cobaltstrike | 5cfbd54efd105c01272016502b47acdac9410eb23169f3602b465cf30d57f289

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
02/06/2024, 13:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe
Size

5.9MB
MD5

ca5e5eb0c47f9f454a8172af0b3e8310
SHA1

b82218fd9b7cc35c64a68e238c0db61ce310509e
SHA256

5cfbd54efd105c01272016502b47acdac9410eb23169f3602b465cf30d57f289
SHA512

2f5b94f8fff73d3e23dc338101c1ec78c85895075f455e7f6293e9fa64aa29f78aff5eff13c5a2c6304aa1e7fdded1509bba51ab14e7c58e4c579e46e7d99239
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUs:Q+856utgpPF8u/7s

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x00090000000233fc-4.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023404-11.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023405-10.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023406-20.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002340b-51.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002340a-49.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023409-47.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023408-45.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002340c-56.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002340e-65.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002340f-70.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023410-76.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023412-95.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023411-94.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002340d-61.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023407-36.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023413-100.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023414-106.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023415-113.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023416-120.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023417-124.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

resource	yara_rule
behavioral2/files/0x00090000000233fc-4.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023404-11.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023405-10.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023406-20.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002340b-51.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002340a-49.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023409-47.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023408-45.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002340c-56.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002340e-65.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002340f-70.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023410-76.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023412-95.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023411-94.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002340d-61.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023407-36.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023413-100.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023414-106.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023415-113.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023416-120.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023417-124.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

resource	yara_rule
behavioral2/memory/924-0-0x00007FF64A6C0000-0x00007FF64AA14000-memory.dmp	UPX
behavioral2/files/0x00090000000233fc-4.dat	UPX
behavioral2/files/0x0007000000023404-11.dat	UPX
behavioral2/files/0x0007000000023405-10.dat	UPX
behavioral2/files/0x0007000000023406-20.dat	UPX
behavioral2/memory/4376-30-0x00007FF648470000-0x00007FF6487C4000-memory.dmp	UPX
behavioral2/memory/3104-39-0x00007FF65B560000-0x00007FF65B8B4000-memory.dmp	UPX
behavioral2/files/0x000700000002340b-51.dat	UPX
behavioral2/files/0x000700000002340a-49.dat	UPX
behavioral2/files/0x0007000000023409-47.dat	UPX
behavioral2/files/0x0007000000023408-45.dat	UPX
behavioral2/files/0x000700000002340c-56.dat	UPX
behavioral2/files/0x000700000002340e-65.dat	UPX
behavioral2/files/0x000700000002340f-70.dat	UPX
behavioral2/files/0x0007000000023410-76.dat	UPX
behavioral2/memory/2044-83-0x00007FF7A2CC0000-0x00007FF7A3014000-memory.dmp	UPX
behavioral2/memory/768-86-0x00007FF771400000-0x00007FF771754000-memory.dmp	UPX
behavioral2/memory/624-89-0x00007FF76A350000-0x00007FF76A6A4000-memory.dmp	UPX
behavioral2/memory/2760-92-0x00007FF7D39A0000-0x00007FF7D3CF4000-memory.dmp	UPX
behavioral2/files/0x0007000000023412-95.dat	UPX
behavioral2/files/0x0007000000023411-94.dat	UPX
behavioral2/memory/4428-93-0x00007FF612AA0000-0x00007FF612DF4000-memory.dmp	UPX
behavioral2/memory/3876-91-0x00007FF69C340000-0x00007FF69C694000-memory.dmp	UPX
behavioral2/memory/1332-90-0x00007FF6DAC20000-0x00007FF6DAF74000-memory.dmp	UPX
behavioral2/memory/3108-88-0x00007FF6AB5E0000-0x00007FF6AB934000-memory.dmp	UPX
behavioral2/memory/3504-87-0x00007FF72BF50000-0x00007FF72C2A4000-memory.dmp	UPX
behavioral2/memory/1300-85-0x00007FF7D6190000-0x00007FF7D64E4000-memory.dmp	UPX
behavioral2/memory/3400-84-0x00007FF73F4A0000-0x00007FF73F7F4000-memory.dmp	UPX
behavioral2/files/0x000700000002340d-61.dat	UPX
behavioral2/files/0x0007000000023407-36.dat	UPX
behavioral2/memory/3112-23-0x00007FF648970000-0x00007FF648CC4000-memory.dmp	UPX
behavioral2/memory/3520-17-0x00007FF6A1310000-0x00007FF6A1664000-memory.dmp	UPX
behavioral2/memory/4724-8-0x00007FF7C2140000-0x00007FF7C2494000-memory.dmp	UPX
behavioral2/files/0x0007000000023413-100.dat	UPX
behavioral2/memory/4504-104-0x00007FF72EEA0000-0x00007FF72F1F4000-memory.dmp	UPX
behavioral2/files/0x0007000000023414-106.dat	UPX
behavioral2/files/0x0007000000023415-113.dat	UPX
behavioral2/memory/2548-110-0x00007FF72B510000-0x00007FF72B864000-memory.dmp	UPX
behavioral2/memory/1740-117-0x00007FF6EF170000-0x00007FF6EF4C4000-memory.dmp	UPX
behavioral2/memory/924-116-0x00007FF64A6C0000-0x00007FF64AA14000-memory.dmp	UPX
behavioral2/files/0x0007000000023416-120.dat	UPX
behavioral2/files/0x0007000000023417-124.dat	UPX
behavioral2/memory/4724-128-0x00007FF7C2140000-0x00007FF7C2494000-memory.dmp	UPX
behavioral2/memory/3144-129-0x00007FF604360000-0x00007FF6046B4000-memory.dmp	UPX
behavioral2/memory/4728-122-0x00007FF75A790000-0x00007FF75AAE4000-memory.dmp	UPX
behavioral2/memory/3112-130-0x00007FF648970000-0x00007FF648CC4000-memory.dmp	UPX
behavioral2/memory/4376-131-0x00007FF648470000-0x00007FF6487C4000-memory.dmp	UPX
behavioral2/memory/3104-132-0x00007FF65B560000-0x00007FF65B8B4000-memory.dmp	UPX
behavioral2/memory/2044-133-0x00007FF7A2CC0000-0x00007FF7A3014000-memory.dmp	UPX
behavioral2/memory/1332-134-0x00007FF6DAC20000-0x00007FF6DAF74000-memory.dmp	UPX
behavioral2/memory/3876-135-0x00007FF69C340000-0x00007FF69C694000-memory.dmp	UPX
behavioral2/memory/4728-136-0x00007FF75A790000-0x00007FF75AAE4000-memory.dmp	UPX
behavioral2/memory/4724-137-0x00007FF7C2140000-0x00007FF7C2494000-memory.dmp	UPX
behavioral2/memory/3520-138-0x00007FF6A1310000-0x00007FF6A1664000-memory.dmp	UPX
behavioral2/memory/3112-139-0x00007FF648970000-0x00007FF648CC4000-memory.dmp	UPX
behavioral2/memory/4376-140-0x00007FF648470000-0x00007FF6487C4000-memory.dmp	UPX
behavioral2/memory/3104-141-0x00007FF65B560000-0x00007FF65B8B4000-memory.dmp	UPX
behavioral2/memory/4428-143-0x00007FF612AA0000-0x00007FF612DF4000-memory.dmp	UPX
behavioral2/memory/3400-142-0x00007FF73F4A0000-0x00007FF73F7F4000-memory.dmp	UPX
behavioral2/memory/2760-145-0x00007FF7D39A0000-0x00007FF7D3CF4000-memory.dmp	UPX
behavioral2/memory/2044-144-0x00007FF7A2CC0000-0x00007FF7A3014000-memory.dmp	UPX
behavioral2/memory/3504-148-0x00007FF72BF50000-0x00007FF72C2A4000-memory.dmp	UPX
behavioral2/memory/1300-147-0x00007FF7D6190000-0x00007FF7D64E4000-memory.dmp	UPX
behavioral2/memory/768-146-0x00007FF771400000-0x00007FF771754000-memory.dmp	UPX

