cobaltstrike | 9276146a0daaea319db5b7861006417b8bc1a86051ee8dedd9ae4016549de96d

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
02/06/2024, 15:01

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe
Size

5.2MB
MD5

60bf0c1a92219729bb9232061c7e9445
SHA1

4bf1388359e5cd539330a6ee421aee3e7a355c30
SHA256

9276146a0daaea319db5b7861006417b8bc1a86051ee8dedd9ae4016549de96d
SHA512

10c9d8947987061888f7d5f864bec9c9c3f78b1a053413943ce0075b396a02e41de760510c974e78429d74fee419d1808e158eb94c81e3ecc8c7a38f79c2324e
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6l0:RWWBibf56utgpPFotBER/mQ32lU4

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000800000002326a-4.dat	cobalt_reflective_dll
behavioral2/files/0x000800000002326d-10.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023272-11.dat	cobalt_reflective_dll
behavioral2/files/0x000800000002326e-23.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023273-28.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023274-36.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023275-42.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023276-48.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023277-52.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023278-59.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002327a-71.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002327b-74.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002327c-78.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002327d-84.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002327e-89.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002327f-94.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023280-99.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023281-104.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023282-109.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023283-114.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023284-118.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

resource	yara_rule
behavioral2/files/0x000800000002326a-4.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000800000002326d-10.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0008000000023272-11.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000800000002326e-23.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023273-28.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023274-36.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023275-42.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023276-48.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023277-52.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023278-59.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002327a-71.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002327b-74.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002327c-78.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002327d-84.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002327e-89.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002327f-94.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023280-99.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023281-104.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023282-109.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023283-114.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023284-118.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

resource	yara_rule
behavioral2/memory/1972-0-0x00007FF70D6D0000-0x00007FF70DA21000-memory.dmp	UPX
behavioral2/files/0x000800000002326a-4.dat	UPX
behavioral2/memory/4016-8-0x00007FF71FEF0000-0x00007FF720241000-memory.dmp	UPX
behavioral2/files/0x000800000002326d-10.dat	UPX
behavioral2/memory/1216-13-0x00007FF69ABF0000-0x00007FF69AF41000-memory.dmp	UPX
behavioral2/files/0x0008000000023272-11.dat	UPX
behavioral2/memory/3576-20-0x00007FF7B9090000-0x00007FF7B93E1000-memory.dmp	UPX
behavioral2/files/0x000800000002326e-23.dat	UPX
behavioral2/files/0x0007000000023273-28.dat	UPX
behavioral2/memory/1724-25-0x00007FF607880000-0x00007FF607BD1000-memory.dmp	UPX
behavioral2/memory/5068-32-0x00007FF7CD4C0000-0x00007FF7CD811000-memory.dmp	UPX
behavioral2/files/0x0007000000023274-36.dat	UPX
behavioral2/files/0x0007000000023275-42.dat	UPX
behavioral2/memory/3304-40-0x00007FF629C30000-0x00007FF629F81000-memory.dmp	UPX
behavioral2/files/0x0007000000023276-48.dat	UPX
behavioral2/files/0x0007000000023277-52.dat	UPX
behavioral2/memory/228-50-0x00007FF7AC1A0000-0x00007FF7AC4F1000-memory.dmp	UPX
behavioral2/memory/3092-46-0x00007FF6FC0F0000-0x00007FF6FC441000-memory.dmp	UPX
behavioral2/files/0x0007000000023278-59.dat	UPX
behavioral2/memory/4984-61-0x00007FF6BDDC0000-0x00007FF6BE111000-memory.dmp	UPX
behavioral2/memory/912-66-0x00007FF6F2290000-0x00007FF6F25E1000-memory.dmp	UPX
behavioral2/memory/4016-67-0x00007FF71FEF0000-0x00007FF720241000-memory.dmp	UPX
behavioral2/files/0x000700000002327a-71.dat	UPX
behavioral2/files/0x000700000002327b-74.dat	UPX
behavioral2/files/0x000700000002327c-78.dat	UPX
behavioral2/files/0x000700000002327d-84.dat	UPX
behavioral2/files/0x000700000002327e-89.dat	UPX
behavioral2/files/0x000700000002327f-94.dat	UPX
behavioral2/files/0x0007000000023280-99.dat	UPX
behavioral2/files/0x0007000000023281-104.dat	UPX
behavioral2/files/0x0007000000023282-109.dat	UPX
behavioral2/files/0x0007000000023283-114.dat	UPX
behavioral2/files/0x0007000000023284-118.dat	UPX
behavioral2/memory/4640-68-0x00007FF636000000-0x00007FF636351000-memory.dmp	UPX
behavioral2/memory/1972-62-0x00007FF70D6D0000-0x00007FF70DA21000-memory.dmp	UPX
behavioral2/memory/5068-125-0x00007FF7CD4C0000-0x00007FF7CD811000-memory.dmp	UPX
behavioral2/memory/1724-124-0x00007FF607880000-0x00007FF607BD1000-memory.dmp	UPX
behavioral2/memory/228-128-0x00007FF7AC1A0000-0x00007FF7AC4F1000-memory.dmp	UPX
behavioral2/memory/1216-122-0x00007FF69ABF0000-0x00007FF69AF41000-memory.dmp	UPX
behavioral2/memory/796-132-0x00007FF7D48B0000-0x00007FF7D4C01000-memory.dmp	UPX
behavioral2/memory/1568-133-0x00007FF613750000-0x00007FF613AA1000-memory.dmp	UPX
behavioral2/memory/4640-131-0x00007FF636000000-0x00007FF636351000-memory.dmp	UPX
behavioral2/memory/1972-120-0x00007FF70D6D0000-0x00007FF70DA21000-memory.dmp	UPX
behavioral2/memory/3864-134-0x00007FF6D8180000-0x00007FF6D84D1000-memory.dmp	UPX
behavioral2/memory/1440-137-0x00007FF68C880000-0x00007FF68CBD1000-memory.dmp	UPX
behavioral2/memory/4452-136-0x00007FF648270000-0x00007FF6485C1000-memory.dmp	UPX
behavioral2/memory/4348-139-0x00007FF714F50000-0x00007FF7152A1000-memory.dmp	UPX
behavioral2/memory/4520-135-0x00007FF77C360000-0x00007FF77C6B1000-memory.dmp	UPX
behavioral2/memory/3100-138-0x00007FF6DC230000-0x00007FF6DC581000-memory.dmp	UPX
behavioral2/memory/2496-140-0x00007FF7614E0000-0x00007FF761831000-memory.dmp	UPX
behavioral2/memory/3188-141-0x00007FF67E9E0000-0x00007FF67ED31000-memory.dmp	UPX
behavioral2/memory/1972-142-0x00007FF70D6D0000-0x00007FF70DA21000-memory.dmp	UPX
behavioral2/memory/4016-190-0x00007FF71FEF0000-0x00007FF720241000-memory.dmp	UPX
behavioral2/memory/1216-192-0x00007FF69ABF0000-0x00007FF69AF41000-memory.dmp	UPX
behavioral2/memory/3576-194-0x00007FF7B9090000-0x00007FF7B93E1000-memory.dmp	UPX
behavioral2/memory/1724-196-0x00007FF607880000-0x00007FF607BD1000-memory.dmp	UPX
behavioral2/memory/5068-198-0x00007FF7CD4C0000-0x00007FF7CD811000-memory.dmp	UPX
behavioral2/memory/3304-203-0x00007FF629C30000-0x00007FF629F81000-memory.dmp	UPX
behavioral2/memory/3092-205-0x00007FF6FC0F0000-0x00007FF6FC441000-memory.dmp	UPX
behavioral2/memory/228-207-0x00007FF7AC1A0000-0x00007FF7AC4F1000-memory.dmp	UPX
behavioral2/memory/4984-209-0x00007FF6BDDC0000-0x00007FF6BE111000-memory.dmp	UPX
behavioral2/memory/912-211-0x00007FF6F2290000-0x00007FF6F25E1000-memory.dmp	UPX
behavioral2/memory/4640-213-0x00007FF636000000-0x00007FF636351000-memory.dmp	UPX
behavioral2/memory/1568-216-0x00007FF613750000-0x00007FF613AA1000-memory.dmp	UPX

