cobaltstrike | 17a5b395d4c4074ed27e4eb021aa0727b600cc5ef63b490c109cfc2ada101923

Analysis

max time kernel
149s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
02/06/2024, 19:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe
Size

5.9MB
MD5

cc219612674837b8e7c41018164b8802
SHA1

ad0901147e27fadef60e2128df8fea8eecc2428f
SHA256

17a5b395d4c4074ed27e4eb021aa0727b600cc5ef63b490c109cfc2ada101923
SHA512

882c97f9a17d742397f885d07c06bad635bba98462a13921eb5ef1907ce0dcdffec9855cec771539c74b95ca0cb2d50a7c8b20a0280e4675e41f5bff3df7e2a0
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUn:Q+856utgpPF8u/7n

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0008000000022f51-4.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233f2-8.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233f3-11.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233f4-26.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233f5-30.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233f6-35.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233f7-40.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233f9-47.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233fa-59.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233fd-70.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233fc-83.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023400-93.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233ff-101.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023403-120.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023405-127.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023404-122.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023402-117.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023401-115.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233fe-79.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233fb-69.dat	cobalt_reflective_dll
behavioral2/files/0x00080000000233ef-56.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

resource	yara_rule
behavioral2/files/0x0008000000022f51-4.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233f2-8.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233f3-11.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233f4-26.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233f5-30.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233f6-35.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233f7-40.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233f9-47.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233fa-59.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233fd-70.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233fc-83.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023400-93.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233ff-101.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023403-120.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023405-127.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023404-122.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023402-117.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023401-115.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233fe-79.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233fb-69.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00080000000233ef-56.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

resource	yara_rule
behavioral2/memory/4740-0-0x00007FF7D48F0000-0x00007FF7D4C44000-memory.dmp	UPX
behavioral2/files/0x0008000000022f51-4.dat	UPX
behavioral2/files/0x00070000000233f2-8.dat	UPX
behavioral2/files/0x00070000000233f3-11.dat	UPX
behavioral2/memory/4700-24-0x00007FF762EE0000-0x00007FF763234000-memory.dmp	UPX
behavioral2/files/0x00070000000233f4-26.dat	UPX
behavioral2/files/0x00070000000233f5-30.dat	UPX
behavioral2/files/0x00070000000233f6-35.dat	UPX
behavioral2/memory/2596-32-0x00007FF6C7C20000-0x00007FF6C7F74000-memory.dmp	UPX
behavioral2/memory/5008-19-0x00007FF7F0320000-0x00007FF7F0674000-memory.dmp	UPX
behavioral2/files/0x00070000000233f7-40.dat	UPX
behavioral2/memory/1528-42-0x00007FF79CE70000-0x00007FF79D1C4000-memory.dmp	UPX
behavioral2/memory/2732-41-0x00007FF6534A0000-0x00007FF6537F4000-memory.dmp	UPX
behavioral2/memory/4492-14-0x00007FF7C7010000-0x00007FF7C7364000-memory.dmp	UPX
behavioral2/memory/228-9-0x00007FF641070000-0x00007FF6413C4000-memory.dmp	UPX
behavioral2/files/0x00070000000233f9-47.dat	UPX
behavioral2/memory/4704-50-0x00007FF70A6A0000-0x00007FF70A9F4000-memory.dmp	UPX
behavioral2/files/0x00070000000233fa-59.dat	UPX
behavioral2/files/0x00070000000233fd-70.dat	UPX
behavioral2/files/0x00070000000233fc-83.dat	UPX
behavioral2/memory/228-85-0x00007FF641070000-0x00007FF6413C4000-memory.dmp	UPX
behavioral2/memory/748-91-0x00007FF721260000-0x00007FF7215B4000-memory.dmp	UPX
behavioral2/files/0x0007000000023400-93.dat	UPX
behavioral2/files/0x00070000000233ff-101.dat	UPX
behavioral2/files/0x0007000000023403-120.dat	UPX
behavioral2/memory/4924-129-0x00007FF797780000-0x00007FF797AD4000-memory.dmp	UPX
behavioral2/memory/3140-131-0x00007FF7BA720000-0x00007FF7BAA74000-memory.dmp	UPX
behavioral2/memory/3656-130-0x00007FF6282D0000-0x00007FF628624000-memory.dmp	UPX
behavioral2/files/0x0007000000023405-127.dat	UPX
behavioral2/memory/5008-126-0x00007FF7F0320000-0x00007FF7F0674000-memory.dmp	UPX
behavioral2/memory/4492-125-0x00007FF7C7010000-0x00007FF7C7364000-memory.dmp	UPX
behavioral2/memory/1944-124-0x00007FF7BABC0000-0x00007FF7BAF14000-memory.dmp	UPX
behavioral2/files/0x0007000000023404-122.dat	UPX
behavioral2/memory/4920-119-0x00007FF60FB30000-0x00007FF60FE84000-memory.dmp	UPX
behavioral2/files/0x0007000000023402-117.dat	UPX
behavioral2/files/0x0007000000023401-115.dat	UPX
behavioral2/memory/3272-113-0x00007FF622D20000-0x00007FF623074000-memory.dmp	UPX
behavioral2/memory/3480-106-0x00007FF7DC260000-0x00007FF7DC5B4000-memory.dmp	UPX
behavioral2/memory/4600-92-0x00007FF6FFCC0000-0x00007FF700014000-memory.dmp	UPX
behavioral2/memory/4132-89-0x00007FF73C3F0000-0x00007FF73C744000-memory.dmp	UPX
behavioral2/memory/4740-80-0x00007FF7D48F0000-0x00007FF7D4C44000-memory.dmp	UPX
behavioral2/files/0x00070000000233fe-79.dat	UPX
behavioral2/memory/3680-74-0x00007FF679620000-0x00007FF679974000-memory.dmp	UPX
behavioral2/files/0x00070000000233fb-69.dat	UPX
behavioral2/memory/2552-68-0x00007FF77A090000-0x00007FF77A3E4000-memory.dmp	UPX
behavioral2/memory/4504-58-0x00007FF6251C0000-0x00007FF625514000-memory.dmp	UPX
behavioral2/files/0x00080000000233ef-56.dat	UPX
behavioral2/memory/4700-132-0x00007FF762EE0000-0x00007FF763234000-memory.dmp	UPX
behavioral2/memory/1528-133-0x00007FF79CE70000-0x00007FF79D1C4000-memory.dmp	UPX
behavioral2/memory/4704-134-0x00007FF70A6A0000-0x00007FF70A9F4000-memory.dmp	UPX
behavioral2/memory/4504-135-0x00007FF6251C0000-0x00007FF625514000-memory.dmp	UPX
behavioral2/memory/2552-136-0x00007FF77A090000-0x00007FF77A3E4000-memory.dmp	UPX
behavioral2/memory/4132-137-0x00007FF73C3F0000-0x00007FF73C744000-memory.dmp	UPX
behavioral2/memory/3480-138-0x00007FF7DC260000-0x00007FF7DC5B4000-memory.dmp	UPX
behavioral2/memory/4920-139-0x00007FF60FB30000-0x00007FF60FE84000-memory.dmp	UPX
behavioral2/memory/3272-140-0x00007FF622D20000-0x00007FF623074000-memory.dmp	UPX
behavioral2/memory/228-141-0x00007FF641070000-0x00007FF6413C4000-memory.dmp	UPX
behavioral2/memory/4492-142-0x00007FF7C7010000-0x00007FF7C7364000-memory.dmp	UPX
behavioral2/memory/5008-143-0x00007FF7F0320000-0x00007FF7F0674000-memory.dmp	UPX
behavioral2/memory/4700-144-0x00007FF762EE0000-0x00007FF763234000-memory.dmp	UPX
behavioral2/memory/2596-145-0x00007FF6C7C20000-0x00007FF6C7F74000-memory.dmp	UPX
behavioral2/memory/2732-146-0x00007FF6534A0000-0x00007FF6537F4000-memory.dmp	UPX
behavioral2/memory/1528-147-0x00007FF79CE70000-0x00007FF79D1C4000-memory.dmp	UPX
behavioral2/memory/4704-148-0x00007FF70A6A0000-0x00007FF70A9F4000-memory.dmp	UPX