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/924-0-0x00007FF64A6C0000-0x00007FF64AA14000-memory.dmp	xmrig
behavioral2/files/0x00090000000233fc-4.dat	xmrig
behavioral2/files/0x0007000000023404-11.dat	xmrig
behavioral2/files/0x0007000000023405-10.dat	xmrig
behavioral2/files/0x0007000000023406-20.dat	xmrig
behavioral2/memory/4376-30-0x00007FF648470000-0x00007FF6487C4000-memory.dmp	xmrig
behavioral2/memory/3104-39-0x00007FF65B560000-0x00007FF65B8B4000-memory.dmp	xmrig
behavioral2/files/0x000700000002340b-51.dat	xmrig
behavioral2/files/0x000700000002340a-49.dat	xmrig
behavioral2/files/0x0007000000023409-47.dat	xmrig
behavioral2/files/0x0007000000023408-45.dat	xmrig
behavioral2/files/0x000700000002340c-56.dat	xmrig
behavioral2/files/0x000700000002340e-65.dat	xmrig
behavioral2/files/0x000700000002340f-70.dat	xmrig
behavioral2/files/0x0007000000023410-76.dat	xmrig
behavioral2/memory/2044-83-0x00007FF7A2CC0000-0x00007FF7A3014000-memory.dmp	xmrig
behavioral2/memory/768-86-0x00007FF771400000-0x00007FF771754000-memory.dmp	xmrig
behavioral2/memory/624-89-0x00007FF76A350000-0x00007FF76A6A4000-memory.dmp	xmrig
behavioral2/memory/2760-92-0x00007FF7D39A0000-0x00007FF7D3CF4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023412-95.dat	xmrig
behavioral2/files/0x0007000000023411-94.dat	xmrig
behavioral2/memory/4428-93-0x00007FF612AA0000-0x00007FF612DF4000-memory.dmp	xmrig
behavioral2/memory/3876-91-0x00007FF69C340000-0x00007FF69C694000-memory.dmp	xmrig
behavioral2/memory/1332-90-0x00007FF6DAC20000-0x00007FF6DAF74000-memory.dmp	xmrig
behavioral2/memory/3108-88-0x00007FF6AB5E0000-0x00007FF6AB934000-memory.dmp	xmrig
behavioral2/memory/3504-87-0x00007FF72BF50000-0x00007FF72C2A4000-memory.dmp	xmrig
behavioral2/memory/1300-85-0x00007FF7D6190000-0x00007FF7D64E4000-memory.dmp	xmrig
behavioral2/memory/3400-84-0x00007FF73F4A0000-0x00007FF73F7F4000-memory.dmp	xmrig
behavioral2/files/0x000700000002340d-61.dat	xmrig
behavioral2/files/0x0007000000023407-36.dat	xmrig
behavioral2/memory/3112-23-0x00007FF648970000-0x00007FF648CC4000-memory.dmp	xmrig
behavioral2/memory/3520-17-0x00007FF6A1310000-0x00007FF6A1664000-memory.dmp	xmrig
behavioral2/memory/4724-8-0x00007FF7C2140000-0x00007FF7C2494000-memory.dmp	xmrig
behavioral2/files/0x0007000000023413-100.dat	xmrig
behavioral2/memory/4504-104-0x00007FF72EEA0000-0x00007FF72F1F4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023414-106.dat	xmrig
behavioral2/files/0x0007000000023415-113.dat	xmrig
behavioral2/memory/2548-110-0x00007FF72B510000-0x00007FF72B864000-memory.dmp	xmrig
behavioral2/memory/1740-117-0x00007FF6EF170000-0x00007FF6EF4C4000-memory.dmp	xmrig
behavioral2/memory/924-116-0x00007FF64A6C0000-0x00007FF64AA14000-memory.dmp	xmrig
behavioral2/files/0x0007000000023416-120.dat	xmrig
behavioral2/files/0x0007000000023417-124.dat	xmrig
behavioral2/memory/4724-128-0x00007FF7C2140000-0x00007FF7C2494000-memory.dmp	xmrig
behavioral2/memory/3144-129-0x00007FF604360000-0x00007FF6046B4000-memory.dmp	xmrig
behavioral2/memory/4728-122-0x00007FF75A790000-0x00007FF75AAE4000-memory.dmp	xmrig
behavioral2/memory/3112-130-0x00007FF648970000-0x00007FF648CC4000-memory.dmp	xmrig
behavioral2/memory/4376-131-0x00007FF648470000-0x00007FF6487C4000-memory.dmp	xmrig
behavioral2/memory/3104-132-0x00007FF65B560000-0x00007FF65B8B4000-memory.dmp	xmrig
behavioral2/memory/2044-133-0x00007FF7A2CC0000-0x00007FF7A3014000-memory.dmp	xmrig
behavioral2/memory/1332-134-0x00007FF6DAC20000-0x00007FF6DAF74000-memory.dmp	xmrig
behavioral2/memory/3876-135-0x00007FF69C340000-0x00007FF69C694000-memory.dmp	xmrig
behavioral2/memory/4728-136-0x00007FF75A790000-0x00007FF75AAE4000-memory.dmp	xmrig
behavioral2/memory/4724-137-0x00007FF7C2140000-0x00007FF7C2494000-memory.dmp	xmrig
behavioral2/memory/3520-138-0x00007FF6A1310000-0x00007FF6A1664000-memory.dmp	xmrig
behavioral2/memory/3112-139-0x00007FF648970000-0x00007FF648CC4000-memory.dmp	xmrig
behavioral2/memory/4376-140-0x00007FF648470000-0x00007FF6487C4000-memory.dmp	xmrig
behavioral2/memory/3104-141-0x00007FF65B560000-0x00007FF65B8B4000-memory.dmp	xmrig
behavioral2/memory/4428-143-0x00007FF612AA0000-0x00007FF612DF4000-memory.dmp	xmrig
behavioral2/memory/3400-142-0x00007FF73F4A0000-0x00007FF73F7F4000-memory.dmp	xmrig
behavioral2/memory/2760-145-0x00007FF7D39A0000-0x00007FF7D3CF4000-memory.dmp	xmrig
behavioral2/memory/2044-144-0x00007FF7A2CC0000-0x00007FF7A3014000-memory.dmp	xmrig
behavioral2/memory/3504-148-0x00007FF72BF50000-0x00007FF72C2A4000-memory.dmp	xmrig
behavioral2/memory/1300-147-0x00007FF7D6190000-0x00007FF7D64E4000-memory.dmp	xmrig
behavioral2/memory/768-146-0x00007FF771400000-0x00007FF771754000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
4724	NbudblI.exe
3520	wsHtRUV.exe
3112	YVnprWf.exe
4376	BXJwHpS.exe
3104	FyfOODq.exe
2760	SfxPLmk.exe
2044	FLnUYvm.exe
4428	CInvwtP.exe
3400	ndCeNYZ.exe
1300	atGHQUm.exe
768	BJQwgNw.exe
3504	JZKhGDV.exe
3108	pFmueGc.exe
624	wTvkNKO.exe
1332	ZjuifcE.exe
3876	lSSpNQv.exe
4504	JPvebdZ.exe
2548	TUUbGEM.exe
1740	bfccjiH.exe
4728	qZFmufH.exe