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral2/memory/3576-20-0x00007FF7B9090000-0x00007FF7B93E1000-memory.dmp	xmrig
behavioral2/memory/3304-40-0x00007FF629C30000-0x00007FF629F81000-memory.dmp	xmrig
behavioral2/memory/3092-46-0x00007FF6FC0F0000-0x00007FF6FC441000-memory.dmp	xmrig
behavioral2/memory/4984-61-0x00007FF6BDDC0000-0x00007FF6BE111000-memory.dmp	xmrig
behavioral2/memory/912-66-0x00007FF6F2290000-0x00007FF6F25E1000-memory.dmp	xmrig
behavioral2/memory/4016-67-0x00007FF71FEF0000-0x00007FF720241000-memory.dmp	xmrig
behavioral2/memory/1972-62-0x00007FF70D6D0000-0x00007FF70DA21000-memory.dmp	xmrig
behavioral2/memory/5068-125-0x00007FF7CD4C0000-0x00007FF7CD811000-memory.dmp	xmrig
behavioral2/memory/1724-124-0x00007FF607880000-0x00007FF607BD1000-memory.dmp	xmrig
behavioral2/memory/228-128-0x00007FF7AC1A0000-0x00007FF7AC4F1000-memory.dmp	xmrig
behavioral2/memory/1216-122-0x00007FF69ABF0000-0x00007FF69AF41000-memory.dmp	xmrig
behavioral2/memory/796-132-0x00007FF7D48B0000-0x00007FF7D4C01000-memory.dmp	xmrig
behavioral2/memory/1568-133-0x00007FF613750000-0x00007FF613AA1000-memory.dmp	xmrig
behavioral2/memory/4640-131-0x00007FF636000000-0x00007FF636351000-memory.dmp	xmrig
behavioral2/memory/1972-120-0x00007FF70D6D0000-0x00007FF70DA21000-memory.dmp	xmrig
behavioral2/memory/3864-134-0x00007FF6D8180000-0x00007FF6D84D1000-memory.dmp	xmrig
behavioral2/memory/1440-137-0x00007FF68C880000-0x00007FF68CBD1000-memory.dmp	xmrig
behavioral2/memory/4452-136-0x00007FF648270000-0x00007FF6485C1000-memory.dmp	xmrig
behavioral2/memory/4348-139-0x00007FF714F50000-0x00007FF7152A1000-memory.dmp	xmrig
behavioral2/memory/4520-135-0x00007FF77C360000-0x00007FF77C6B1000-memory.dmp	xmrig
behavioral2/memory/3100-138-0x00007FF6DC230000-0x00007FF6DC581000-memory.dmp	xmrig
behavioral2/memory/2496-140-0x00007FF7614E0000-0x00007FF761831000-memory.dmp	xmrig
behavioral2/memory/3188-141-0x00007FF67E9E0000-0x00007FF67ED31000-memory.dmp	xmrig
behavioral2/memory/1972-142-0x00007FF70D6D0000-0x00007FF70DA21000-memory.dmp	xmrig
behavioral2/memory/4016-190-0x00007FF71FEF0000-0x00007FF720241000-memory.dmp	xmrig
behavioral2/memory/1216-192-0x00007FF69ABF0000-0x00007FF69AF41000-memory.dmp	xmrig
behavioral2/memory/3576-194-0x00007FF7B9090000-0x00007FF7B93E1000-memory.dmp	xmrig
behavioral2/memory/1724-196-0x00007FF607880000-0x00007FF607BD1000-memory.dmp	xmrig
behavioral2/memory/5068-198-0x00007FF7CD4C0000-0x00007FF7CD811000-memory.dmp	xmrig
behavioral2/memory/3304-203-0x00007FF629C30000-0x00007FF629F81000-memory.dmp	xmrig
behavioral2/memory/3092-205-0x00007FF6FC0F0000-0x00007FF6FC441000-memory.dmp	xmrig
behavioral2/memory/228-207-0x00007FF7AC1A0000-0x00007FF7AC4F1000-memory.dmp	xmrig
behavioral2/memory/4984-209-0x00007FF6BDDC0000-0x00007FF6BE111000-memory.dmp	xmrig
behavioral2/memory/912-211-0x00007FF6F2290000-0x00007FF6F25E1000-memory.dmp	xmrig
behavioral2/memory/4640-213-0x00007FF636000000-0x00007FF636351000-memory.dmp	xmrig
behavioral2/memory/1568-216-0x00007FF613750000-0x00007FF613AA1000-memory.dmp	xmrig
behavioral2/memory/796-217-0x00007FF7D48B0000-0x00007FF7D4C01000-memory.dmp	xmrig
behavioral2/memory/3864-221-0x00007FF6D8180000-0x00007FF6D84D1000-memory.dmp	xmrig
behavioral2/memory/1440-225-0x00007FF68C880000-0x00007FF68CBD1000-memory.dmp	xmrig
behavioral2/memory/4520-223-0x00007FF77C360000-0x00007FF77C6B1000-memory.dmp	xmrig
behavioral2/memory/4452-220-0x00007FF648270000-0x00007FF6485C1000-memory.dmp	xmrig
behavioral2/memory/3188-229-0x00007FF67E9E0000-0x00007FF67ED31000-memory.dmp	xmrig
behavioral2/memory/4348-233-0x00007FF714F50000-0x00007FF7152A1000-memory.dmp	xmrig
behavioral2/memory/2496-232-0x00007FF7614E0000-0x00007FF761831000-memory.dmp	xmrig
behavioral2/memory/3100-231-0x00007FF6DC230000-0x00007FF6DC581000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
4016	czSeTGB.exe
1216	OLniSVd.exe
3576	WKhDgqb.exe
1724	PaWmBoS.exe
5068	xvzVDbq.exe
3304	WbpWkBO.exe
3092	tDYZmYw.exe
228	JmgvKCp.exe
4984	NbAkVOp.exe
912	taGzSGf.exe
4640	WFuxvXR.exe
796	OWCllxY.exe
1568	UWakrxO.exe
3864	PhGwHsm.exe
4520	aVmixyP.exe
4452	yPwMBPN.exe
1440	dWjTKyg.exe
3100	KLivjdl.exe
4348	UfOjyHh.exe
2496	myMjFlw.exe
3188	lptmEJj.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1972-0-0x00007FF70D6D0000-0x00007FF70DA21000-memory.dmp	upx
behavioral2/files/0x000800000002326a-4.dat	upx
behavioral2/memory/4016-8-0x00007FF71FEF0000-0x00007FF720241000-memory.dmp	upx
behavioral2/files/0x000800000002326d-10.dat	upx
behavioral2/memory/1216-13-0x00007FF69ABF0000-0x00007FF69AF41000-memory.dmp	upx
behavioral2/files/0x0008000000023272-11.dat	upx
behavioral2/memory/3576-20-0x00007FF7B9090000-0x00007FF7B93E1000-memory.dmp	upx
behavioral2/files/0x000800000002326e-23.dat	upx
behavioral2/files/0x0007000000023273-28.dat	upx
behavioral2/memory/1724-25-0x00007FF607880000-0x00007FF607BD1000-memory.dmp	upx
behavioral2/memory/5068-32-0x00007FF7CD4C0000-0x00007FF7CD811000-memory.dmp	upx
behavioral2/files/0x0007000000023274-36.dat	upx
behavioral2/files/0x0007000000023275-42.dat	upx
behavioral2/memory/3304-40-0x00007FF629C30000-0x00007FF629F81000-memory.dmp	upx
behavioral2/files/0x0007000000023276-48.dat	upx
behavioral2/files/0x0007000000023277-52.dat	upx
behavioral2/memory/228-50-0x00007FF7AC1A0000-0x00007FF7AC4F1000-memory.dmp	upx
behavioral2/memory/3092-46-0x00007FF6FC0F0000-0x00007FF6FC441000-memory.dmp	upx
behavioral2/files/0x0007000000023278-59.dat	upx
behavioral2/memory/4984-61-0x00007FF6BDDC0000-0x00007FF6BE111000-memory.dmp	upx
behavioral2/memory/912-66-0x00007FF6F2290000-0x00007FF6F25E1000-memory.dmp	upx
behavioral2/memory/4016-67-0x00007FF71FEF0000-0x00007FF720241000-memory.dmp	upx
behavioral2/files/0x000700000002327a-71.dat	upx
behavioral2/files/0x000700000002327b-74.dat	upx
behavioral2/files/0x000700000002327c-78.dat	upx
behavioral2/files/0x000700000002327d-84.dat	upx
behavioral2/files/0x000700000002327e-89.dat	upx
behavioral2/files/0x000700000002327f-94.dat	upx
behavioral2/files/0x0007000000023280-99.dat	upx
behavioral2/files/0x0007000000023281-104.dat	upx
behavioral2/files/0x0007000000023282-109.dat	upx
behavioral2/files/0x0007000000023283-114.dat	upx
behavioral2/files/0x0007000000023284-118.dat	upx
behavioral2/memory/4640-68-0x00007FF636000000-0x00007FF636351000-memory.dmp	upx
behavioral2/memory/1972-62-0x00007FF70D6D0000-0x00007FF70DA21000-memory.dmp	upx
behavioral2/memory/5068-125-0x00007FF7CD4C0000-0x00007FF7CD811000-memory.dmp	upx
behavioral2/memory/1724-124-0x00007FF607880000-0x00007FF607BD1000-memory.dmp	upx
behavioral2/memory/228-128-0x00007FF7AC1A0000-0x00007FF7AC4F1000-memory.dmp	upx
behavioral2/memory/1216-122-0x00007FF69ABF0000-0x00007FF69AF41000-memory.dmp	upx
behavioral2/memory/796-132-0x00007FF7D48B0000-0x00007FF7D4C01000-memory.dmp	upx
behavioral2/memory/1568-133-0x00007FF613750000-0x00007FF613AA1000-memory.dmp	upx
behavioral2/memory/4640-131-0x00007FF636000000-0x00007FF636351000-memory.dmp	upx
behavioral2/memory/1972-120-0x00007FF70D6D0000-0x00007FF70DA21000-memory.dmp	upx
behavioral2/memory/3864-134-0x00007FF6D8180000-0x00007FF6D84D1000-memory.dmp	upx
behavioral2/memory/1440-137-0x00007FF68C880000-0x00007FF68CBD1000-memory.dmp	upx