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/4740-0-0x00007FF7D48F0000-0x00007FF7D4C44000-memory.dmp	xmrig
behavioral2/files/0x0008000000022f51-4.dat	xmrig
behavioral2/files/0x00070000000233f2-8.dat	xmrig
behavioral2/files/0x00070000000233f3-11.dat	xmrig
behavioral2/memory/4700-24-0x00007FF762EE0000-0x00007FF763234000-memory.dmp	xmrig
behavioral2/files/0x00070000000233f4-26.dat	xmrig
behavioral2/files/0x00070000000233f5-30.dat	xmrig
behavioral2/files/0x00070000000233f6-35.dat	xmrig
behavioral2/memory/2596-32-0x00007FF6C7C20000-0x00007FF6C7F74000-memory.dmp	xmrig
behavioral2/memory/5008-19-0x00007FF7F0320000-0x00007FF7F0674000-memory.dmp	xmrig
behavioral2/files/0x00070000000233f7-40.dat	xmrig
behavioral2/memory/1528-42-0x00007FF79CE70000-0x00007FF79D1C4000-memory.dmp	xmrig
behavioral2/memory/2732-41-0x00007FF6534A0000-0x00007FF6537F4000-memory.dmp	xmrig
behavioral2/memory/4492-14-0x00007FF7C7010000-0x00007FF7C7364000-memory.dmp	xmrig
behavioral2/memory/228-9-0x00007FF641070000-0x00007FF6413C4000-memory.dmp	xmrig
behavioral2/files/0x00070000000233f9-47.dat	xmrig
behavioral2/memory/4704-50-0x00007FF70A6A0000-0x00007FF70A9F4000-memory.dmp	xmrig
behavioral2/files/0x00070000000233fa-59.dat	xmrig
behavioral2/files/0x00070000000233fd-70.dat	xmrig
behavioral2/files/0x00070000000233fc-83.dat	xmrig
behavioral2/memory/228-85-0x00007FF641070000-0x00007FF6413C4000-memory.dmp	xmrig
behavioral2/memory/748-91-0x00007FF721260000-0x00007FF7215B4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023400-93.dat	xmrig
behavioral2/files/0x00070000000233ff-101.dat	xmrig
behavioral2/files/0x0007000000023403-120.dat	xmrig
behavioral2/memory/4924-129-0x00007FF797780000-0x00007FF797AD4000-memory.dmp	xmrig
behavioral2/memory/3140-131-0x00007FF7BA720000-0x00007FF7BAA74000-memory.dmp	xmrig
behavioral2/memory/3656-130-0x00007FF6282D0000-0x00007FF628624000-memory.dmp	xmrig
behavioral2/files/0x0007000000023405-127.dat	xmrig
behavioral2/memory/5008-126-0x00007FF7F0320000-0x00007FF7F0674000-memory.dmp	xmrig
behavioral2/memory/4492-125-0x00007FF7C7010000-0x00007FF7C7364000-memory.dmp	xmrig
behavioral2/memory/1944-124-0x00007FF7BABC0000-0x00007FF7BAF14000-memory.dmp	xmrig
behavioral2/files/0x0007000000023404-122.dat	xmrig
behavioral2/memory/4920-119-0x00007FF60FB30000-0x00007FF60FE84000-memory.dmp	xmrig
behavioral2/files/0x0007000000023402-117.dat	xmrig
behavioral2/files/0x0007000000023401-115.dat	xmrig
behavioral2/memory/3272-113-0x00007FF622D20000-0x00007FF623074000-memory.dmp	xmrig
behavioral2/memory/3480-106-0x00007FF7DC260000-0x00007FF7DC5B4000-memory.dmp	xmrig
behavioral2/memory/4600-92-0x00007FF6FFCC0000-0x00007FF700014000-memory.dmp	xmrig
behavioral2/memory/4132-89-0x00007FF73C3F0000-0x00007FF73C744000-memory.dmp	xmrig
behavioral2/memory/4740-80-0x00007FF7D48F0000-0x00007FF7D4C44000-memory.dmp	xmrig
behavioral2/files/0x00070000000233fe-79.dat	xmrig
behavioral2/memory/3680-74-0x00007FF679620000-0x00007FF679974000-memory.dmp	xmrig
behavioral2/files/0x00070000000233fb-69.dat	xmrig
behavioral2/memory/2552-68-0x00007FF77A090000-0x00007FF77A3E4000-memory.dmp	xmrig
behavioral2/memory/4504-58-0x00007FF6251C0000-0x00007FF625514000-memory.dmp	xmrig
behavioral2/files/0x00080000000233ef-56.dat	xmrig
behavioral2/memory/4700-132-0x00007FF762EE0000-0x00007FF763234000-memory.dmp	xmrig
behavioral2/memory/1528-133-0x00007FF79CE70000-0x00007FF79D1C4000-memory.dmp	xmrig
behavioral2/memory/4704-134-0x00007FF70A6A0000-0x00007FF70A9F4000-memory.dmp	xmrig
behavioral2/memory/4504-135-0x00007FF6251C0000-0x00007FF625514000-memory.dmp	xmrig
behavioral2/memory/2552-136-0x00007FF77A090000-0x00007FF77A3E4000-memory.dmp	xmrig
behavioral2/memory/4132-137-0x00007FF73C3F0000-0x00007FF73C744000-memory.dmp	xmrig
behavioral2/memory/3480-138-0x00007FF7DC260000-0x00007FF7DC5B4000-memory.dmp	xmrig
behavioral2/memory/4920-139-0x00007FF60FB30000-0x00007FF60FE84000-memory.dmp	xmrig
behavioral2/memory/3272-140-0x00007FF622D20000-0x00007FF623074000-memory.dmp	xmrig
behavioral2/memory/228-141-0x00007FF641070000-0x00007FF6413C4000-memory.dmp	xmrig
behavioral2/memory/4492-142-0x00007FF7C7010000-0x00007FF7C7364000-memory.dmp	xmrig
behavioral2/memory/5008-143-0x00007FF7F0320000-0x00007FF7F0674000-memory.dmp	xmrig
behavioral2/memory/4700-144-0x00007FF762EE0000-0x00007FF763234000-memory.dmp	xmrig
behavioral2/memory/2596-145-0x00007FF6C7C20000-0x00007FF6C7F74000-memory.dmp	xmrig
behavioral2/memory/2732-146-0x00007FF6534A0000-0x00007FF6537F4000-memory.dmp	xmrig
behavioral2/memory/1528-147-0x00007FF79CE70000-0x00007FF79D1C4000-memory.dmp	xmrig
behavioral2/memory/4704-148-0x00007FF70A6A0000-0x00007FF70A9F4000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
228	oJhsFTh.exe
4492	bMqmbRD.exe
5008	lSLbcvQ.exe
4700	pjbaUKx.exe
2596	jHxHadB.exe
2732	AEZIicL.exe
1528	lsWZRYN.exe
4704	VznkUIu.exe
4504	lqdmEbD.exe
2552	wVeYsKa.exe
3680	enaoQVU.exe
4132	FLsFmyO.exe
748	WBRoveT.exe
4600	DRZdRGm.exe
3480	bEMesYN.exe
1944	MtMdTLR.exe
4924	wpvxNOT.exe
3272	yvQuNaL.exe
3656	KqJxQKS.exe
4920	PiaNsKs.exe
3140	xkhuCul.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4740-0-0x00007FF7D48F0000-0x00007FF7D4C44000-memory.dmp	upx
behavioral2/files/0x0008000000022f51-4.dat	upx
behavioral2/files/0x00070000000233f2-8.dat	upx
behavioral2/files/0x00070000000233f3-11.dat	upx
behavioral2/memory/4700-24-0x00007FF762EE0000-0x00007FF763234000-memory.dmp	upx
behavioral2/files/0x00070000000233f4-26.dat	upx
behavioral2/files/0x00070000000233f5-30.dat	upx
behavioral2/files/0x00070000000233f6-35.dat	upx
behavioral2/memory/2596-32-0x00007FF6C7C20000-0x00007FF6C7F74000-memory.dmp	upx
behavioral2/memory/5008-19-0x00007FF7F0320000-0x00007FF7F0674000-memory.dmp	upx
behavioral2/files/0x00070000000233f7-40.dat	upx
behavioral2/memory/1528-42-0x00007FF79CE70000-0x00007FF79D1C4000-memory.dmp	upx
behavioral2/memory/2732-41-0x00007FF6534A0000-0x00007FF6537F4000-memory.dmp	upx
behavioral2/memory/4492-14-0x00007FF7C7010000-0x00007FF7C7364000-memory.dmp	upx
behavioral2/memory/228-9-0x00007FF641070000-0x00007FF6413C4000-memory.dmp	upx
behavioral2/files/0x00070000000233f9-47.dat	upx
behavioral2/memory/4704-50-0x00007FF70A6A0000-0x00007FF70A9F4000-memory.dmp	upx
behavioral2/files/0x00070000000233fa-59.dat	upx
behavioral2/files/0x00070000000233fd-70.dat	upx
behavioral2/files/0x00070000000233fc-83.dat	upx
behavioral2/memory/228-85-0x00007FF641070000-0x00007FF6413C4000-memory.dmp	upx
behavioral2/memory/748-91-0x00007FF721260000-0x00007FF7215B4000-memory.dmp	upx
behavioral2/files/0x0007000000023400-93.dat	upx
behavioral2/files/0x00070000000233ff-101.dat	upx
behavioral2/files/0x0007000000023403-120.dat	upx
behavioral2/memory/4924-129-0x00007FF797780000-0x00007FF797AD4000-memory.dmp	upx
behavioral2/memory/3140-131-0x00007FF7BA720000-0x00007FF7BAA74000-memory.dmp	upx
behavioral2/memory/3656-130-0x00007FF6282D0000-0x00007FF628624000-memory.dmp	upx
behavioral2/files/0x0007000000023405-127.dat	upx
behavioral2/memory/5008-126-0x00007FF7F0320000-0x00007FF7F0674000-memory.dmp	upx
behavioral2/memory/4492-125-0x00007FF7C7010000-0x00007FF7C7364000-memory.dmp	upx
behavioral2/memory/1944-124-0x00007FF7BABC0000-0x00007FF7BAF14000-memory.dmp	upx
behavioral2/files/0x0007000000023404-122.dat	upx
behavioral2/memory/4920-119-0x00007FF60FB30000-0x00007FF60FE84000-memory.dmp	upx
behavioral2/files/0x0007000000023402-117.dat	upx
behavioral2/files/0x0007000000023401-115.dat	upx
behavioral2/memory/3272-113-0x00007FF622D20000-0x00007FF623074000-memory.dmp	upx
behavioral2/memory/3480-106-0x00007FF7DC260000-0x00007FF7DC5B4000-memory.dmp	upx
