cobaltstrike | 50ae37b1eb10c084fcb62903ccf822fe4faa77e402d62e4c497fbea27e02e927

Analysis

max time kernel
140s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
03-06-2024 00:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe
Size

5.9MB
MD5

426b22a573fcc58a628a1099c6785775
SHA1

7d7c0d8b4a1bafe67c52fb8e2dfb7db489f53d52
SHA256

50ae37b1eb10c084fcb62903ccf822fe4faa77e402d62e4c497fbea27e02e927
SHA512

b212abfb0b9a3c5a20a62aea0b99d3731a56a9e86b2f2b5416c8ab72240624ce801c43dc9e8fd664691100d0c15e61ed9bfd1d53f643fdfbed95b290143d1698
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUj:Q+856utgpPF8u/7j

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0008000000023432-4.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023433-11.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023434-12.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023435-24.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023436-28.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023437-35.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023430-38.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023438-49.dat	cobalt_reflective_dll
behavioral2/files/0x000b00000002296a-53.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023392-60.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023394-69.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002343c-91.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002343f-114.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002343e-112.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023440-123.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002343d-110.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002343b-90.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002343a-87.dat	cobalt_reflective_dll
behavioral2/files/0x000c000000023393-76.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023442-135.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023441-129.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023432-4.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023433-11.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023434-12.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023435-24.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023436-28.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023437-35.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0008000000023430-38.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023438-49.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000b00000002296a-53.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000a000000023392-60.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000b000000023394-69.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002343c-91.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002343f-114.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002343e-112.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023440-123.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002343d-110.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002343b-90.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002343a-87.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000c000000023393-76.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023442-135.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023441-129.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