behavioral2/memory/4452-136-0x00007FF648270000-0x00007FF6485C1000-memory.dmp	upx
behavioral2/memory/4348-139-0x00007FF714F50000-0x00007FF7152A1000-memory.dmp	upx
behavioral2/memory/4520-135-0x00007FF77C360000-0x00007FF77C6B1000-memory.dmp	upx
behavioral2/memory/3100-138-0x00007FF6DC230000-0x00007FF6DC581000-memory.dmp	upx
behavioral2/memory/2496-140-0x00007FF7614E0000-0x00007FF761831000-memory.dmp	upx
behavioral2/memory/3188-141-0x00007FF67E9E0000-0x00007FF67ED31000-memory.dmp	upx
behavioral2/memory/1972-142-0x00007FF70D6D0000-0x00007FF70DA21000-memory.dmp	upx
behavioral2/memory/4016-190-0x00007FF71FEF0000-0x00007FF720241000-memory.dmp	upx
behavioral2/memory/1216-192-0x00007FF69ABF0000-0x00007FF69AF41000-memory.dmp	upx
behavioral2/memory/3576-194-0x00007FF7B9090000-0x00007FF7B93E1000-memory.dmp	upx
behavioral2/memory/1724-196-0x00007FF607880000-0x00007FF607BD1000-memory.dmp	upx
behavioral2/memory/5068-198-0x00007FF7CD4C0000-0x00007FF7CD811000-memory.dmp	upx
behavioral2/memory/3304-203-0x00007FF629C30000-0x00007FF629F81000-memory.dmp	upx
behavioral2/memory/3092-205-0x00007FF6FC0F0000-0x00007FF6FC441000-memory.dmp	upx
behavioral2/memory/228-207-0x00007FF7AC1A0000-0x00007FF7AC4F1000-memory.dmp	upx
behavioral2/memory/4984-209-0x00007FF6BDDC0000-0x00007FF6BE111000-memory.dmp	upx
behavioral2/memory/912-211-0x00007FF6F2290000-0x00007FF6F25E1000-memory.dmp	upx
behavioral2/memory/4640-213-0x00007FF636000000-0x00007FF636351000-memory.dmp	upx
behavioral2/memory/1568-216-0x00007FF613750000-0x00007FF613AA1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\OLniSVd.exe	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\tDYZmYw.exe	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\NbAkVOp.exe	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\KLivjdl.exe	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\JmgvKCp.exe	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\myMjFlw.exe	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\lptmEJj.exe	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\UWakrxO.exe	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\aVmixyP.exe	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\yPwMBPN.exe	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\czSeTGB.exe	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\xvzVDbq.exe	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\WbpWkBO.exe	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\WFuxvXR.exe	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\OWCllxY.exe	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\UfOjyHh.exe	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\WKhDgqb.exe	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\PaWmBoS.exe	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\taGzSGf.exe	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\PhGwHsm.exe	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\dWjTKyg.exe	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1972	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	1972	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 4016	1972	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe	92
PID 1972 wrote to memory of 4016	1972	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe	92
PID 1972 wrote to memory of 1216	1972	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe	93
PID 1972 wrote to memory of 1216	1972	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe	93
PID 1972 wrote to memory of 3576	1972	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe	94
PID 1972 wrote to memory of 3576	1972	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe	94
PID 1972 wrote to memory of 1724	1972	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe	95
PID 1972 wrote to memory of 1724	1972	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe	95
PID 1972 wrote to memory of 5068	1972	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe	96
PID 1972 wrote to memory of 5068	1972	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe	96
PID 1972 wrote to memory of 3304	1972	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe	97
PID 1972 wrote to memory of 3304	1972	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe	97
PID 1972 wrote to memory of 3092	1972	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe	98
PID 1972 wrote to memory of 3092	1972	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe	98
PID 1972 wrote to memory of 228	1972	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe	99
PID 1972 wrote to memory of 228	1972	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe	99
PID 1972 wrote to memory of 4984	1972	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe	100
PID 1972 wrote to memory of 4984	1972	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe	100
PID 1972 wrote to memory of 912	1972	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe	101
PID 1972 wrote to memory of 912	1972	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe	101
PID 1972 wrote to memory of 4640	1972	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe	102
PID 1972 wrote to memory of 4640	1972	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe	102
PID 1972 wrote to memory of 796	1972	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe	103
PID 1972 wrote to memory of 796	1972	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe	103
PID 1972 wrote to memory of 1568	1972	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe	104
PID 1972 wrote to memory of 1568	1972	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe	104
PID 1972 wrote to memory of 3864	1972	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe	105
PID 1972 wrote to memory of 3864	1972	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe	105
PID 1972 wrote to memory of 4520	1972	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe	106
PID 1972 wrote to memory of 4520	1972	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe	106
PID 1972 wrote to memory of 4452	1972	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe	107
PID 1972 wrote to memory of 4452	1972	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe	107
PID 1972 wrote to memory of 1440	1972	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe	108
PID 1972 wrote to memory of 1440	1972	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe	108
PID 1972 wrote to memory of 3100	1972	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe	109
PID 1972 wrote to memory of 3100	1972	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe	109
PID 1972 wrote to memory of 4348	1972	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe	110
PID 1972 wrote to memory of 4348	1972	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe	110
PID 1972 wrote to memory of 2496	1972	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe	111
PID 1972 wrote to memory of 2496	1972	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe	111
PID 1972 wrote to memory of 3188	1972	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe	112
PID 1972 wrote to memory of 3188	1972	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe	112