behavioral2/memory/4600-92-0x00007FF6FFCC0000-0x00007FF700014000-memory.dmp	upx
behavioral2/memory/4132-89-0x00007FF73C3F0000-0x00007FF73C744000-memory.dmp	upx
behavioral2/memory/4740-80-0x00007FF7D48F0000-0x00007FF7D4C44000-memory.dmp	upx
behavioral2/files/0x00070000000233fe-79.dat	upx
behavioral2/memory/3680-74-0x00007FF679620000-0x00007FF679974000-memory.dmp	upx
behavioral2/files/0x00070000000233fb-69.dat	upx
behavioral2/memory/2552-68-0x00007FF77A090000-0x00007FF77A3E4000-memory.dmp	upx
behavioral2/memory/4504-58-0x00007FF6251C0000-0x00007FF625514000-memory.dmp	upx
behavioral2/files/0x00080000000233ef-56.dat	upx
behavioral2/memory/4700-132-0x00007FF762EE0000-0x00007FF763234000-memory.dmp	upx
behavioral2/memory/1528-133-0x00007FF79CE70000-0x00007FF79D1C4000-memory.dmp	upx
behavioral2/memory/4704-134-0x00007FF70A6A0000-0x00007FF70A9F4000-memory.dmp	upx
behavioral2/memory/4504-135-0x00007FF6251C0000-0x00007FF625514000-memory.dmp	upx
behavioral2/memory/2552-136-0x00007FF77A090000-0x00007FF77A3E4000-memory.dmp	upx
behavioral2/memory/4132-137-0x00007FF73C3F0000-0x00007FF73C744000-memory.dmp	upx
behavioral2/memory/3480-138-0x00007FF7DC260000-0x00007FF7DC5B4000-memory.dmp	upx
behavioral2/memory/4920-139-0x00007FF60FB30000-0x00007FF60FE84000-memory.dmp	upx
behavioral2/memory/3272-140-0x00007FF622D20000-0x00007FF623074000-memory.dmp	upx
behavioral2/memory/228-141-0x00007FF641070000-0x00007FF6413C4000-memory.dmp	upx
behavioral2/memory/4492-142-0x00007FF7C7010000-0x00007FF7C7364000-memory.dmp	upx
behavioral2/memory/5008-143-0x00007FF7F0320000-0x00007FF7F0674000-memory.dmp	upx
behavioral2/memory/4700-144-0x00007FF762EE0000-0x00007FF763234000-memory.dmp	upx
behavioral2/memory/2596-145-0x00007FF6C7C20000-0x00007FF6C7F74000-memory.dmp	upx
behavioral2/memory/2732-146-0x00007FF6534A0000-0x00007FF6537F4000-memory.dmp	upx
behavioral2/memory/1528-147-0x00007FF79CE70000-0x00007FF79D1C4000-memory.dmp	upx
behavioral2/memory/4704-148-0x00007FF70A6A0000-0x00007FF70A9F4000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\oJhsFTh.exe	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\enaoQVU.exe	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\MtMdTLR.exe	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\PiaNsKs.exe	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\wpvxNOT.exe	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\KqJxQKS.exe	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\bMqmbRD.exe	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\wVeYsKa.exe	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\FLsFmyO.exe	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\DRZdRGm.exe	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\bEMesYN.exe	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\xkhuCul.exe	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\pjbaUKx.exe	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\jHxHadB.exe	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\lsWZRYN.exe	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\WBRoveT.exe	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\yvQuNaL.exe	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\lSLbcvQ.exe	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\AEZIicL.exe	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\VznkUIu.exe	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\lqdmEbD.exe	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4740	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	4740	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4740 wrote to memory of 228	4740	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe	84
PID 4740 wrote to memory of 228	4740	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe	84
PID 4740 wrote to memory of 4492	4740	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe	85
PID 4740 wrote to memory of 4492	4740	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe	85
PID 4740 wrote to memory of 5008	4740	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe	86
PID 4740 wrote to memory of 5008	4740	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe	86
PID 4740 wrote to memory of 4700	4740	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe	87
PID 4740 wrote to memory of 4700	4740	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe	87
PID 4740 wrote to memory of 2596	4740	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe	88
PID 4740 wrote to memory of 2596	4740	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe	88
PID 4740 wrote to memory of 2732	4740	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe	89
PID 4740 wrote to memory of 2732	4740	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe	89
PID 4740 wrote to memory of 1528	4740	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe	90
PID 4740 wrote to memory of 1528	4740	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe	90
PID 4740 wrote to memory of 4704	4740	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe	91
PID 4740 wrote to memory of 4704	4740	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe	91
PID 4740 wrote to memory of 4504	4740	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe	94
PID 4740 wrote to memory of 4504	4740	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe	94
PID 4740 wrote to memory of 2552	4740	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe	95
PID 4740 wrote to memory of 2552	4740	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe	95
PID 4740 wrote to memory of 3680	4740	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe	96
PID 4740 wrote to memory of 3680	4740	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe	96
PID 4740 wrote to memory of 4132	4740	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe	97
PID 4740 wrote to memory of 4132	4740	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe	97
PID 4740 wrote to memory of 748	4740	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe	98
PID 4740 wrote to memory of 748	4740	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe	98
PID 4740 wrote to memory of 4600	4740	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe	99
PID 4740 wrote to memory of 4600	4740	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe	99
PID 4740 wrote to memory of 3480	4740	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe	100
PID 4740 wrote to memory of 3480	4740	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe	100
PID 4740 wrote to memory of 1944	4740	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe	101
PID 4740 wrote to memory of 1944	4740	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe	101
PID 4740 wrote to memory of 4924	4740	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe	102
PID 4740 wrote to memory of 4924	4740	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe	102
PID 4740 wrote to memory of 3272	4740	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe	103
PID 4740 wrote to memory of 3272	4740	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe	103
PID 4740 wrote to memory of 3656	4740	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe	104
PID 4740 wrote to memory of 3656	4740	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe	104
PID 4740 wrote to memory of 4920	4740	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe	105
PID 4740 wrote to memory of 4920	4740	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe	105
PID 4740 wrote to memory of 3140	4740	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe	106
PID 4740 wrote to memory of 3140	4740	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe	106