3144	rwuERGx.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/924-0-0x00007FF64A6C0000-0x00007FF64AA14000-memory.dmp	upx
behavioral2/files/0x00090000000233fc-4.dat	upx
behavioral2/files/0x0007000000023404-11.dat	upx
behavioral2/files/0x0007000000023405-10.dat	upx
behavioral2/files/0x0007000000023406-20.dat	upx
behavioral2/memory/4376-30-0x00007FF648470000-0x00007FF6487C4000-memory.dmp	upx
behavioral2/memory/3104-39-0x00007FF65B560000-0x00007FF65B8B4000-memory.dmp	upx
behavioral2/files/0x000700000002340b-51.dat	upx
behavioral2/files/0x000700000002340a-49.dat	upx
behavioral2/files/0x0007000000023409-47.dat	upx
behavioral2/files/0x0007000000023408-45.dat	upx
behavioral2/files/0x000700000002340c-56.dat	upx
behavioral2/files/0x000700000002340e-65.dat	upx
behavioral2/files/0x000700000002340f-70.dat	upx
behavioral2/files/0x0007000000023410-76.dat	upx
behavioral2/memory/2044-83-0x00007FF7A2CC0000-0x00007FF7A3014000-memory.dmp	upx
behavioral2/memory/768-86-0x00007FF771400000-0x00007FF771754000-memory.dmp	upx
behavioral2/memory/624-89-0x00007FF76A350000-0x00007FF76A6A4000-memory.dmp	upx
behavioral2/memory/2760-92-0x00007FF7D39A0000-0x00007FF7D3CF4000-memory.dmp	upx
behavioral2/files/0x0007000000023412-95.dat	upx
behavioral2/files/0x0007000000023411-94.dat	upx
behavioral2/memory/4428-93-0x00007FF612AA0000-0x00007FF612DF4000-memory.dmp	upx
behavioral2/memory/3876-91-0x00007FF69C340000-0x00007FF69C694000-memory.dmp	upx
behavioral2/memory/1332-90-0x00007FF6DAC20000-0x00007FF6DAF74000-memory.dmp	upx
behavioral2/memory/3108-88-0x00007FF6AB5E0000-0x00007FF6AB934000-memory.dmp	upx
behavioral2/memory/3504-87-0x00007FF72BF50000-0x00007FF72C2A4000-memory.dmp	upx
behavioral2/memory/1300-85-0x00007FF7D6190000-0x00007FF7D64E4000-memory.dmp	upx
behavioral2/memory/3400-84-0x00007FF73F4A0000-0x00007FF73F7F4000-memory.dmp	upx
behavioral2/files/0x000700000002340d-61.dat	upx
behavioral2/files/0x0007000000023407-36.dat	upx
behavioral2/memory/3112-23-0x00007FF648970000-0x00007FF648CC4000-memory.dmp	upx
behavioral2/memory/3520-17-0x00007FF6A1310000-0x00007FF6A1664000-memory.dmp	upx
behavioral2/memory/4724-8-0x00007FF7C2140000-0x00007FF7C2494000-memory.dmp	upx
behavioral2/files/0x0007000000023413-100.dat	upx
behavioral2/memory/4504-104-0x00007FF72EEA0000-0x00007FF72F1F4000-memory.dmp	upx
behavioral2/files/0x0007000000023414-106.dat	upx
behavioral2/files/0x0007000000023415-113.dat	upx
behavioral2/memory/2548-110-0x00007FF72B510000-0x00007FF72B864000-memory.dmp	upx
behavioral2/memory/1740-117-0x00007FF6EF170000-0x00007FF6EF4C4000-memory.dmp	upx
behavioral2/memory/924-116-0x00007FF64A6C0000-0x00007FF64AA14000-memory.dmp	upx
behavioral2/files/0x0007000000023416-120.dat	upx
behavioral2/files/0x0007000000023417-124.dat	upx
behavioral2/memory/4724-128-0x00007FF7C2140000-0x00007FF7C2494000-memory.dmp	upx
behavioral2/memory/3144-129-0x00007FF604360000-0x00007FF6046B4000-memory.dmp	upx
behavioral2/memory/4728-122-0x00007FF75A790000-0x00007FF75AAE4000-memory.dmp	upx
behavioral2/memory/3112-130-0x00007FF648970000-0x00007FF648CC4000-memory.dmp	upx
behavioral2/memory/4376-131-0x00007FF648470000-0x00007FF6487C4000-memory.dmp	upx
behavioral2/memory/3104-132-0x00007FF65B560000-0x00007FF65B8B4000-memory.dmp	upx
behavioral2/memory/2044-133-0x00007FF7A2CC0000-0x00007FF7A3014000-memory.dmp	upx
behavioral2/memory/1332-134-0x00007FF6DAC20000-0x00007FF6DAF74000-memory.dmp	upx
behavioral2/memory/3876-135-0x00007FF69C340000-0x00007FF69C694000-memory.dmp	upx
behavioral2/memory/4728-136-0x00007FF75A790000-0x00007FF75AAE4000-memory.dmp	upx
behavioral2/memory/4724-137-0x00007FF7C2140000-0x00007FF7C2494000-memory.dmp	upx
behavioral2/memory/3520-138-0x00007FF6A1310000-0x00007FF6A1664000-memory.dmp	upx
behavioral2/memory/3112-139-0x00007FF648970000-0x00007FF648CC4000-memory.dmp	upx
behavioral2/memory/4376-140-0x00007FF648470000-0x00007FF6487C4000-memory.dmp	upx
behavioral2/memory/3104-141-0x00007FF65B560000-0x00007FF65B8B4000-memory.dmp	upx
behavioral2/memory/4428-143-0x00007FF612AA0000-0x00007FF612DF4000-memory.dmp	upx
behavioral2/memory/3400-142-0x00007FF73F4A0000-0x00007FF73F7F4000-memory.dmp	upx
behavioral2/memory/2760-145-0x00007FF7D39A0000-0x00007FF7D3CF4000-memory.dmp	upx
behavioral2/memory/2044-144-0x00007FF7A2CC0000-0x00007FF7A3014000-memory.dmp	upx
behavioral2/memory/3504-148-0x00007FF72BF50000-0x00007FF72C2A4000-memory.dmp	upx
behavioral2/memory/1300-147-0x00007FF7D6190000-0x00007FF7D64E4000-memory.dmp	upx