resource	yara_rule
behavioral2/memory/2692-0-0x00007FF795440000-0x00007FF795794000-memory.dmp	UPX
behavioral2/files/0x0008000000023432-4.dat	UPX
behavioral2/files/0x0007000000023433-11.dat	UPX
behavioral2/files/0x0007000000023434-12.dat	UPX
behavioral2/memory/1380-14-0x00007FF62A530000-0x00007FF62A884000-memory.dmp	UPX
behavioral2/memory/1588-8-0x00007FF66CC80000-0x00007FF66CFD4000-memory.dmp	UPX
behavioral2/memory/2344-20-0x00007FF704EB0000-0x00007FF705204000-memory.dmp	UPX
behavioral2/files/0x0007000000023435-24.dat	UPX
behavioral2/files/0x0007000000023436-28.dat	UPX
behavioral2/memory/3568-30-0x00007FF7553E0000-0x00007FF755734000-memory.dmp	UPX
behavioral2/memory/1748-25-0x00007FF708710000-0x00007FF708A64000-memory.dmp	UPX
behavioral2/files/0x0007000000023437-35.dat	UPX
behavioral2/files/0x0008000000023430-38.dat	UPX
behavioral2/memory/4116-43-0x00007FF735250000-0x00007FF7355A4000-memory.dmp	UPX
behavioral2/memory/3656-37-0x00007FF6E2840000-0x00007FF6E2B94000-memory.dmp	UPX
behavioral2/files/0x0007000000023438-49.dat	UPX
behavioral2/files/0x000b00000002296a-53.dat	UPX
behavioral2/memory/4200-54-0x00007FF6F3900000-0x00007FF6F3C54000-memory.dmp	UPX
behavioral2/files/0x000a000000023392-60.dat	UPX
behavioral2/memory/2692-64-0x00007FF795440000-0x00007FF795794000-memory.dmp	UPX
behavioral2/memory/1588-67-0x00007FF66CC80000-0x00007FF66CFD4000-memory.dmp	UPX
behavioral2/files/0x000b000000023394-69.dat	UPX
behavioral2/files/0x000700000002343c-91.dat	UPX
behavioral2/memory/5080-105-0x00007FF60E280000-0x00007FF60E5D4000-memory.dmp	UPX
behavioral2/files/0x000700000002343f-114.dat	UPX
behavioral2/files/0x000700000002343e-112.dat	UPX
behavioral2/files/0x0007000000023440-123.dat	UPX
behavioral2/memory/4928-122-0x00007FF66D9C0000-0x00007FF66DD14000-memory.dmp	UPX
behavioral2/memory/4116-121-0x00007FF735250000-0x00007FF7355A4000-memory.dmp	UPX
behavioral2/memory/1832-119-0x00007FF76A920000-0x00007FF76AC74000-memory.dmp	UPX
behavioral2/files/0x000700000002343d-110.dat	UPX
behavioral2/memory/1500-109-0x00007FF69BBC0000-0x00007FF69BF14000-memory.dmp	UPX
behavioral2/memory/2152-108-0x00007FF66D240000-0x00007FF66D594000-memory.dmp	UPX
behavioral2/memory/3656-104-0x00007FF6E2840000-0x00007FF6E2B94000-memory.dmp	UPX
behavioral2/memory/3568-97-0x00007FF7553E0000-0x00007FF755734000-memory.dmp	UPX
behavioral2/memory/3848-96-0x00007FF74B060000-0x00007FF74B3B4000-memory.dmp	UPX
behavioral2/memory/224-88-0x00007FF6BCFB0000-0x00007FF6BD304000-memory.dmp	UPX
behavioral2/files/0x000700000002343b-90.dat	UPX
behavioral2/memory/1748-89-0x00007FF708710000-0x00007FF708A64000-memory.dmp	UPX
behavioral2/memory/2344-82-0x00007FF704EB0000-0x00007FF705204000-memory.dmp	UPX
behavioral2/memory/1140-81-0x00007FF686C60000-0x00007FF686FB4000-memory.dmp	UPX
behavioral2/files/0x000700000002343a-87.dat	UPX
behavioral2/files/0x000c000000023393-76.dat	UPX
behavioral2/memory/1380-74-0x00007FF62A530000-0x00007FF62A884000-memory.dmp	UPX
behavioral2/memory/4488-70-0x00007FF738AD0000-0x00007FF738E24000-memory.dmp	UPX
behavioral2/memory/4208-66-0x00007FF642E20000-0x00007FF643174000-memory.dmp	UPX
behavioral2/memory/3988-48-0x00007FF6618F0000-0x00007FF661C44000-memory.dmp	UPX
behavioral2/memory/4200-133-0x00007FF6F3900000-0x00007FF6F3C54000-memory.dmp	UPX
behavioral2/files/0x0007000000023442-135.dat	UPX
behavioral2/memory/3200-132-0x00007FF7E1920000-0x00007FF7E1C74000-memory.dmp	UPX
behavioral2/memory/3988-128-0x00007FF6618F0000-0x00007FF661C44000-memory.dmp	UPX
behavioral2/files/0x0007000000023441-129.dat	UPX
behavioral2/memory/2876-137-0x00007FF6A8B80000-0x00007FF6A8ED4000-memory.dmp	UPX
behavioral2/memory/4488-138-0x00007FF738AD0000-0x00007FF738E24000-memory.dmp	UPX
behavioral2/memory/224-139-0x00007FF6BCFB0000-0x00007FF6BD304000-memory.dmp	UPX
behavioral2/memory/3848-140-0x00007FF74B060000-0x00007FF74B3B4000-memory.dmp	UPX
behavioral2/memory/1500-143-0x00007FF69BBC0000-0x00007FF69BF14000-memory.dmp	UPX
behavioral2/memory/2152-142-0x00007FF66D240000-0x00007FF66D594000-memory.dmp	UPX
behavioral2/memory/5080-141-0x00007FF60E280000-0x00007FF60E5D4000-memory.dmp	UPX
behavioral2/memory/3200-145-0x00007FF7E1920000-0x00007FF7E1C74000-memory.dmp	UPX
behavioral2/memory/4928-144-0x00007FF66D9C0000-0x00007FF66DD14000-memory.dmp	UPX
behavioral2/memory/2876-146-0x00007FF6A8B80000-0x00007FF6A8ED4000-memory.dmp	UPX
behavioral2/memory/1588-147-0x00007FF66CC80000-0x00007FF66CFD4000-memory.dmp	UPX
behavioral2/memory/1380-148-0x00007FF62A530000-0x00007FF62A884000-memory.dmp	UPX