C:\Users\Admin\AppData\Local\Temp\2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4740
- C:\Windows\System\oJhsFTh.exe
  C:\Windows\System\oJhsFTh.exe
  2⤵
  - Executes dropped EXE
  PID:228
- C:\Windows\System\bMqmbRD.exe
  C:\Windows\System\bMqmbRD.exe
  2⤵
  - Executes dropped EXE
  PID:4492
- C:\Windows\System\lSLbcvQ.exe
  C:\Windows\System\lSLbcvQ.exe
  2⤵
  - Executes dropped EXE
  PID:5008
- C:\Windows\System\pjbaUKx.exe
  C:\Windows\System\pjbaUKx.exe
  2⤵
  - Executes dropped EXE
  PID:4700
- C:\Windows\System\jHxHadB.exe
  C:\Windows\System\jHxHadB.exe
  2⤵
  - Executes dropped EXE
  PID:2596
- C:\Windows\System\AEZIicL.exe
  C:\Windows\System\AEZIicL.exe
  2⤵
  - Executes dropped EXE
  PID:2732
- C:\Windows\System\lsWZRYN.exe
  C:\Windows\System\lsWZRYN.exe
  2⤵
  - Executes dropped EXE
  PID:1528
- C:\Windows\System\VznkUIu.exe
  C:\Windows\System\VznkUIu.exe
  2⤵
  - Executes dropped EXE
  PID:4704
- C:\Windows\System\lqdmEbD.exe
  C:\Windows\System\lqdmEbD.exe
  2⤵
  - Executes dropped EXE
  PID:4504
- C:\Windows\System\wVeYsKa.exe
  C:\Windows\System\wVeYsKa.exe
  2⤵
  - Executes dropped EXE
  PID:2552
- C:\Windows\System\enaoQVU.exe
  C:\Windows\System\enaoQVU.exe
  2⤵
  - Executes dropped EXE
  PID:3680
- C:\Windows\System\FLsFmyO.exe
  C:\Windows\System\FLsFmyO.exe
  2⤵
  - Executes dropped EXE
  PID:4132
- C:\Windows\System\WBRoveT.exe
  C:\Windows\System\WBRoveT.exe
  2⤵
  - Executes dropped EXE
  PID:748
- C:\Windows\System\DRZdRGm.exe
  C:\Windows\System\DRZdRGm.exe
  2⤵
  - Executes dropped EXE
  PID:4600
- C:\Windows\System\bEMesYN.exe
  C:\Windows\System\bEMesYN.exe
  2⤵
  - Executes dropped EXE
  PID:3480
- C:\Windows\System\MtMdTLR.exe
  C:\Windows\System\MtMdTLR.exe
  2⤵
  - Executes dropped EXE
  PID:1944
- C:\Windows\System\wpvxNOT.exe
  C:\Windows\System\wpvxNOT.exe
  2⤵
  - Executes dropped EXE
  PID:4924
- C:\Windows\System\yvQuNaL.exe
  C:\Windows\System\yvQuNaL.exe
  2⤵
  - Executes dropped EXE
  PID:3272
- C:\Windows\System\KqJxQKS.exe
  C:\Windows\System\KqJxQKS.exe
  2⤵
  - Executes dropped EXE
  PID:3656
- C:\Windows\System\PiaNsKs.exe
  C:\Windows\System\PiaNsKs.exe
  2⤵
  - Executes dropped EXE
  PID:4920
- C:\Windows\System\xkhuCul.exe
  C:\Windows\System\xkhuCul.exe
  2⤵
  - Executes dropped EXE
  PID:3140