behavioral2/memory/768-146-0x00007FF771400000-0x00007FF771754000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\wsHtRUV.exe	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\CInvwtP.exe	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\atGHQUm.exe	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\pFmueGc.exe	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\JPvebdZ.exe	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\TUUbGEM.exe	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\NbudblI.exe	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\FyfOODq.exe	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\BJQwgNw.exe	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\lSSpNQv.exe	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\YVnprWf.exe	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\BXJwHpS.exe	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\SfxPLmk.exe	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\FLnUYvm.exe	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ndCeNYZ.exe	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\JZKhGDV.exe	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\wTvkNKO.exe	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\qZFmufH.exe	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ZjuifcE.exe	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\bfccjiH.exe	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\rwuERGx.exe	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	924	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	924	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 924 wrote to memory of 4724	924	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe	84
PID 924 wrote to memory of 4724	924	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe	84
PID 924 wrote to memory of 3520	924	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe	85
PID 924 wrote to memory of 3520	924	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe	85
PID 924 wrote to memory of 3112	924	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe	86
PID 924 wrote to memory of 3112	924	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe	86
PID 924 wrote to memory of 4376	924	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe	87
PID 924 wrote to memory of 4376	924	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe	87
PID 924 wrote to memory of 3104	924	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe	88
PID 924 wrote to memory of 3104	924	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe	88
PID 924 wrote to memory of 2760	924	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe	89
PID 924 wrote to memory of 2760	924	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe	89
PID 924 wrote to memory of 2044	924	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe	90
PID 924 wrote to memory of 2044	924	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe	90
PID 924 wrote to memory of 4428	924	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe	91
PID 924 wrote to memory of 4428	924	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe	91
PID 924 wrote to memory of 3400	924	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe	92
PID 924 wrote to memory of 3400	924	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe	92
PID 924 wrote to memory of 1300	924	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe	93
PID 924 wrote to memory of 1300	924	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe	93
PID 924 wrote to memory of 768	924	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe	94
PID 924 wrote to memory of 768	924	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe	94
PID 924 wrote to memory of 3504	924	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe	95
PID 924 wrote to memory of 3504	924	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe	95
PID 924 wrote to memory of 3108	924	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe	96
PID 924 wrote to memory of 3108	924	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe	96
PID 924 wrote to memory of 624	924	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe	97
PID 924 wrote to memory of 624	924	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe	97
PID 924 wrote to memory of 1332	924	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe	98
PID 924 wrote to memory of 1332	924	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe	98
PID 924 wrote to memory of 3876	924	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe	99
PID 924 wrote to memory of 3876	924	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe	99
PID 924 wrote to memory of 4504	924	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe	100
PID 924 wrote to memory of 4504	924	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe	100
PID 924 wrote to memory of 2548	924	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe	101
PID 924 wrote to memory of 2548	924	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe	101
PID 924 wrote to memory of 1740	924	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe	102
PID 924 wrote to memory of 1740	924	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe	102
PID 924 wrote to memory of 4728	924	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe	103
PID 924 wrote to memory of 4728	924	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe	103
PID 924 wrote to memory of 3144	924	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe	104
PID 924 wrote to memory of 3144	924	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe	104

