnHkGP.exe

Filesize
5.9MB

MD5
52e2beebbeef4baf00fb7baafff8382b

SHA1
a03f317690c3f99b6c435a63376cc2c638e2dd42

SHA256
0ec9531c3f196291fecfcf638ee2b4cdf2c1082c39fc84c770ad165af6354369

SHA512
a028e3dc3d921ab75672a61006d57a1975eba44c8960057d4a4ff60a400d791395113d903efd7a4f050dbef0b78ddd53b0af02af392049c3849622bff96aee7b

Download Submit
C:\Windows\System\zQAzdct.exe

Filesize
5.9MB

MD5
68489055f481cbfbe0c3afa8acd1ed0a

SHA1
9490a22fd89c9da952fa7215e9ab9758c30de1ce

SHA256
f442646d5527858b35f3df840352bc51d4d983922a15a0ce169543064ac6a233

SHA512
8e743fcb305adeb814ffc4bb7718055b645e2fae7f5106e020b492a69f9e09fe0c28be582d9543f5f7f1e906cbb5ad3cb2d4762b9920f6ed4728f46af7f33329

Download Submit
memory/228-105-0x00007FF65F860000-0x00007FF65FBB4000-memory.dmp

Filesize
3.3MB

Download
memory/228-24-0x00007FF65F860000-0x00007FF65FBB4000-memory.dmp

Filesize
3.3MB

Download
memory/228-142-0x00007FF65F860000-0x00007FF65FBB4000-memory.dmp

Filesize
3.3MB

Download
memory/364-130-0x00007FF7366D0000-0x00007FF736A24000-memory.dmp

Filesize
3.3MB

Download
memory/364-157-0x00007FF7366D0000-0x00007FF736A24000-memory.dmp

Filesize
3.3MB

Download
memory/1008-139-0x00007FF657700000-0x00007FF657A54000-memory.dmp

Filesize
3.3MB

Download
memory/1008-84-0x00007FF657700000-0x00007FF657A54000-memory.dmp

Filesize
3.3MB

Download
memory/1008-6-0x00007FF657700000-0x00007FF657A54000-memory.dmp

Filesize
3.3MB

Download
memory/1172-153-0x00007FF766BC0000-0x00007FF766F14000-memory.dmp

Filesize
3.3MB

Download
memory/1172-97-0x00007FF766BC0000-0x00007FF766F14000-memory.dmp

Filesize
3.3MB

Download
memory/1172-137-0x00007FF766BC0000-0x00007FF766F14000-memory.dmp

Filesize
3.3MB

Download
memory/1208-132-0x00007FF72A070000-0x00007FF72A3C4000-memory.dmp

Filesize
3.3MB

Download
memory/1208-158-0x00007FF72A070000-0x00007FF72A3C4000-memory.dmp

Filesize
3.3MB

Download
memory/1432-135-0x00007FF6A4EE0000-0x00007FF6A5234000-memory.dmp

Filesize
3.3MB

Download
memory/1432-60-0x00007FF6A4EE0000-0x00007FF6A5234000-memory.dmp

Filesize
3.3MB

Download
memory/1432-148-0x00007FF6A4EE0000-0x00007FF6A5234000-memory.dmp

Filesize
3.3MB

Download
memory/1660-104-0x00007FF7A9E00000-0x00007FF7AA154000-memory.dmp

Filesize
3.3MB

Download
memory/1660-154-0x00007FF7A9E00000-0x00007FF7AA154000-memory.dmp

Filesize
3.3MB

Download
memory/2364-134-0x00007FF7466F0000-0x00007FF746A44000-memory.dmp

Filesize
3.3MB

Download
memory/2364-159-0x00007FF7466F0000-0x00007FF746A44000-memory.dmp

Filesize
3.3MB

Download
memory/2596-147-0x00007FF632CE0000-0x00007FF633034000-memory.dmp

Filesize
3.3MB

Download
memory/2596-133-0x00007FF632CE0000-0x00007FF633034000-memory.dmp

Filesize
3.3MB

Download
memory/2596-59-0x00007FF632CE0000-0x00007FF633034000-memory.dmp

Filesize
3.3MB

Download
memory/2656-136-0x00007FF622AD0000-0x00007FF622E24000-memory.dmp