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AEZIicL.exe

Filesize
5.9MB

MD5
86be3ec6b976ebd46dde95931272d204

SHA1
a4d09225ed59f6ee29c10d81793f5b04642a5f2f

SHA256
ea1e4b867086fd801c3d78f8de5d4658b40aa8cc033e84987be834f00e68c236

SHA512
441de68bc8244dd19c6e0463843da91c2ed2d9568f67806c9e4440a54798a771e8b229eeeec63e1604a58f131f29f0d28e0ae97bbc21feafd774d1bf8e2afa04

Download Submit
C:\Windows\System\DRZdRGm.exe

Filesize
5.9MB

MD5
fcf9df38051f9f8af99a6ef65ff727bf

SHA1
fd85283df171e8bc57a95ae5a57ca26a8775c65f

SHA256
29e10845b497f04d26b96d087a6bd8885ca3b5aefe5d12348c0524e2f90fb42c

SHA512
345eec64104ef337018123c6cbc79561a958d114d589067ac4e558a64b635a27f7ca46a07880396805251666f2141515b688c80c49975c39da5dbf050b9da9f8

Download Submit
C:\Windows\System\FLsFmyO.exe

Filesize
5.9MB

MD5
3f3f85af377054fb953f8e07b82f3d3a

SHA1
829bc1ad065db0549b62a8659aeae58cb8915bca

SHA256
a31aed6e59a14b6d7556784b4b5479f509291ba3b9ffe61048de8e305901630f

SHA512
a7a537e0827b8f7a756b51087114d5a65ae56017a72bd8af589390d679fb67d9ea60c6017fe9d7333bb5d0956a100473281f53001b16f5a79fa1fb73a96243e3