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/2692-0-0x00007FF795440000-0x00007FF795794000-memory.dmp	xmrig
behavioral2/files/0x0008000000023432-4.dat	xmrig
behavioral2/files/0x0007000000023433-11.dat	xmrig
behavioral2/files/0x0007000000023434-12.dat	xmrig
behavioral2/memory/1380-14-0x00007FF62A530000-0x00007FF62A884000-memory.dmp	xmrig
behavioral2/memory/1588-8-0x00007FF66CC80000-0x00007FF66CFD4000-memory.dmp	xmrig
behavioral2/memory/2344-20-0x00007FF704EB0000-0x00007FF705204000-memory.dmp	xmrig
behavioral2/files/0x0007000000023435-24.dat	xmrig
behavioral2/files/0x0007000000023436-28.dat	xmrig
behavioral2/memory/3568-30-0x00007FF7553E0000-0x00007FF755734000-memory.dmp	xmrig
behavioral2/memory/1748-25-0x00007FF708710000-0x00007FF708A64000-memory.dmp	xmrig
behavioral2/files/0x0007000000023437-35.dat	xmrig
behavioral2/files/0x0008000000023430-38.dat	xmrig
behavioral2/memory/4116-43-0x00007FF735250000-0x00007FF7355A4000-memory.dmp	xmrig
behavioral2/memory/3656-37-0x00007FF6E2840000-0x00007FF6E2B94000-memory.dmp	xmrig
behavioral2/files/0x0007000000023438-49.dat	xmrig
behavioral2/files/0x000b00000002296a-53.dat	xmrig
behavioral2/memory/4200-54-0x00007FF6F3900000-0x00007FF6F3C54000-memory.dmp	xmrig
behavioral2/files/0x000a000000023392-60.dat	xmrig
behavioral2/memory/2692-64-0x00007FF795440000-0x00007FF795794000-memory.dmp	xmrig
behavioral2/memory/1588-67-0x00007FF66CC80000-0x00007FF66CFD4000-memory.dmp	xmrig
behavioral2/files/0x000b000000023394-69.dat	xmrig
behavioral2/files/0x000700000002343c-91.dat	xmrig
behavioral2/memory/5080-105-0x00007FF60E280000-0x00007FF60E5D4000-memory.dmp	xmrig
behavioral2/files/0x000700000002343f-114.dat	xmrig
behavioral2/files/0x000700000002343e-112.dat	xmrig
behavioral2/files/0x0007000000023440-123.dat	xmrig
behavioral2/memory/4928-122-0x00007FF66D9C0000-0x00007FF66DD14000-memory.dmp	xmrig
behavioral2/memory/4116-121-0x00007FF735250000-0x00007FF7355A4000-memory.dmp	xmrig
behavioral2/memory/1832-119-0x00007FF76A920000-0x00007FF76AC74000-memory.dmp	xmrig
behavioral2/files/0x000700000002343d-110.dat	xmrig
behavioral2/memory/1500-109-0x00007FF69BBC0000-0x00007FF69BF14000-memory.dmp	xmrig
behavioral2/memory/2152-108-0x00007FF66D240000-0x00007FF66D594000-memory.dmp	xmrig
behavioral2/memory/3656-104-0x00007FF6E2840000-0x00007FF6E2B94000-memory.dmp	xmrig
behavioral2/memory/3568-97-0x00007FF7553E0000-0x00007FF755734000-memory.dmp	xmrig
behavioral2/memory/3848-96-0x00007FF74B060000-0x00007FF74B3B4000-memory.dmp	xmrig
behavioral2/memory/224-88-0x00007FF6BCFB0000-0x00007FF6BD304000-memory.dmp	xmrig
behavioral2/files/0x000700000002343b-90.dat	xmrig
behavioral2/memory/1748-89-0x00007FF708710000-0x00007FF708A64000-memory.dmp	xmrig
behavioral2/memory/2344-82-0x00007FF704EB0000-0x00007FF705204000-memory.dmp	xmrig
behavioral2/memory/1140-81-0x00007FF686C60000-0x00007FF686FB4000-memory.dmp	xmrig
behavioral2/files/0x000700000002343a-87.dat	xmrig
behavioral2/files/0x000c000000023393-76.dat	xmrig
behavioral2/memory/1380-74-0x00007FF62A530000-0x00007FF62A884000-memory.dmp	xmrig
behavioral2/memory/4488-70-0x00007FF738AD0000-0x00007FF738E24000-memory.dmp	xmrig
behavioral2/memory/4208-66-0x00007FF642E20000-0x00007FF643174000-memory.dmp	xmrig
behavioral2/memory/3988-48-0x00007FF6618F0000-0x00007FF661C44000-memory.dmp	xmrig
behavioral2/memory/4200-133-0x00007FF6F3900000-0x00007FF6F3C54000-memory.dmp	xmrig
behavioral2/files/0x0007000000023442-135.dat	xmrig
behavioral2/memory/3200-132-0x00007FF7E1920000-0x00007FF7E1C74000-memory.dmp	xmrig
behavioral2/memory/3988-128-0x00007FF6618F0000-0x00007FF661C44000-memory.dmp	xmrig
behavioral2/files/0x0007000000023441-129.dat	xmrig
behavioral2/memory/2876-137-0x00007FF6A8B80000-0x00007FF6A8ED4000-memory.dmp	xmrig
behavioral2/memory/4488-138-0x00007FF738AD0000-0x00007FF738E24000-memory.dmp	xmrig
behavioral2/memory/224-139-0x00007FF6BCFB0000-0x00007FF6BD304000-memory.dmp	xmrig
behavioral2/memory/3848-140-0x00007FF74B060000-0x00007FF74B3B4000-memory.dmp	xmrig
behavioral2/memory/1500-143-0x00007FF69BBC0000-0x00007FF69BF14000-memory.dmp	xmrig
behavioral2/memory/2152-142-0x00007FF66D240000-0x00007FF66D594000-memory.dmp	xmrig
behavioral2/memory/5080-141-0x00007FF60E280000-0x00007FF60E5D4000-memory.dmp	xmrig
behavioral2/memory/3200-145-0x00007FF7E1920000-0x00007FF7E1C74000-memory.dmp	xmrig
behavioral2/memory/4928-144-0x00007FF66D9C0000-0x00007FF66DD14000-memory.dmp	xmrig
behavioral2/memory/2876-146-0x00007FF6A8B80000-0x00007FF6A8ED4000-memory.dmp	xmrig
behavioral2/memory/1588-147-0x00007FF66CC80000-0x00007FF66CFD4000-memory.dmp	xmrig
behavioral2/memory/1380-148-0x00007FF62A530000-0x00007FF62A884000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
1588	giMtknl.exe
1380	LWpmqSl.exe
2344	rlSoUBw.exe
1748	MyMNvVX.exe
3568	XpYBcxK.exe
3656	hHIWUnA.exe
4116	ckCSlND.exe
3988	OWReGtc.exe
4200	duLRmrU.exe
4208	TGGPTqR.exe
4488	HvxKoBo.exe
1140	eiPtstu.exe
224	naWAwWv.exe
3848	swvpOdD.exe
5080	mhRjaPi.exe
1832	AtJSWen.exe
2152	nTYVEVA.exe
1500	njKBLGX.exe
4928	lbBDMNO.exe
3200	Opdwcqi.exe