C:\Users\Admin\AppData\Local\Temp\2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Windows\System\czSeTGB.exe
  C:\Windows\System\czSeTGB.exe
  2⤵
  - Executes dropped EXE
  PID:4016
- C:\Windows\System\OLniSVd.exe
  C:\Windows\System\OLniSVd.exe
  2⤵
  - Executes dropped EXE
  PID:1216
- C:\Windows\System\WKhDgqb.exe
  C:\Windows\System\WKhDgqb.exe
  2⤵
  - Executes dropped EXE
  PID:3576
- C:\Windows\System\PaWmBoS.exe
  C:\Windows\System\PaWmBoS.exe
  2⤵
  - Executes dropped EXE
  PID:1724
- C:\Windows\System\xvzVDbq.exe
  C:\Windows\System\xvzVDbq.exe
  2⤵
  - Executes dropped EXE
  PID:5068
- C:\Windows\System\WbpWkBO.exe
  C:\Windows\System\WbpWkBO.exe
  2⤵
  - Executes dropped EXE
  PID:3304
- C:\Windows\System\tDYZmYw.exe
  C:\Windows\System\tDYZmYw.exe
  2⤵
  - Executes dropped EXE
  PID:3092
- C:\Windows\System\JmgvKCp.exe
  C:\Windows\System\JmgvKCp.exe
  2⤵
  - Executes dropped EXE
  PID:228
- C:\Windows\System\NbAkVOp.exe
  C:\Windows\System\NbAkVOp.exe
  2⤵
  - Executes dropped EXE
  PID:4984
- C:\Windows\System\taGzSGf.exe
  C:\Windows\System\taGzSGf.exe
  2⤵
  - Executes dropped EXE
  PID:912
- C:\Windows\System\WFuxvXR.exe
  C:\Windows\System\WFuxvXR.exe
  2⤵
  - Executes dropped EXE
  PID:4640
- C:\Windows\System\OWCllxY.exe
  C:\Windows\System\OWCllxY.exe
  2⤵
  - Executes dropped EXE
  PID:796
- C:\Windows\System\UWakrxO.exe
  C:\Windows\System\UWakrxO.exe
  2⤵
  - Executes dropped EXE
  PID:1568
- C:\Windows\System\PhGwHsm.exe
  C:\Windows\System\PhGwHsm.exe
  2⤵
  - Executes dropped EXE
  PID:3864
- C:\Windows\System\aVmixyP.exe
  C:\Windows\System\aVmixyP.exe
  2⤵
  - Executes dropped EXE
  PID:4520
- C:\Windows\System\yPwMBPN.exe
  C:\Windows\System\yPwMBPN.exe
  2⤵
  - Executes dropped EXE
  PID:4452
- C:\Windows\System\dWjTKyg.exe
  C:\Windows\System\dWjTKyg.exe
  2⤵
  - Executes dropped EXE
  PID:1440
- C:\Windows\System\KLivjdl.exe
  C:\Windows\System\KLivjdl.exe
  2⤵
  - Executes dropped EXE
  PID:3100
- C:\Windows\System\UfOjyHh.exe
  C:\Windows\System\UfOjyHh.exe
  2⤵
  - Executes dropped EXE
  PID:4348
- C:\Windows\System\myMjFlw.exe
  C:\Windows\System\myMjFlw.exe
  2⤵
  - Executes dropped EXE
  PID:2496
- C:\Windows\System\lptmEJj.exe
  C:\Windows\System\lptmEJj.exe
  2⤵
  - Executes dropped EXE
  PID:3188