Download Submit
C:\Windows\System\KqJxQKS.exe

Filesize
5.9MB

MD5
f434349ed734ec59911ab6ee2689fd88

SHA1
ad3ef24c2b57887f4f9f3716995d27ccb83e0498

SHA256
7ad42dfe26efe4aae0b0279df38273a153d4b856c740a97d15afba21925a87dc

SHA512
c0dee72dbeec988f272deb3942e60eabc0337f1d49286bb639424ec101e05f166327b999f44257eab1f645d463222151a32c2b98ae8d03851d41b721026b4955

Download Submit
C:\Windows\System\MtMdTLR.exe

Filesize
5.9MB

MD5
e822a19e9caa1986def9aa8d95ba1721

SHA1
71e093c60388fb2ecb12d2e30bcaad67d578fba4

SHA256
b477f2a66f5232fd48cfe859c552f13189eef3bccfc218a9b0e5890aaf5eb0fd

SHA512
e5a5712a770ec51d48014f3b2f3fde1d307154bdd34731c2513a4ccaf3c6491042a55c9b6399bbd9630708e6746e735045b4be0e709316000ea886ccf4cd61a6

Download Submit
C:\Windows\System\PiaNsKs.exe

Filesize
5.9MB

MD5
2579fb063c5cf92b15e6ab64bd46bab7

SHA1
2a7ab2dee4b98f8fb23746619da4428105b9b690

SHA256
3a42e245709f3bdf76f1d65ad4a3336af53c3ed8c830b906d950e514e02a8f16

SHA512
c282a266d19dd9c8f137610a43a9df5d279a432699226e5500ec062def8b61dc28f8c0c36a6f40e35c4fcc927a3ca338ca8009905dad31be114fa9f0a534f03f

Download Submit
C:\Windows\System\VznkUIu.exe

Filesize
5.9MB

MD5
d1220705a62d03eddb5dc93103826db3

SHA1
2d791e021f2c6df28c73b613eeb5ee5ac38a5598

SHA256
b2d92b4f4741fae2061c46718f4a7727fde96f4a1d491c5d79b52aa189234263

SHA512
fadd8a0bb5e45cb08ce5f8f8c0f1c8efb78b46af17a94a5df08af6c1284e7cb121da7cd43902d7d388bd87cde7e463b8b67491cfb91177465237bea95b9c7ca1

Download Submit
C:\Windows\System\WBRoveT.exe

Filesize
5.9MB

MD5
de2ba8cb51294f6e92e3fe60170e7e3a

SHA1
db51a9f2c60c214cb77117cb1c7d9e935837648b

SHA256
db16c16ddc5e18f103e7ec623f67b9015630e056936e35c1b77a9790af7c339b

SHA512
7e75088ddb7b68ade8ba2b66981897bc97fcc30afcf8c334ba2daffcd431819cdeb53cd3d7a97df9d556d4e8799fc1d101c805e12adcbd64141d9cf34dd4fec4

Download Submit
C:\Windows\System\bEMesYN.exe

Filesize
5.9MB

MD5
08c262c5aaef0ecc2489775b33bfc691

SHA1
b1bc7ced9ccc6e83a5730a15a0159bdad8676492

SHA256
09693eec3937860164ac7701ad5a8b5b7d90b5bebb0ae36684bd94c48d945d01

SHA512
4559f5368c9a8d9ffe5d334e75ed140aa41e2ed2c2b518461cf73c2e1229d499e7a395eec8a7c018fbae01d3eefcbc0ab5ea63ce820ccdd9da38a1c6469e22b8

Download Submit
C:\Windows\System\bMqmbRD.exe

Filesize
5.9MB

MD5
5629f922e23667e098109bf16a632654

SHA1
1aaf729e786c333e7162e93e50812fde8813b414

SHA256
5cfff3b415978e96fef287631a5998c92ad6f0be6447444ecc264b4ec4ffe99f

SHA512
09eab172552a264e73e69835b191d459556c972d42e91662abc7871b1bda3614bde6926b5cf4bf7f7e98877e34d521c006244ebcc74c01426268f4f7318889f2

Download Submit
C:\Windows\System\enaoQVU.exe

Filesize
5.9MB

MD5
3a842076766d4cc3575e627d19518eb2

SHA1
a5f7e7b5d1a43ef3db91eb7d2071c2528747477e

SHA256
a015e8ad3fe19b1371958b21379e90f1b059b5f0432f2c42ca7e2c641a4408ac

SHA512
7f44b65115342f45f342f4f48360ff8ec02a35049f2f703f15ee5144d4fa9b1061bbef0f45c74cb2dab9f44ba416579029c6082b4b6fc83bf7bbd28c04c0de70

Download Submit
C:\Windows\System\jHxHadB.exe

Filesize
5.9MB

MD5
0bda056c0f72d349a87a68267ada6111

SHA1
71403865d23de3134edd94a5854bdf275ec26ec3

SHA256
e0862730f57bb39c34443466d0eed172f106a2b4c8356f077e37b4670907774c

SHA512
47247a13bbcde9a77cfbcfd9de1cfe1ae77919350c9ac6db4adbce9294c0eccabc640aa1af7d5dee5cdfe82e8ee32f1a76ead84c141bd8c82aea88739720bb5e

Download Submit
C:\Windows\System\lSLbcvQ.exe

Filesize
5.9MB

MD5
13cc4e1ccdacfa061aa4e4f546b9b884

SHA1
52916eb27d16a4d72b99e733c407d733479c6de9

SHA256
b9f281969524a4f15321223440cc1ce459b1ab2ff1d0a5f2f9be1c0c22c9efda

SHA512
2dbc3d52640aef770722af0853685cf44cc95e6a067c142015d90616e8b28ef36c9dd5fc20812dda43f266bcc1292746663f3bc1686eafa6000b23d61ca4c55c