C:\Users\Admin\AppData\Local\Temp\2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:924
- C:\Windows\System\NbudblI.exe
  C:\Windows\System\NbudblI.exe
  2⤵
  - Executes dropped EXE
  PID:4724
- C:\Windows\System\wsHtRUV.exe
  C:\Windows\System\wsHtRUV.exe
  2⤵
  - Executes dropped EXE
  PID:3520
- C:\Windows\System\YVnprWf.exe
  C:\Windows\System\YVnprWf.exe
  2⤵
  - Executes dropped EXE
  PID:3112
- C:\Windows\System\BXJwHpS.exe
  C:\Windows\System\BXJwHpS.exe
  2⤵
  - Executes dropped EXE
  PID:4376
- C:\Windows\System\FyfOODq.exe
  C:\Windows\System\FyfOODq.exe
  2⤵
  - Executes dropped EXE
  PID:3104
- C:\Windows\System\SfxPLmk.exe
  C:\Windows\System\SfxPLmk.exe
  2⤵
  - Executes dropped EXE
  PID:2760
- C:\Windows\System\FLnUYvm.exe
  C:\Windows\System\FLnUYvm.exe
  2⤵
  - Executes dropped EXE
  PID:2044
- C:\Windows\System\CInvwtP.exe
  C:\Windows\System\CInvwtP.exe
  2⤵
  - Executes dropped EXE
  PID:4428
- C:\Windows\System\ndCeNYZ.exe
  C:\Windows\System\ndCeNYZ.exe
  2⤵
  - Executes dropped EXE
  PID:3400
- C:\Windows\System\atGHQUm.exe
  C:\Windows\System\atGHQUm.exe
  2⤵
  - Executes dropped EXE
  PID:1300
- C:\Windows\System\BJQwgNw.exe
  C:\Windows\System\BJQwgNw.exe
  2⤵
  - Executes dropped EXE
  PID:768
- C:\Windows\System\JZKhGDV.exe
  C:\Windows\System\JZKhGDV.exe
  2⤵
  - Executes dropped EXE
  PID:3504
- C:\Windows\System\pFmueGc.exe
  C:\Windows\System\pFmueGc.exe
  2⤵
  - Executes dropped EXE
  PID:3108
- C:\Windows\System\wTvkNKO.exe
  C:\Windows\System\wTvkNKO.exe
  2⤵
  - Executes dropped EXE
  PID:624
- C:\Windows\System\ZjuifcE.exe
  C:\Windows\System\ZjuifcE.exe
  2⤵
  - Executes dropped EXE
  PID:1332
- C:\Windows\System\lSSpNQv.exe
  C:\Windows\System\lSSpNQv.exe
  2⤵
  - Executes dropped EXE
  PID:3876
- C:\Windows\System\JPvebdZ.exe
  C:\Windows\System\JPvebdZ.exe
  2⤵
  - Executes dropped EXE
  PID:4504
- C:\Windows\System\TUUbGEM.exe
  C:\Windows\System\TUUbGEM.exe
  2⤵
  - Executes dropped EXE
  PID:2548
- C:\Windows\System\bfccjiH.exe
  C:\Windows\System\bfccjiH.exe
  2⤵
  - Executes dropped EXE
  PID:1740
- C:\Windows\System\qZFmufH.exe
  C:\Windows\System\qZFmufH.exe
  2⤵
  - Executes dropped EXE
  PID:4728
- C:\Windows\System\rwuERGx.exe
  C:\Windows\System\rwuERGx.exe
  2⤵
  - Executes dropped EXE
  PID:3144