2876	ysaZblL.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2692-0-0x00007FF795440000-0x00007FF795794000-memory.dmp	upx
behavioral2/files/0x0008000000023432-4.dat	upx
behavioral2/files/0x0007000000023433-11.dat	upx
behavioral2/files/0x0007000000023434-12.dat	upx
behavioral2/memory/1380-14-0x00007FF62A530000-0x00007FF62A884000-memory.dmp	upx
behavioral2/memory/1588-8-0x00007FF66CC80000-0x00007FF66CFD4000-memory.dmp	upx
behavioral2/memory/2344-20-0x00007FF704EB0000-0x00007FF705204000-memory.dmp	upx
behavioral2/files/0x0007000000023435-24.dat	upx
behavioral2/files/0x0007000000023436-28.dat	upx
behavioral2/memory/3568-30-0x00007FF7553E0000-0x00007FF755734000-memory.dmp	upx
behavioral2/memory/1748-25-0x00007FF708710000-0x00007FF708A64000-memory.dmp	upx
behavioral2/files/0x0007000000023437-35.dat	upx
behavioral2/files/0x0008000000023430-38.dat	upx
behavioral2/memory/4116-43-0x00007FF735250000-0x00007FF7355A4000-memory.dmp	upx
behavioral2/memory/3656-37-0x00007FF6E2840000-0x00007FF6E2B94000-memory.dmp	upx
behavioral2/files/0x0007000000023438-49.dat	upx
behavioral2/files/0x000b00000002296a-53.dat	upx
behavioral2/memory/4200-54-0x00007FF6F3900000-0x00007FF6F3C54000-memory.dmp	upx
behavioral2/files/0x000a000000023392-60.dat	upx
behavioral2/memory/2692-64-0x00007FF795440000-0x00007FF795794000-memory.dmp	upx
behavioral2/memory/1588-67-0x00007FF66CC80000-0x00007FF66CFD4000-memory.dmp	upx
behavioral2/files/0x000b000000023394-69.dat	upx
behavioral2/files/0x000700000002343c-91.dat	upx
behavioral2/memory/5080-105-0x00007FF60E280000-0x00007FF60E5D4000-memory.dmp	upx
behavioral2/files/0x000700000002343f-114.dat	upx
behavioral2/files/0x000700000002343e-112.dat	upx
behavioral2/files/0x0007000000023440-123.dat	upx
behavioral2/memory/4928-122-0x00007FF66D9C0000-0x00007FF66DD14000-memory.dmp	upx
behavioral2/memory/4116-121-0x00007FF735250000-0x00007FF7355A4000-memory.dmp	upx
behavioral2/memory/1832-119-0x00007FF76A920000-0x00007FF76AC74000-memory.dmp	upx
behavioral2/files/0x000700000002343d-110.dat	upx
behavioral2/memory/1500-109-0x00007FF69BBC0000-0x00007FF69BF14000-memory.dmp	upx
behavioral2/memory/2152-108-0x00007FF66D240000-0x00007FF66D594000-memory.dmp	upx
behavioral2/memory/3656-104-0x00007FF6E2840000-0x00007FF6E2B94000-memory.dmp	upx
behavioral2/memory/3568-97-0x00007FF7553E0000-0x00007FF755734000-memory.dmp	upx
behavioral2/memory/3848-96-0x00007FF74B060000-0x00007FF74B3B4000-memory.dmp	upx
behavioral2/memory/224-88-0x00007FF6BCFB0000-0x00007FF6BD304000-memory.dmp	upx
behavioral2/files/0x000700000002343b-90.dat	upx
behavioral2/memory/1748-89-0x00007FF708710000-0x00007FF708A64000-memory.dmp	upx
behavioral2/memory/2344-82-0x00007FF704EB0000-0x00007FF705204000-memory.dmp	upx
behavioral2/memory/1140-81-0x00007FF686C60000-0x00007FF686FB4000-memory.dmp	upx
behavioral2/files/0x000700000002343a-87.dat	upx
behavioral2/files/0x000c000000023393-76.dat	upx
behavioral2/memory/1380-74-0x00007FF62A530000-0x00007FF62A884000-memory.dmp	upx
behavioral2/memory/4488-70-0x00007FF738AD0000-0x00007FF738E24000-memory.dmp	upx
behavioral2/memory/4208-66-0x00007FF642E20000-0x00007FF643174000-memory.dmp	upx
behavioral2/memory/3988-48-0x00007FF6618F0000-0x00007FF661C44000-memory.dmp	upx
behavioral2/memory/4200-133-0x00007FF6F3900000-0x00007FF6F3C54000-memory.dmp	upx
behavioral2/files/0x0007000000023442-135.dat	upx
behavioral2/memory/3200-132-0x00007FF7E1920000-0x00007FF7E1C74000-memory.dmp	upx
behavioral2/memory/3988-128-0x00007FF6618F0000-0x00007FF661C44000-memory.dmp	upx
behavioral2/files/0x0007000000023441-129.dat	upx
behavioral2/memory/2876-137-0x00007FF6A8B80000-0x00007FF6A8ED4000-memory.dmp	upx
behavioral2/memory/4488-138-0x00007FF738AD0000-0x00007FF738E24000-memory.dmp	upx
behavioral2/memory/224-139-0x00007FF6BCFB0000-0x00007FF6BD304000-memory.dmp	upx
behavioral2/memory/3848-140-0x00007FF74B060000-0x00007FF74B3B4000-memory.dmp	upx
behavioral2/memory/1500-143-0x00007FF69BBC0000-0x00007FF69BF14000-memory.dmp	upx
behavioral2/memory/2152-142-0x00007FF66D240000-0x00007FF66D594000-memory.dmp	upx
behavioral2/memory/5080-141-0x00007FF60E280000-0x00007FF60E5D4000-memory.dmp	upx
behavioral2/memory/3200-145-0x00007FF7E1920000-0x00007FF7E1C74000-memory.dmp	upx
behavioral2/memory/4928-144-0x00007FF66D9C0000-0x00007FF66DD14000-memory.dmp	upx
behavioral2/memory/2876-146-0x00007FF6A8B80000-0x00007FF6A8ED4000-memory.dmp	upx
behavioral2/memory/1588-147-0x00007FF66CC80000-0x00007FF66CFD4000-memory.dmp	upx