Download Submit
C:\Windows\System\lqdmEbD.exe

Filesize
5.9MB

MD5
ad7f475c152ade12fde73fcccd6d8bea

SHA1
a448976dc8ef6dd75801df9dcebae931607cda46

SHA256
86c7f99f1aedaf6feec5df5ec3737e6605f186ea33e317dee38e09d42e7e6711

SHA512
d695725a0790908af38c1073386884a177f7b92feaded25d51ed62cc751b825fc8b6c96762f88514c61b032b61562451976f84fcdb52fa053f4e3a37e1c5fb4c

Download Submit
C:\Windows\System\lsWZRYN.exe

Filesize
5.9MB

MD5
25a7e4e112ff8e1c8af4a768577507b3

SHA1
0958af4669f5d2208c166a84e3baa438a47ba11b

SHA256
bcfb0db2c2067bcfa7574e44b0262019aa003333f434ecbbdb3b98e8fa003798

SHA512
61eb4d09288bd38813258bdf6eb0c5ee5d70c2952d2978adcf5c9f280f65c7f9fad1e09807e68472a1c0a10e8df893589c7b97ca412e657898653281614d4336

Download Submit
C:\Windows\System\oJhsFTh.exe

Filesize
5.9MB

MD5
5a41f04f40bee0ec82ee9c6c78e2c897

SHA1
2263982762c2c16993b85b28a9afabe825fc0ead

SHA256
cf24eb2c1e793b092e4c1328861e58d77ebcad369f71e03df0df573ca703858b

SHA512
91ba94d36d26b044f4bb8a8b1dd3583ce3a7a097f09a506e92143bd52e4a89638f18b2f50c41c8493533034c5ec884bd402f47d44e1e1a1930de4832b5fc3ced

Download Submit
C:\Windows\System\pjbaUKx.exe

Filesize
5.9MB

MD5
71c16597b18b06517d1f5a5a5832066c

SHA1
451d2292c5a9f76f4f7cb8e77d9354ff6c00a853

SHA256
64a934e6a59735ee6c5addb5e4a861c3ea08db9afaef2462ab6a220a95c1f446

SHA512
c3491d295ecbd1e71fd0a683e1e852cf5e0db0db2aabf253a1c29484786e9493eda86a5632dd57d7df40f40fed6c0b4df9c4c01cfc1aa7d075be0252fdad233e

Download Submit
C:\Windows\System\wVeYsKa.exe

Filesize
5.9MB

MD5
1d8d2ca05ca7c5cfd9a83a6c5a851617

SHA1
76a3851e3acfc27706a4ad4fcba0f95a47ca2f89

SHA256
6859ab0119965b08c06a31213e0d86b05f2f7f90fae89911119a1367f43e3481

SHA512
147bd22c22efa3961429ba046e88714415d357c9d0892db28835bbfecc9d855bff76665dc69981074996f923395d898be6c934ebc7b00c1fd6d5f9f6c1d66650

Download Submit
C:\Windows\System\wpvxNOT.exe

Filesize
5.9MB

MD5
f67fe05a42deae81f7b155769a02baf8

SHA1
fbcd0bd22caab910ef340dd098fec9631710f51b

SHA256
9f1c25c485e95553f4dae69b523a06c16784d43d3c86bd5262bb2d19ff2e9d9b

SHA512
abd0b1c5cdad0e1b288e649ed1606da23c46b564a13f95a8493872b62b5dae28ffca004f33fd0b7805d58de7db91a5ffcbc3e2b2dbc9d7b9bec59f025b25cce4

Download Submit
C:\Windows\System\xkhuCul.exe

Filesize
5.9MB

MD5
06987a68984db16240dc694b190d29fa

SHA1
219b15e3123586f6232438888c03673cf363964b

SHA256
39d78e025750579e9a6627934950508daa3770724730facef506a4576170bc41

SHA512
51c4a0e24763ed65aee61aca2fffa5ab392cffd490f6da9affdb9dadcec36d9a183e0db12a2660fd24e40c3b2aa627dcd4913e0fcaed0cadf0c72c182376dac3

Download Submit
C:\Windows\System\yvQuNaL.exe

Filesize
5.9MB

MD5
6266a7c885dece19f09f092c500f7ed1

SHA1
9db36484887e927c4d396409fcca598bfa36807d

SHA256
ee7fe626a5332ecb5868e5a041a4a44e414aec7506b8fd657416ca8a8416b776

SHA512
103377c4bbe1021a7d332f1ee8b5b09159f9bccb8fbbdf3afbeee383d3b29283069ea452bcd03b01229dd4cc63d8d8e106e2e94298df9a4d62d31c2aed6944cc