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4000 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:8
1⤵
PID:4276

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\JmgvKCp.exe

Filesize
5.2MB

MD5
3963ae85c63822c822d187478d9c1ec0

SHA1
fd2d6f8f4f0f271b5b9c6f191bca6948a8f957a4

SHA256
80b873b4aa26495f219464d5cd5d2b62789d410b280239c625a904ee088071c1

SHA512
6b2aabb50dde7502ebda184f4442367111097bb952a042b52e5722680e0bacc1ab83000068ec650cc3dc958b2b84e80a3dcf4ef4045d57cdb6e0209fa14f36a7

Download Submit
C:\Windows\System\KLivjdl.exe

Filesize
5.2MB

MD5
7580a84cfc0cd243b81514233cd3e803

SHA1
4ae802a6d730b053feaae983905d3598c036e733

SHA256
bca6c2ae9066f9c3e0c17b37a837efc776bb64c63b89185df71b082207b983f1

SHA512
d39a548ab76f3a9b21a4081af3f2271eb06fc748bd0d8e827be21597d924c824e0e399c3af62584dd9fdedd4dd565316bd306b65f475910b95f5a605fe288955

Download Submit
C:\Windows\System\NbAkVOp.exe

Filesize
5.2MB

MD5
5acd0925432a95cb731960e4fcb951b5

SHA1
3ecc323cd9107c9b669fda82b09683a75be638f8

SHA256
df028d059fa314c1380c13d7eade49c0239fed3eba24b78903e404fc868bbf82

SHA512
2694070d17f8640729d23d967ab97fadf5e54fa971d3dfc1d2229cc1bf96b0287d436c8a16c1df463be4d5fb5d832007a97dcd82d4b9a83f93720c4f95f59923