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\BJQwgNw.exe

Filesize
5.9MB

MD5
26f1d865187a9dbcb5de3836ad042b1d

SHA1
6c1ee97a7ae000d2df3b1ef78717659cd1195f5a

SHA256
aa8dac382e130cdebf5d4752afbc07a6392d1266bfa47880198fd51fb67c5a5b

SHA512
a8f670784183a1e5458447e000eb3dd9c490f361ebef7eabbcee207b3e20808ae127446537ded3f4f1b7da68340d50d16867506688c2b44e091dd19ff4e71d47

Download Submit
C:\Windows\System\BXJwHpS.exe

Filesize
5.9MB

MD5
5fe09abb34b7b147ccfe1b468a8113d9

SHA1
cf1b9bb513dfb2e927d4c1a7d5483712ba3c5fd1

SHA256
7350cebb6e395f2eafcda0df51ab0057c29ec17ffaa86da6436fbeab35a56a20

SHA512
0eb41a57863fbe1125066932cd07cae0630b8b63d4256050a7aa40d7061723146615ca6d89fa572bcb6cbf5bec172e6b31e33683f5459027901aa395ea37818a

Download Submit
C:\Windows\System\CInvwtP.exe

Filesize
5.9MB

MD5
a7a3d46da961acc7f87cb4f9cba78309

SHA1
b492f5121552701642c302a43c9323e9335ecd3a

SHA256
b7b6331bbe98809a97b52c43a01f4913df541c36cf751947b4c9a8be287bfa85

SHA512
1b262a20804046a6fae47e9a4791bcc9183b2f2354b9ce582d024985e72493580a3d6134f093585b6fb46a4ad08f63a15fa92ba2aaa9d877e02c79fae140ea7a

Download Submit
C:\Windows\System\FLnUYvm.exe

Filesize
5.9MB

MD5
4b5df2b2997ce109e66e6feb873db1ec

SHA1
7436cf8f549a5839ce2074340d29c079cb20dfc1

SHA256
dff5d280d7a4059f48960d9c5da219431a35b4530fa462fe1fec69413fbf90fd

SHA512
3ead9419f42c7742140d9ad120ca982a832d8b217b168c3a6a7738ed26e11f8cba659d0972b0cb39cfef436943655ac1e6cf1f74c684930ffaf4efe959eac6ce

Download Submit
C:\Windows\System\FyfOODq.exe

Filesize
5.9MB

MD5
40b4146ca9f944c6e5ecbc1bb171f2d6

SHA1
9b79fb6c8c3284a82bcb309094b29775c8b53398

SHA256
94b116cf355064f4684f0f679927ada612c86ee3ef60767c5fe960632ac5ba0a

SHA512
5dc021524c81d1afdb2d1d8d8d77b1f1c50945e4e39cc5b9450a356c7a1863400c30ecb6152777bf248a8d49056bda7facf6841aca6efa8cb605e9e2483c4cc3

Download Submit
C:\Windows\System\JPvebdZ.exe

Filesize
5.9MB

MD5
4baa30c1a49255ba2e538e87dbc383e6

SHA1
3ce9abc71a4c4a22d1f32fe0c424007d7620612c

SHA256
4ef317395185afcffb0e7c315c19186a468a17885f7307ff89f2e1718dd1b151

SHA512
0aef0bbb58c050d39abd87ab12d466b87cd55c908cddfb955b0d38902a6ff54f0e7cdb38885938e882d70916dee69bafd6df57b64734145da2537b484380cd18

Download Submit
C:\Windows\System\JZKhGDV.exe

Filesize
5.9MB

MD5
b19129daa0250d8aa76aff0e62464fa9

SHA1
c621619b376e1c755fac013976fe73082d07e481

SHA256
6d79d3cbfbaff03f00e6c5be705ee551b645a86c9554ecd3e0d458559ca1ac2d

SHA512
327bc337cf6a00388ce99006b1efe21fdebdd665acfd16f833e4fa285484875bc4986353bde326fa33783c6650d4924b0a2c0aee951357d6099ab9d8dfef6f67

Download Submit
C:\Windows\System\NbudblI.exe

Filesize
5.9MB

MD5
f3352ce4c172be0657463b5d89c69cda

SHA1
98b0905e004eaf5922a509ae6d9dca0fa317eea9

SHA256
9fd2dc1ac4695530c623dbf58d81d641b6d9a742594cf51b7f6bedefccc9ce3c

SHA512
68bbd6b3fccea2d8a06bc33ff43d8e95472e93cc70692c6a8a802f011e6343d7093d5db4106dd68a1055612b7fa7c809a1b2a0ca5b10f911ac85487e97f8781c

Download Submit
C:\Windows\System\SfxPLmk.exe

Filesize
5.9MB

MD5
36b151abfa9442204b6d7d146d7b02f9

SHA1
68515ed5f0fd3987ef0a44db6cf5057744f77a19

SHA256
a3b33d593fdf534fc99f7f2d76922501bee6efd3bd15e396e590d248095fc5d3

SHA512
758a05631fe182cf5f5419b961859be1d29711f9036e4b3265240de9b2c3615d4ee4ea07b6655312659c1772a303598e97f4f463349221a911e35e01af2326b1

Download Submit
C:\Windows\System\TUUbGEM.exe

Filesize
5.9MB

MD5
b92ad4031071711e638346ddb8c3e492

SHA1
b95e75c687c3b6a48bec810e96508156ba23468c

SHA256
5b44134fb474a062301d8beeb92f645e9acfa911c59866b30e99a6fe1521b5c5

SHA512
c6a414be7f89a6cd46225891f322582939b23d71a4e1d156e666824f7c94576915202756a2c27ab296f2de8495f35e6c96a3a116294f637c65c58bf5b995e9bb

Download Submit
C:\Windows\System\YVnprWf.exe

Filesize
5.9MB

MD5
e53e73060800e97cba05f1b0d721a0b2

SHA1
f9383344477deb5debe8d912673f7b859a9003a5

SHA256
b089e193a37a05ad66771672033ce473651b175dc0d290bdc47ad38a5ce5bcbb

SHA512
28660a53150df3c7b2af5318ef67ae10c4aefeca2e41d158a3a42631115a5e4efc98a2867c358a88910957ccdce414f0894d05d392fc4f423e9e9e7aa0796307

Download Submit
C:\Windows\System\ZjuifcE.exe

Filesize
5.9MB

MD5
9aec43a63ab75efcbe18fb4d461ca8d4

SHA1
88a40829a8d465259e2181e2805e93af222c2e7a

SHA256
b8e5bf0f5f2b008a237723a3945a3be561282e998fa4232ce1c4b73bf2fa8b7f

SHA512
cad132ccfe55006c4968a7bbdec6b4cb17df11c23c0e95cf2dcdbd06973481b29806acaf17836dc768938d5ea3f5896f60ad401e79c8b12016283e03570afa85

Download Submit
C:\Windows\System\atGHQUm.exe

Filesize
5.9MB

MD5
9aa2c6117b710db8fb4a039c17e09fff

SHA1
614c3da586068f98bccbe63fce7707478cf0e8da

SHA256
0a0cb661aea779d47d7b963e4ccd934b11906f0dc5e3a950a68ad96e71a0044c

SHA512
a291252819305886ae5114f5a3a1125941d8d8e9a5ff7029cfc4c364577dd758533d1cd60fbe544d4b271eae26be7821a94be81cf23ca7769fc880d184104137