behavioral2/memory/1380-148-0x00007FF62A530000-0x00007FF62A884000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\XpYBcxK.exe	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\mhRjaPi.exe	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ysaZblL.exe	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\lbBDMNO.exe	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\giMtknl.exe	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\MyMNvVX.exe	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\hHIWUnA.exe	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\OWReGtc.exe	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\duLRmrU.exe	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\AtJSWen.exe	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\nTYVEVA.exe	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\rlSoUBw.exe	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\eiPtstu.exe	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\swvpOdD.exe	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\njKBLGX.exe	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\Opdwcqi.exe	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\LWpmqSl.exe	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ckCSlND.exe	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\TGGPTqR.exe	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\HvxKoBo.exe	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\naWAwWv.exe	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2692	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	2692	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2692 wrote to memory of 1588	2692	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe	82
PID 2692 wrote to memory of 1588	2692	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe	82
PID 2692 wrote to memory of 1380	2692	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe	83
PID 2692 wrote to memory of 1380	2692	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe	83
PID 2692 wrote to memory of 2344	2692	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe	84
PID 2692 wrote to memory of 2344	2692	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe	84
PID 2692 wrote to memory of 1748	2692	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe	85
PID 2692 wrote to memory of 1748	2692	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe	85
PID 2692 wrote to memory of 3568	2692	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe	86
PID 2692 wrote to memory of 3568	2692	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe	86
PID 2692 wrote to memory of 3656	2692	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe	88
PID 2692 wrote to memory of 3656	2692	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe	88
PID 2692 wrote to memory of 4116	2692	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe	92
PID 2692 wrote to memory of 4116	2692	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe	92
PID 2692 wrote to memory of 3988	2692	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe	93
PID 2692 wrote to memory of 3988	2692	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe	93
PID 2692 wrote to memory of 4200	2692	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe	94
PID 2692 wrote to memory of 4200	2692	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe	94
PID 2692 wrote to memory of 4208	2692	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe	95
PID 2692 wrote to memory of 4208	2692	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe	95
PID 2692 wrote to memory of 4488	2692	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe	96
PID 2692 wrote to memory of 4488	2692	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe	96
PID 2692 wrote to memory of 1140	2692	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe	97
PID 2692 wrote to memory of 1140	2692	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe	97
PID 2692 wrote to memory of 224	2692	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe	98
PID 2692 wrote to memory of 224	2692	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe	98
PID 2692 wrote to memory of 3848	2692	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe	99
PID 2692 wrote to memory of 3848	2692	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe	99
PID 2692 wrote to memory of 5080	2692	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe	100
PID 2692 wrote to memory of 5080	2692	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe	100
PID 2692 wrote to memory of 1832	2692	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe	101
PID 2692 wrote to memory of 1832	2692	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe	101
PID 2692 wrote to memory of 2152	2692	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe	102
PID 2692 wrote to memory of 2152	2692	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe	102
PID 2692 wrote to memory of 1500	2692	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe	103
PID 2692 wrote to memory of 1500	2692	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe	103
PID 2692 wrote to memory of 4928	2692	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe	104
PID 2692 wrote to memory of 4928	2692	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe	104
PID 2692 wrote to memory of 3200	2692	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe	105
PID 2692 wrote to memory of 3200	2692	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe	105
PID 2692 wrote to memory of 2876	2692	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe	106
PID 2692 wrote to memory of 2876	2692	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe	106