Download Submit
C:\Windows\System\OLniSVd.exe

Filesize
5.2MB

MD5
8b6e8c27acd073124d58c43f5f702c5b

SHA1
f91d1e2b1797b1b3262e326226f58292880cdbc2

SHA256
2939b973a60baa56210c21bf1990131e00d460d44872a7ff681b793eb396dbcf

SHA512
aef584aac9f00db5682289a1f58723d5319b897a1e5a83051ebb3476dbe2baaf0d28630e8254c8d8a89f7ec7f7410ce883c3554c9f46931a5652c6f9f8be1a4f

Download Submit
C:\Windows\System\OWCllxY.exe

Filesize
5.2MB

MD5
e66f72794fddc34f530ffa996d6a0952

SHA1
cd68fe97b53981470fd011255faa4b3c00cd75ba

SHA256
a04b0c249619ab4975e51ac858e126302a1fe1799e26c38615b72aa5bb446cec

SHA512
bd37be524e204acfc195c46356690407928d10548b57e2ba245a3d61d16e4fd6a1b7ebed801bc000042d7e5ad2ffde670e388ee6f0b8083d580b53fc25633361

Download Submit
C:\Windows\System\PaWmBoS.exe

Filesize
5.2MB

MD5
04056ba7e4b29783a5a5367d7f7fe055

SHA1
d8a4225321cd62b2389e2d06e3952ce3b0e23786

SHA256
d814b3425fab97b30c4d89d72e6601ffd1028d45899f81956f542a397a4aa27c

SHA512
4b048482c1b78d7747fa4e6faed305466bdacf31c0b98950a355a50bf2ef9645d7a362f89273be825dc566e13010af4af5b6a51895633df54cf847d5543c8449

Download Submit
C:\Windows\System\PhGwHsm.exe

Filesize
5.2MB

MD5
d6179090015c632326f262269bdedcd5

SHA1
664ecd5238ff689d5b0a662825de619d775eb23d

SHA256
e4b40a64e6bae168cf55c1bc72689d23a3b0cb3e2e5437ec276a67c36a1368be

SHA512
c34878daff60ed3066f86dfdfca21de5abee574b7774a26a6ce700c4aeca3435deb8fb43d6f73d4a8ce7456272d07826bb475ae49774f6bbba657ea49eaf5fc7

Download Submit
C:\Windows\System\UWakrxO.exe

Filesize
5.2MB

MD5
83a698a08da152ced7494b552aa0ba52

SHA1
b2f965363c42e5e3ab3a23425e3cef1d151320d7

SHA256
05f78a67cd3ff55d15185277ff2995375552591633836fd2763057c9e1b55701

SHA512
c41df9828daafb526e63f6da42da15f816d0692e3483046d6957ada2ddb525e69c42a38b4ac23b607c5aec5f0b9ffb7859c29af835e09910090c7304982bf542

Download Submit
C:\Windows\System\UfOjyHh.exe

Filesize
5.2MB

MD5
f89335125092e8b20ba16ecc333b27a9

SHA1
cebc74065bfab244c1370fbaacd21689cb6d9a6c

SHA256
be16512275ae6da6c360d1ab2131d3d3da36fd05720368cad50acf41faa78459

SHA512
ca5c9558f883ce89aabf79b578608a87c47da48a3f20ad7c8bf8af4ecf1c6ef8d9602f7f7632488c9a433dba6c4ce5a3455c0cccdbd10f2a642feea219022f3e

Download Submit
C:\Windows\System\WFuxvXR.exe

Filesize
5.2MB

MD5
f08adce0741ce8ffd65088bf2fb47216

SHA1
0fe2a982823720f4c496f3536a1e0a8e372b1936

SHA256
fd4f246136f1d30cfd1ec615c93fabfffbdf78ecb5c2582fcc7be0a01a2de6a4

SHA512
a462763d525b54bef95cb3e52171ef03729fea7de273a6730b5e5d4f0aeef1463a8922ffc69630f592b52d5afff9a03cfb1f6d7057a870ee54b1b051bd04773c

Download Submit
C:\Windows\System\WKhDgqb.exe

Filesize
5.2MB

MD5
1c48d1af9e68e578ef00a2f90d0d82e4

SHA1
f07313a083d89c81ac8b588584d437677f03ffd6

SHA256
62604f1d8d6dd2a157cdc7faa4936cba618fd94e9328083bae4eb259efb73849

SHA512
a37e864c26ce4a5f3cce0d5f3482571af254d36abbc0069c9c026fc561769593663949f1356b1818f03977de5c0a8325f064cf2f0d5f6d37d0b290c537600b64

Download Submit
C:\Windows\System\WbpWkBO.exe

Filesize
5.2MB

MD5
41310c6fb985669dc4568af25d92d784

SHA1
fc1b226893b6e3c1e8333fe523514b40f1470e14

SHA256
b2e547a2647d54dcf1c384db933c9c21689c0fb2281df778b7f0095d3974c87a

SHA512
99b68be35857a8c59db9fa62a4542b8b50c98202345788cb5f9f146988aa74f72f1d6eedf84019c6839b5330fa726d71392757db5125c0af180da09a59e37045

Download Submit
C:\Windows\System\aVmixyP.exe

Filesize
5.2MB

MD5
ef3d90f072fa74ce4ebfaa25e11684b6

SHA1
0469058a6ab051919e85210a17f13ae9c7a5a58a

SHA256
8b8a3eaaad66824041dc6757595cf591871ac3774332e7298629480d46a34508

SHA512
8fd04935ddfbcfadf7911ffbaa5543d44aae75216f53da6deddf15069ccd2eab03c439aa0ff39a34467e392d1043f118fe27298e6ec84513367a801b91edc233