Download Submit
C:\Windows\System\bfccjiH.exe

Filesize
5.9MB

MD5
0fbd435fc21020e0cb743b460238ec83

SHA1
657e1792b90f25a774176f4adc22281602fbc16c

SHA256
cefa5c70bc7a723e60298a326bc67a5d470e561cf8b87bee7164339d5e5a1a83

SHA512
b8cf52f45b0527f718fb4eab9f679b7eea2fd1f975bda57bc2acda60aa0bcd14436baf415640966be539c9d642d656853b01312cec30d28f74196a883602474b

Download Submit
C:\Windows\System\lSSpNQv.exe

Filesize
5.9MB

MD5
ed1ba7ef83a121445b4e3a1b905585ed

SHA1
ec278959e0ba710f70ec6089f74eb89576676856

SHA256
68cee38f3211102df3dc1533da17b1e36bd1766bf525826b38e0aaae62136173

SHA512
f56312948051c1a6fc8f02d1632c619f828e1464d27827e12c859c3fa18d90886aafebcd46b41e2df9af63625c249dcd77e350964f10a3e789d72a83e6a64cea

Download Submit
C:\Windows\System\ndCeNYZ.exe

Filesize
5.9MB

MD5
e43d79c133534d0db56557df6bb1a8de

SHA1
ed08ed9aa22abcbb0a7ba32ca1c2ac887185b6ff

SHA256
3d19427dad55dc955f6d8912ca8b5d91f8bc8ad03a343c886b1413e1e5fef771

SHA512
2bd0705f95df75c5a97170346d5ef51b22c5f9645e836f79e507e92f186e5201eb919f0a3130931ae735fc49a6003971a731476eb4967ec00e1e0e092af2c629

Download Submit
C:\Windows\System\pFmueGc.exe

Filesize
5.9MB

MD5
702ff1fb8fa2c471ef0c5a838ccfc724

SHA1
feebfbccc97cf4615fd31bcd87bf37b61fb417ab

SHA256
49ac8a63cefa6f8e51f435e7cd52180f7df681ec644b11222c9e66cfbc143568

SHA512
2250cb6dcf45caf1e165b0be7498d70f7240298e6ba6cc8f9f898ff89a3ad7c84a397a7d6daabf7851954f4d51311b79c10121e8928a618fc9866d77b998fa0b

Download Submit
C:\Windows\System\qZFmufH.exe

Filesize
5.9MB

MD5
b93009230e258dcbe468410d0c2359f8

SHA1
59cf9771cde658cf59637102186f1c88f4bcec63

SHA256
2265cb0e33123623ae71ac965cefd02620a2b75b1d1a582291b481ebfbda5886

SHA512
9cc6d3f6b691cad5b2a1a57848c4e1c15612481f48c0fb6967974d01098591ad08036ca512578d212dedae7cea9af908b0ad197e3a24918b3c84ecc7f058de72

Download Submit
C:\Windows\System\rwuERGx.exe

Filesize
5.9MB

MD5
70a8bc52ffd09a80adc8ca58b37ea3eb

SHA1
c2be379d8b66a9a8918895b28b05472463256402

SHA256
cc79da4dbe5e640ba4d41fa345713e3d131e83b7244f5cd31507a727d7507300

SHA512
942ce88e4077c15ab85986f019d9d2df9df7d04baf4500bb7892494e84ce3274a03add6a99eeb7d13974a9eda231872d80344037083476e16ac0067865b0f8b8

Download Submit
C:\Windows\System\wTvkNKO.exe

Filesize
5.9MB

MD5
bc0ade021424d0463f09f232610a9900

SHA1
c84cfbad95762b1c94b78f8736c832e869d8fc3b

SHA256
113b3b0ce47ed9461067be1a0a40363cff41fa4f9d92d7e140dfc79eb61fe0d9

SHA512
4a383e82582e411162e41e33a82d1fbee4b793a9d42b261230ae58ba82de3f8837014467ba5335ff9328f8a0ac3df488c2c3aa3a8db3fc76f61f423798f675db

Download Submit
C:\Windows\System\wsHtRUV.exe

Filesize
5.9MB

MD5
f12c20155a1833edc000321beb395ad1

SHA1
1942f45b142c77ca7eee2ce73202c5c5c7c04871

SHA256
ace3fc1de059fdad6ce7321b0fc682dcad4491edc8a3e7e2100e6eef36cdd59b

SHA512
5bb8dd1c40332abaf65ebcf17d5abaa9140a585adea03b613a274174c34e08dec2744f00e7688fa30f1fe8747209386689431d9ac8c0bb49749981f3b3417d32