C:\Users\Admin\AppData\Local\Temp\2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2692
- C:\Windows\System\giMtknl.exe
  C:\Windows\System\giMtknl.exe
  2⤵
  - Executes dropped EXE
  PID:1588
- C:\Windows\System\LWpmqSl.exe
  C:\Windows\System\LWpmqSl.exe
  2⤵
  - Executes dropped EXE
  PID:1380
- C:\Windows\System\rlSoUBw.exe
  C:\Windows\System\rlSoUBw.exe
  2⤵
  - Executes dropped EXE
  PID:2344
- C:\Windows\System\MyMNvVX.exe
  C:\Windows\System\MyMNvVX.exe
  2⤵
  - Executes dropped EXE
  PID:1748
- C:\Windows\System\XpYBcxK.exe
  C:\Windows\System\XpYBcxK.exe
  2⤵
  - Executes dropped EXE
  PID:3568
- C:\Windows\System\hHIWUnA.exe
  C:\Windows\System\hHIWUnA.exe
  2⤵
  - Executes dropped EXE
  PID:3656
- C:\Windows\System\ckCSlND.exe
  C:\Windows\System\ckCSlND.exe
  2⤵
  - Executes dropped EXE
  PID:4116
- C:\Windows\System\OWReGtc.exe
  C:\Windows\System\OWReGtc.exe
  2⤵
  - Executes dropped EXE
  PID:3988
- C:\Windows\System\duLRmrU.exe
  C:\Windows\System\duLRmrU.exe
  2⤵
  - Executes dropped EXE
  PID:4200
- C:\Windows\System\TGGPTqR.exe
  C:\Windows\System\TGGPTqR.exe
  2⤵
  - Executes dropped EXE
  PID:4208
- C:\Windows\System\HvxKoBo.exe
  C:\Windows\System\HvxKoBo.exe
  2⤵
  - Executes dropped EXE
  PID:4488
- C:\Windows\System\eiPtstu.exe
  C:\Windows\System\eiPtstu.exe
  2⤵
  - Executes dropped EXE
  PID:1140
- C:\Windows\System\naWAwWv.exe
  C:\Windows\System\naWAwWv.exe
  2⤵
  - Executes dropped EXE
  PID:224
- C:\Windows\System\swvpOdD.exe
  C:\Windows\System\swvpOdD.exe
  2⤵
  - Executes dropped EXE
  PID:3848
- C:\Windows\System\mhRjaPi.exe
  C:\Windows\System\mhRjaPi.exe
  2⤵
  - Executes dropped EXE
  PID:5080
- C:\Windows\System\AtJSWen.exe
  C:\Windows\System\AtJSWen.exe
  2⤵
  - Executes dropped EXE
  PID:1832
- C:\Windows\System\nTYVEVA.exe
  C:\Windows\System\nTYVEVA.exe
  2⤵
  - Executes dropped EXE
  PID:2152
- C:\Windows\System\njKBLGX.exe
  C:\Windows\System\njKBLGX.exe
  2⤵
  - Executes dropped EXE
  PID:1500
- C:\Windows\System\lbBDMNO.exe
  C:\Windows\System\lbBDMNO.exe
  2⤵
  - Executes dropped EXE
  PID:4928
- C:\Windows\System\Opdwcqi.exe
  C:\Windows\System\Opdwcqi.exe
  2⤵
  - Executes dropped EXE
  PID:3200
- C:\Windows\System\ysaZblL.exe
  C:\Windows\System\ysaZblL.exe
  2⤵
  - Executes dropped EXE
  PID:2876