Filesize
3.3MB

Download
memory/2656-152-0x00007FF622AD0000-0x00007FF622E24000-memory.dmp

Filesize
3.3MB

Download
memory/2656-91-0x00007FF622AD0000-0x00007FF622E24000-memory.dmp

Filesize
3.3MB

Download
memory/2824-80-0x00007FF6C5C20000-0x00007FF6C5F74000-memory.dmp

Filesize
3.3MB

Download
memory/2824-149-0x00007FF6C5C20000-0x00007FF6C5F74000-memory.dmp

Filesize
3.3MB

Download
memory/2932-151-0x00007FF7D4080000-0x00007FF7D43D4000-memory.dmp

Filesize
3.3MB

Download
memory/2932-83-0x00007FF7D4080000-0x00007FF7D43D4000-memory.dmp

Filesize
3.3MB

Download
memory/3188-131-0x00007FF700730000-0x00007FF700A84000-memory.dmp

Filesize
3.3MB

Download
memory/3188-43-0x00007FF700730000-0x00007FF700A84000-memory.dmp

Filesize
3.3MB

Download
memory/3188-145-0x00007FF700730000-0x00007FF700A84000-memory.dmp

Filesize
3.3MB

Download
memory/3644-146-0x00007FF7D71B0000-0x00007FF7D7504000-memory.dmp

Filesize
3.3MB

Download
memory/3644-55-0x00007FF7D71B0000-0x00007FF7D7504000-memory.dmp

Filesize
3.3MB

Download
memory/3884-141-0x00007FF67E610000-0x00007FF67E964000-memory.dmp

Filesize
3.3MB

Download
memory/3884-20-0x00007FF67E610000-0x00007FF67E964000-memory.dmp

Filesize
3.3MB

Download
memory/3884-98-0x00007FF67E610000-0x00007FF67E964000-memory.dmp

Filesize
3.3MB

Download
memory/4212-114-0x00007FF798360000-0x00007FF7986B4000-memory.dmp

Filesize
3.3MB

Download
memory/4212-144-0x00007FF798360000-0x00007FF7986B4000-memory.dmp

Filesize
3.3MB

Download
memory/4212-41-0x00007FF798360000-0x00007FF7986B4000-memory.dmp

Filesize
3.3MB

Download
memory/4336-0-0x00007FF64FB60000-0x00007FF64FEB4000-memory.dmp

Filesize
3.3MB

Download
memory/4336-1-0x000001C02E880000-0x000001C02E890000-memory.dmp

Filesize
64KB

Download
memory/4336-70-0x00007FF64FB60000-0x00007FF64FEB4000-memory.dmp

Filesize
3.3MB

Download
memory/4552-17-0x00007FF7CEDB0000-0x00007FF7CF104000-memory.dmp

Filesize
3.3MB

Download
memory/4552-140-0x00007FF7CEDB0000-0x00007FF7CF104000-memory.dmp

Filesize
3.3MB

Download
memory/4612-143-0x00007FF6A7450000-0x00007FF6A77A4000-memory.dmp

Filesize
3.3MB

Download
memory/4612-37-0x00007FF6A7450000-0x00007FF6A77A4000-memory.dmp

Filesize
3.3MB

Download
memory/4732-122-0x00007FF7D7120000-0x00007FF7D7474000-memory.dmp

Filesize
3.3MB

Download
memory/4732-156-0x00007FF7D7120000-0x00007FF7D7474000-memory.dmp

Filesize
3.3MB

Download
memory/4792-138-0x00007FF67F110000-0x00007FF67F464000-memory.dmp

Filesize
3.3MB

Download
memory/4792-155-0x00007FF67F110000-0x00007FF67F464000-memory.dmp

Filesize
3.3MB

Download
memory/4792-106-0x00007FF67F110000-0x00007FF67F464000-memory.dmp

Filesize
3.3MB

Download
memory/4848-87-0x00007FF7B08D0000-0x00007FF7B0C24000-memory.dmp

Filesize
3.3MB

Download
memory/4848-150-0x00007FF7B08D0000-0x00007FF7B0C24000-memory.dmp

Filesize
3.3MB

Download