Download Submit
memory/624-149-0x00007FF76A350000-0x00007FF76A6A4000-memory.dmp

Filesize
3.3MB

Download
memory/624-89-0x00007FF76A350000-0x00007FF76A6A4000-memory.dmp

Filesize
3.3MB

Download
memory/768-86-0x00007FF771400000-0x00007FF771754000-memory.dmp

Filesize
3.3MB

Download
memory/768-146-0x00007FF771400000-0x00007FF771754000-memory.dmp

Filesize
3.3MB

Download
memory/924-0-0x00007FF64A6C0000-0x00007FF64AA14000-memory.dmp

Filesize
3.3MB

Download
memory/924-116-0x00007FF64A6C0000-0x00007FF64AA14000-memory.dmp

Filesize
3.3MB

Download
memory/924-1-0x000001ECA09F0000-0x000001ECA0A00000-memory.dmp

Filesize
64KB

Download
memory/1300-147-0x00007FF7D6190000-0x00007FF7D64E4000-memory.dmp

Filesize
3.3MB

Download
memory/1300-85-0x00007FF7D6190000-0x00007FF7D64E4000-memory.dmp

Filesize
3.3MB

Download
memory/1332-151-0x00007FF6DAC20000-0x00007FF6DAF74000-memory.dmp

Filesize
3.3MB

Download
memory/1332-90-0x00007FF6DAC20000-0x00007FF6DAF74000-memory.dmp

Filesize
3.3MB

Download
memory/1332-134-0x00007FF6DAC20000-0x00007FF6DAF74000-memory.dmp

Filesize
3.3MB

Download
memory/1740-155-0x00007FF6EF170000-0x00007FF6EF4C4000-memory.dmp

Filesize
3.3MB

Download
memory/1740-117-0x00007FF6EF170000-0x00007FF6EF4C4000-memory.dmp

Filesize
3.3MB

Download
memory/2044-144-0x00007FF7A2CC0000-0x00007FF7A3014000-memory.dmp

Filesize
3.3MB

Download
memory/2044-133-0x00007FF7A2CC0000-0x00007FF7A3014000-memory.dmp

Filesize
3.3MB

Download
memory/2044-83-0x00007FF7A2CC0000-0x00007FF7A3014000-memory.dmp

Filesize
3.3MB

Download
memory/2548-154-0x00007FF72B510000-0x00007FF72B864000-memory.dmp

Filesize
3.3MB

Download
memory/2548-110-0x00007FF72B510000-0x00007FF72B864000-memory.dmp

Filesize
3.3MB

Download
memory/2760-145-0x00007FF7D39A0000-0x00007FF7D3CF4000-memory.dmp

Filesize
3.3MB

Download
memory/2760-92-0x00007FF7D39A0000-0x00007FF7D3CF4000-memory.dmp

Filesize
3.3MB

Download
memory/3104-141-0x00007FF65B560000-0x00007FF65B8B4000-memory.dmp

Filesize
3.3MB

Download
memory/3104-39-0x00007FF65B560000-0x00007FF65B8B4000-memory.dmp

Filesize
3.3MB

Download
memory/3104-132-0x00007FF65B560000-0x00007FF65B8B4000-memory.dmp

Filesize
3.3MB

Download
memory/3108-88-0x00007FF6AB5E0000-0x00007FF6AB934000-memory.dmp

Filesize
3.3MB

Download
memory/3108-150-0x00007FF6AB5E0000-0x00007FF6AB934000-memory.dmp

Filesize
3.3MB

Download
memory/3112-139-0x00007FF648970000-0x00007FF648CC4000-memory.dmp

Filesize
3.3MB

Download
memory/3112-23-0x00007FF648970000-0x00007FF648CC4000-memory.dmp

Filesize
3.3MB

Download
memory/3112-130-0x00007FF648970000-0x00007FF648CC4000-memory.dmp

Filesize
3.3MB

Download
memory/3144-129-0x00007FF604360000-0x00007FF6046B4000-memory.dmp

Filesize
3.3MB

Download
memory/3144-156-0x00007FF604360000-0x00007FF6046B4000-memory.dmp

Filesize
3.3MB

Download
memory/3400-84-0x00007FF73F4A0000-0x00007FF73F7F4000-memory.dmp

Filesize
3.3MB

Download
memory/3400-142-0x00007FF73F4A0000-0x00007FF73F7F4000-memory.dmp

Filesize
3.3MB

Download
memory/3504-87-0x00007FF72BF50000-0x00007FF72C2A4000-memory.dmp

Filesize
3.3MB

Download
memory/3504-148-0x00007FF72BF50000-0x00007FF72C2A4000-memory.dmp

Filesize
3.3MB

Download
memory/3520-138-0x00007FF6A1310000-0x00007FF6A1664000-memory.dmp

Filesize
3.3MB

Download
memory/3520-17-0x00007FF6A1310000-0x00007FF6A1664000-memory.dmp

Filesize
3.3MB

Download
memory/3876-91-0x00007FF69C340000-0x00007FF69C694000-memory.dmp

Filesize
3.3MB

Download
memory/3876-152-0x00007FF69C340000-0x00007FF69C694000-memory.dmp

Filesize
3.3MB

Download
memory/3876-135-0x00007FF69C340000-0x00007FF69C694000-memory.dmp

Filesize
3.3MB

Download
memory/4376-140-0x00007FF648470000-0x00007FF6487C4000-memory.dmp

Filesize
3.3MB

Download
memory/4376-30-0x00007FF648470000-0x00007FF6487C4000-memory.dmp

Filesize
3.3MB

Download
memory/4376-131-0x00007FF648470000-0x00007FF6487C4000-memory.dmp

Filesize
3.3MB

Download
memory/4428-93-0x00007FF612AA0000-0x00007FF612DF4000-memory.dmp

Filesize
3.3MB

Download
memory/4428-143-0x00007FF612AA0000-0x00007FF612DF4000-memory.dmp

Filesize
3.3MB

Download
memory/4504-104-0x00007FF72EEA0000-0x00007FF72F1F4000-memory.dmp

Filesize
3.3MB

Download
memory/4504-153-0x00007FF72EEA0000-0x00007FF72F1F4000-memory.dmp

Filesize
3.3MB

Download
memory/4724-8-0x00007FF7C2140000-0x00007FF7C2494000-memory.dmp

Filesize
3.3MB

Download
memory/4724-128-0x00007FF7C2140000-0x00007FF7C2494000-memory.dmp

Filesize
3.3MB

Download
memory/4724-137-0x00007FF7C2140000-0x00007FF7C2494000-memory.dmp

Filesize
3.3MB

Download
memory/4728-136-0x00007FF75A790000-0x00007FF75AAE4000-memory.dmp

Filesize
3.3MB

Download
memory/4728-122-0x00007FF75A790000-0x00007FF75AAE4000-memory.dmp

Filesize
3.3MB

Download
memory/4728-157-0x00007FF75A790000-0x00007FF75AAE4000-memory.dmp

Filesize
3.3MB

Download