Download Submit
C:\Windows\System\czSeTGB.exe

Filesize
5.2MB

MD5
b86effad55e5c8c24fb345cc9a469428

SHA1
5c225ab0bbc3d32efff1ff53989e885c47e3707f

SHA256
3c2712af225f8e04e10b3997edbfa3825f435cd258298c7499271de8bf5a4364

SHA512
1bc40971382f53abfbd895550be85121ca859f17966f238871594d7bc297ac51aedfa24ef50211b365172792858232d09feba4b99d277573ce934f1d8b09bab8

Download Submit
C:\Windows\System\dWjTKyg.exe

Filesize
5.2MB

MD5
cfcc649b756e9c8cf32f3e7a254f63ca

SHA1
f8c4db4f7929c43ae87f02c6828948db686b5efd

SHA256
a54954221282cdcc3d04247f5ad7ae0b96e08f8526c353a9c02c092bc846fd31

SHA512
0c32bc5bad1d3defb9f82a91c0ee22335a19775aff4313d6bb0af6cf5d91b102e90787ef68f76c4b64c78795d0a00f7bceb08197def7cbe64e25889c842b6c9e

Download Submit
C:\Windows\System\lptmEJj.exe

Filesize
5.2MB

MD5
5b5ea24ce4b7f3a49aefd22da1def71e

SHA1
7d1b6dc0868cdbe587cbd609af1ca0ecd23aa26e

SHA256
ff8f4135ea6ce7309ecc80c16ed2b0a74d283e63cc5068c40448e1956b76d4e5

SHA512
e82d5b13b0d686759379e7a06dfeb81110ac28bf71df5c132b23fd34a5b5da3fe52c9f5ff965311980c18732d75d10ff18e0cafbba7430a412db1b01cc1196b3

Download Submit
C:\Windows\System\myMjFlw.exe

Filesize
5.2MB

MD5
9f85e2aa3da1bb916c512379f7bbea8d

SHA1
0006ce027449ad6157b6a7eab8ec61f3ff5390ec

SHA256
de245967af4aa9c0edbae6b0945fec6ebdb9f20ff558c0553f23c2054b667a57

SHA512
7ef767ab382902c233fbd4c0753ae8cac3af6a2d33f4def1e165fd37dbfc84c7a756c966bb33294ab840d4ab968642086cd1bad4dde59f9a2b254545c204423f

Download Submit
C:\Windows\System\tDYZmYw.exe

Filesize
5.2MB

MD5
5b3d6414eccb2934b9a1d84a0a44c053

SHA1
c50e650a00f1aa902b810a249a32320dab5d9b14

SHA256
9350bdc1136e4e96afa784e1bcb97cfab9e91511bda15d2a5af437feed25f38b

SHA512
99fa2d6ce4b09e256607d7721dc76c367b40f667d256bf428ba77e053e875c1a86042bdc34ecad25cbe025fb64d7532f53a4cfd25eab83b3315a6ddef560fb13

Download Submit
C:\Windows\System\taGzSGf.exe

Filesize
5.2MB

MD5
cc1da60986ee26c68df2585259fd5099

SHA1
75bf12f67300e2c201ecef5d0f9a3f9115473fcb

SHA256
32351b85e2ba48611000fc1695d2d5bdb2204bedbda81b799d697cec33a7a0a0

SHA512
670ef74d69a01695314002e64b41e5f7b282a9d113fbd8114b5d0eea5cf9c7dc8a6e9eddb1125cac531559478a08b998b1b646069137980eca457261023a174a

Download Submit
C:\Windows\System\xvzVDbq.exe

Filesize
5.2MB

MD5
f89781aee2e2a2e0a21b59d8506ffe3c

SHA1
ffbad85cc6fca519b79b55f679ec01d99254acd7

SHA256
ea35b221a64487b1e32c72ebc4a2058f7230646fe57f5b28c99ed2fba2465828

SHA512
f81170ec5abec9c739314ac00869bafcb905ba4a6cf7d7074f758380320c94aee85e681199408d84d94c9619fe89cd333665380a36cba03dede4bdcadd12817a

Download Submit
C:\Windows\System\yPwMBPN.exe

Filesize
5.2MB

MD5
fb78775375a12b6a02f7e97a11f77232

SHA1
22e14414d906ce9a8eca2a01d0cd8fe5a287265c

SHA256
079b5fe1ef5e47177a5f2cb5f74d01150a8d241620a4d906a751471f4374bf14

SHA512
50a95686f7a895ccdda7b560d86566e514a671df2f68f0524be50b8bcab54e3e499832047cd7a3d7f7cf9e3644ebee9325f1a6da2087c449c81e0a1c65bcced6