Download Submit
memory/228-141-0x00007FF641070000-0x00007FF6413C4000-memory.dmp

Filesize
3.3MB

Download
memory/228-85-0x00007FF641070000-0x00007FF6413C4000-memory.dmp

Filesize
3.3MB

Download
memory/228-9-0x00007FF641070000-0x00007FF6413C4000-memory.dmp

Filesize
3.3MB

Download
memory/748-91-0x00007FF721260000-0x00007FF7215B4000-memory.dmp

Filesize
3.3MB

Download
memory/748-154-0x00007FF721260000-0x00007FF7215B4000-memory.dmp

Filesize
3.3MB

Download
memory/1528-147-0x00007FF79CE70000-0x00007FF79D1C4000-memory.dmp

Filesize
3.3MB

Download
memory/1528-133-0x00007FF79CE70000-0x00007FF79D1C4000-memory.dmp

Filesize
3.3MB

Download
memory/1528-42-0x00007FF79CE70000-0x00007FF79D1C4000-memory.dmp

Filesize
3.3MB

Download
memory/1944-124-0x00007FF7BABC0000-0x00007FF7BAF14000-memory.dmp

Filesize
3.3MB

Download
memory/1944-157-0x00007FF7BABC0000-0x00007FF7BAF14000-memory.dmp

Filesize
3.3MB

Download
memory/2552-136-0x00007FF77A090000-0x00007FF77A3E4000-memory.dmp

Filesize
3.3MB

Download
memory/2552-151-0x00007FF77A090000-0x00007FF77A3E4000-memory.dmp

Filesize
3.3MB

Download
memory/2552-68-0x00007FF77A090000-0x00007FF77A3E4000-memory.dmp

Filesize
3.3MB

Download
memory/2596-32-0x00007FF6C7C20000-0x00007FF6C7F74000-memory.dmp

Filesize
3.3MB

Download
memory/2596-145-0x00007FF6C7C20000-0x00007FF6C7F74000-memory.dmp

Filesize
3.3MB

Download
memory/2732-146-0x00007FF6534A0000-0x00007FF6537F4000-memory.dmp

Filesize
3.3MB

Download
memory/2732-41-0x00007FF6534A0000-0x00007FF6537F4000-memory.dmp

Filesize
3.3MB

Download
memory/3140-131-0x00007FF7BA720000-0x00007FF7BAA74000-memory.dmp

Filesize
3.3MB

Download
memory/3140-161-0x00007FF7BA720000-0x00007FF7BAA74000-memory.dmp

Filesize
3.3MB

Download
memory/3272-140-0x00007FF622D20000-0x00007FF623074000-memory.dmp

Filesize
3.3MB

Download
memory/3272-159-0x00007FF622D20000-0x00007FF623074000-memory.dmp

Filesize
3.3MB

Download
memory/3272-113-0x00007FF622D20000-0x00007FF623074000-memory.dmp

Filesize
3.3MB

Download
memory/3480-138-0x00007FF7DC260000-0x00007FF7DC5B4000-memory.dmp

Filesize
3.3MB

Download
memory/3480-155-0x00007FF7DC260000-0x00007FF7DC5B4000-memory.dmp

Filesize
3.3MB

Download
memory/3480-106-0x00007FF7DC260000-0x00007FF7DC5B4000-memory.dmp

Filesize
3.3MB

Download
memory/3656-130-0x00007FF6282D0000-0x00007FF628624000-memory.dmp

Filesize
3.3MB

Download
memory/3656-156-0x00007FF6282D0000-0x00007FF628624000-memory.dmp

Filesize
3.3MB

Download
memory/3680-150-0x00007FF679620000-0x00007FF679974000-memory.dmp

Filesize
3.3MB

Download
memory/3680-74-0x00007FF679620000-0x00007FF679974000-memory.dmp

Filesize
3.3MB

Download
memory/4132-152-0x00007FF73C3F0000-0x00007FF73C744000-memory.dmp

Filesize
3.3MB

Download
memory/4132-137-0x00007FF73C3F0000-0x00007FF73C744000-memory.dmp

Filesize
3.3MB

Download
memory/4132-89-0x00007FF73C3F0000-0x00007FF73C744000-memory.dmp

Filesize
3.3MB

Download
memory/4492-14-0x00007FF7C7010000-0x00007FF7C7364000-memory.dmp

Filesize
3.3MB

Download
memory/4492-142-0x00007FF7C7010000-0x00007FF7C7364000-memory.dmp

Filesize
3.3MB

Download
memory/4492-125-0x00007FF7C7010000-0x00007FF7C7364000-memory.dmp

Filesize
3.3MB

Download
memory/4504-58-0x00007FF6251C0000-0x00007FF625514000-memory.dmp

Filesize
3.3MB

Download
memory/4504-135-0x00007FF6251C0000-0x00007FF625514000-memory.dmp

Filesize
3.3MB

Download
memory/4504-149-0x00007FF6251C0000-0x00007FF625514000-memory.dmp

Filesize
3.3MB

Download
memory/4600-153-0x00007FF6FFCC0000-0x00007FF700014000-memory.dmp

Filesize
3.3MB

Download
memory/4600-92-0x00007FF6FFCC0000-0x00007FF700014000-memory.dmp

Filesize
3.3MB

Download
memory/4700-24-0x00007FF762EE0000-0x00007FF763234000-memory.dmp

Filesize
3.3MB

Download
memory/4700-144-0x00007FF762EE0000-0x00007FF763234000-memory.dmp

Filesize
3.3MB

Download
memory/4700-132-0x00007FF762EE0000-0x00007FF763234000-memory.dmp

Filesize
3.3MB

Download
memory/4704-134-0x00007FF70A6A0000-0x00007FF70A9F4000-memory.dmp

Filesize
3.3MB

Download
memory/4704-50-0x00007FF70A6A0000-0x00007FF70A9F4000-memory.dmp

Filesize
3.3MB

Download
memory/4704-148-0x00007FF70A6A0000-0x00007FF70A9F4000-memory.dmp

Filesize
3.3MB

Download
memory/4740-1-0x00000211DB500000-0x00000211DB510000-memory.dmp

Filesize
64KB

Download
memory/4740-80-0x00007FF7D48F0000-0x00007FF7D4C44000-memory.dmp

Filesize
3.3MB

Download
memory/4740-0-0x00007FF7D48F0000-0x00007FF7D4C44000-memory.dmp

Filesize
3.3MB

Download
memory/4920-139-0x00007FF60FB30000-0x00007FF60FE84000-memory.dmp

Filesize
3.3MB

Download
memory/4920-119-0x00007FF60FB30000-0x00007FF60FE84000-memory.dmp

Filesize
3.3MB

Download
memory/4920-160-0x00007FF60FB30000-0x00007FF60FE84000-memory.dmp

Filesize
3.3MB

Download
memory/4924-158-0x00007FF797780000-0x00007FF797AD4000-memory.dmp

Filesize
3.3MB

Download
memory/4924-129-0x00007FF797780000-0x00007FF797AD4000-memory.dmp

Filesize
3.3MB

Download
memory/5008-19-0x00007FF7F0320000-0x00007FF7F0674000-memory.dmp

Filesize
3.3MB

Download
memory/5008-126-0x00007FF7F0320000-0x00007FF7F0674000-memory.dmp

Filesize
3.3MB

Download
memory/5008-143-0x00007FF7F0320000-0x00007FF7F0674000-memory.dmp

Filesize
3.3MB

Download