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AtJSWen.exe

Filesize
5.9MB

MD5
f6f157844062ea3639c9a075280940d4

SHA1
ba68c1a59a830ef98831ac0acabb0431c6eb0e6b

SHA256
94b9169702fcbb9a29ca81cca5d797999fae1210ce236cc6383ad57735ab898d

SHA512
e3333ec70492b1c2e34b34d86df6676cc2f395d61f60571adb545bd455918ea4a5bc5b5157ae88650475bd5f485b68e8712eab6356e99f5e9344dfa66ad290df

Download Submit
C:\Windows\System\HvxKoBo.exe

Filesize
5.9MB

MD5
aad565257985a4c5daada2f5dd88ab9e

SHA1
ce7a9122c8a816e9c9d32083a760fa4a1a1a1da0

SHA256
7981bca3f54ceffbd00dac218742f94a335812726064570435bad1c46e806fcc

SHA512
c886045fcec21e1bb3ec6ed4c799a3aadec184a3cf491c9ea52b4855c8200c47ffeb5562d7ebdb30ce5dd2df20e08f99e34d3e26d827b062c0df881a3f76ad36

Download Submit
C:\Windows\System\LWpmqSl.exe

Filesize
5.9MB

MD5
4d64b2589b80c7e648402ff7bbcbc1a9

SHA1
46f5c4c7b5a9ab5e448eda69838b6907dcb78591

SHA256
fda700d23a665b8cf891954e3a682c7d1b0efa557cded4dbf1a6f8abcbba1d2e

SHA512
c4db971c0d5597b41cc1caa5fa01ec0bd438ff5c74313ec96a221d76e3ef7449ab736afdeb03ee27c7c196f6743193e05ac234f425de7ea8ac04e8c3c1ea92c2

Download Submit
C:\Windows\System\MyMNvVX.exe

Filesize
5.9MB

MD5
28eb4d56f6d7688e7b2232fdf2d7acc0

SHA1
964ccdfaa0300afdde263c324637a5f2f5fd4c2b

SHA256
2838f4fcaccb9930d92317abfba003d7954610df03cfc7664e6c7ff5f591a43a

SHA512
245591b5103a2da436c99acccd84dc5a4c30b547b8d59bb013bab5094c40e3bf732f316568dec4037f5b0f2b470edec6b26a5079ece8eed65c0af55bde4d18bf