Download Submit
memory/228-50-0x00007FF7AC1A0000-0x00007FF7AC4F1000-memory.dmp

Filesize
3.3MB

Download
memory/228-207-0x00007FF7AC1A0000-0x00007FF7AC4F1000-memory.dmp

Filesize
3.3MB

Download
memory/228-128-0x00007FF7AC1A0000-0x00007FF7AC4F1000-memory.dmp

Filesize
3.3MB

Download
memory/796-132-0x00007FF7D48B0000-0x00007FF7D4C01000-memory.dmp

Filesize
3.3MB

Download
memory/796-217-0x00007FF7D48B0000-0x00007FF7D4C01000-memory.dmp

Filesize
3.3MB

Download
memory/912-211-0x00007FF6F2290000-0x00007FF6F25E1000-memory.dmp

Filesize
3.3MB

Download
memory/912-66-0x00007FF6F2290000-0x00007FF6F25E1000-memory.dmp

Filesize
3.3MB

Download
memory/1216-122-0x00007FF69ABF0000-0x00007FF69AF41000-memory.dmp

Filesize
3.3MB

Download
memory/1216-192-0x00007FF69ABF0000-0x00007FF69AF41000-memory.dmp

Filesize
3.3MB

Download
memory/1216-13-0x00007FF69ABF0000-0x00007FF69AF41000-memory.dmp

Filesize
3.3MB

Download
memory/1440-225-0x00007FF68C880000-0x00007FF68CBD1000-memory.dmp

Filesize
3.3MB

Download
memory/1440-137-0x00007FF68C880000-0x00007FF68CBD1000-memory.dmp

Filesize
3.3MB

Download
memory/1568-216-0x00007FF613750000-0x00007FF613AA1000-memory.dmp

Filesize
3.3MB

Download
memory/1568-133-0x00007FF613750000-0x00007FF613AA1000-memory.dmp

Filesize
3.3MB

Download
memory/1724-25-0x00007FF607880000-0x00007FF607BD1000-memory.dmp

Filesize
3.3MB

Download
memory/1724-196-0x00007FF607880000-0x00007FF607BD1000-memory.dmp

Filesize
3.3MB

Download
memory/1724-124-0x00007FF607880000-0x00007FF607BD1000-memory.dmp

Filesize
3.3MB

Download
memory/1972-62-0x00007FF70D6D0000-0x00007FF70DA21000-memory.dmp

Filesize
3.3MB

Download
memory/1972-1-0x0000015CD2560000-0x0000015CD2570000-memory.dmp

Filesize
64KB

Download
memory/1972-0-0x00007FF70D6D0000-0x00007FF70DA21000-memory.dmp

Filesize
3.3MB

Download
memory/1972-142-0x00007FF70D6D0000-0x00007FF70DA21000-memory.dmp

Filesize
3.3MB

Download
memory/1972-120-0x00007FF70D6D0000-0x00007FF70DA21000-memory.dmp

Filesize
3.3MB

Download
memory/2496-232-0x00007FF7614E0000-0x00007FF761831000-memory.dmp

Filesize
3.3MB

Download
memory/2496-140-0x00007FF7614E0000-0x00007FF761831000-memory.dmp

Filesize
3.3MB

Download
memory/3092-205-0x00007FF6FC0F0000-0x00007FF6FC441000-memory.dmp

Filesize
3.3MB

Download
memory/3092-46-0x00007FF6FC0F0000-0x00007FF6FC441000-memory.dmp

Filesize
3.3MB

Download
memory/3100-138-0x00007FF6DC230000-0x00007FF6DC581000-memory.dmp

Filesize
3.3MB

Download
memory/3100-231-0x00007FF6DC230000-0x00007FF6DC581000-memory.dmp

Filesize
3.3MB

Download
memory/3188-229-0x00007FF67E9E0000-0x00007FF67ED31000-memory.dmp

Filesize
3.3MB

Download
memory/3188-141-0x00007FF67E9E0000-0x00007FF67ED31000-memory.dmp

Filesize
3.3MB

Download
memory/3304-40-0x00007FF629C30000-0x00007FF629F81000-memory.dmp

Filesize
3.3MB

Download
memory/3304-203-0x00007FF629C30000-0x00007FF629F81000-memory.dmp

Filesize
3.3MB

Download
memory/3576-194-0x00007FF7B9090000-0x00007FF7B93E1000-memory.dmp

Filesize
3.3MB

Download
memory/3576-20-0x00007FF7B9090000-0x00007FF7B93E1000-memory.dmp

Filesize
3.3MB

Download
memory/3864-134-0x00007FF6D8180000-0x00007FF6D84D1000-memory.dmp

Filesize
3.3MB

Download
memory/3864-221-0x00007FF6D8180000-0x00007FF6D84D1000-memory.dmp

Filesize
3.3MB

Download
memory/4016-8-0x00007FF71FEF0000-0x00007FF720241000-memory.dmp

Filesize
3.3MB

Download
memory/4016-190-0x00007FF71FEF0000-0x00007FF720241000-memory.dmp

Filesize
3.3MB

Download
memory/4016-67-0x00007FF71FEF0000-0x00007FF720241000-memory.dmp

Filesize
3.3MB

Download
memory/4348-139-0x00007FF714F50000-0x00007FF7152A1000-memory.dmp

Filesize
3.3MB

Download
memory/4348-233-0x00007FF714F50000-0x00007FF7152A1000-memory.dmp

Filesize
3.3MB

Download
memory/4452-220-0x00007FF648270000-0x00007FF6485C1000-memory.dmp

Filesize
3.3MB

Download
memory/4452-136-0x00007FF648270000-0x00007FF6485C1000-memory.dmp

Filesize
3.3MB

Download
memory/4520-135-0x00007FF77C360000-0x00007FF77C6B1000-memory.dmp

Filesize
3.3MB

Download
memory/4520-223-0x00007FF77C360000-0x00007FF77C6B1000-memory.dmp

Filesize
3.3MB

Download
memory/4640-68-0x00007FF636000000-0x00007FF636351000-memory.dmp

Filesize
3.3MB

Download
memory/4640-213-0x00007FF636000000-0x00007FF636351000-memory.dmp

Filesize
3.3MB

Download
memory/4640-131-0x00007FF636000000-0x00007FF636351000-memory.dmp

Filesize
3.3MB

Download
memory/4984-209-0x00007FF6BDDC0000-0x00007FF6BE111000-memory.dmp

Filesize
3.3MB

Download
memory/4984-61-0x00007FF6BDDC0000-0x00007FF6BE111000-memory.dmp

Filesize
3.3MB

Download
memory/5068-198-0x00007FF7CD4C0000-0x00007FF7CD811000-memory.dmp

Filesize
3.3MB

Download
memory/5068-125-0x00007FF7CD4C0000-0x00007FF7CD811000-memory.dmp

Filesize
3.3MB

Download
memory/5068-32-0x00007FF7CD4C0000-0x00007FF7CD811000-memory.dmp

Filesize
3.3MB

Download