Download Submit
C:\Windows\System\OWReGtc.exe

Filesize
5.9MB

MD5
ae9b9df9e7ed8bdee1e2eb9a1c060609

SHA1
5e91450e8c7576eb9f36d69ea1e80b4340f5bfb6

SHA256
cef8023b8dd567e3e673b408c3783e4b2bcbc04e51d6cec1408cf5c6763bb9a0

SHA512
bfff81662fa292a8378835f53a65d9c04341868869d8e10207551e07082a6f12e12db36d0e4dbf5e131d4ce33a3031ad5abdcdbef1960d441fa4b11c9e131a1b

Download Submit
C:\Windows\System\Opdwcqi.exe

Filesize
5.9MB

MD5
56e84320e5de8eb147e9e4b61b9eecf1

SHA1
2c1f9f02bc3876b584db4d36ee88f1752e54e959

SHA256
bbc299d2cc6abda4aad3b56522c0b618b17bf2abbda01368b8399e3ba38643f8

SHA512
a6c920676b079a8a98016e1d99086751e4343e85200567402c6430c22f919b1827e7a9b0da606f4f2a67e7c97958cd1d31e5711a405e6bce5fa9af0720283a8e

Download Submit
C:\Windows\System\TGGPTqR.exe

Filesize
5.9MB

MD5
8a88cef7c771c9478b93bde94484392d

SHA1
05e233848e4786cf32d995774ad058526bd73fc2

SHA256
8d579beab91ee608664aa053860de1dbda2077c8c96b6c0fa2a3dda8eff5a55e

SHA512
d6215a6ba457d8d42181c67c9dfca106d75fc0bc1d0998fed9f3cead4dfbd5ec63852138a66a2de32ec44f6bd197558a2d85c678200285277217e14482e9d064

Download Submit
C:\Windows\System\XpYBcxK.exe

Filesize
5.9MB

MD5
8e1ebab0961a2c52f80a2bdad45cd3cb

SHA1
846861b8853aebc3a8cad71e16acef2ea78e5e48

SHA256
31a045cfb06640e55ad8d747b15908ba2cff4f2df0de5483f0f7e92dcb2bc86a

SHA512
df2a97d805192adf49f1c95ab49e85eeba7f7da7adb464364cbfc56579dd8008f884f88128cbdbb83951203bdf555dc54999fb2d43343420434cb2eb298acdb9

Download Submit
C:\Windows\System\ckCSlND.exe

Filesize
5.9MB

MD5
c53c585be74a9d586cb7068e9bb65eb2

SHA1
202d6bd727fbdaab9f469ecff7b2d3537f0c2b64

SHA256
44e1012a3806c7423eb3c7f6fda4ce804990b05b31cab932d915e428583472b6

SHA512
10497b170326385d085ec85f8bdb7291a3f03609c2cd7e5bb60d60ab13a17592f8f8bc58087397992812a1b48a7f6db9c567b40191dde5622ef317c7c06556cf

Download Submit
C:\Windows\System\duLRmrU.exe

Filesize
5.9MB

MD5
d88c36a9b1f8f11fdc4b4e543c77b46a

SHA1
fdd90e79a386423d07094bcd8f785d4588013e11

SHA256
c45839500815ebed8df5458a5d8e44ea2c09c0bbc4f53c0a51938afa02efc744

SHA512
cbbc6a42c01eafde8896a01007ae38dea2de003a429d203cb5d69e3c8e4dfd8a849569119f11e6420548dc208ce03aecc9ff11447be5e957cc0c36c5f8bb09ba

Download Submit
C:\Windows\System\eiPtstu.exe

Filesize
5.9MB

MD5
b2c7b1a16a04c978ec8d301d3d79e19f

SHA1
5face358c90fad1a2e6c8f439cb3cab8316aefc0

SHA256
22d1f52ae1d4575456418c17fdfbe6e580f8531a0a357ab1714ab644b111cf62

SHA512
8b4b27bf9f4b02c1999e837b21c7a8dde57bdb1d01fefe5bc65604d9750704cfa6e2bb485c137c56b4d8e7290d8cc18b50295e48cb97f0396ae6dcd54248ad5c

Download Submit
C:\Windows\System\giMtknl.exe

Filesize
5.9MB

MD5
c97cad80ffbffdec581797fc1a79e74d

SHA1
75102ec56828dbba580b52d3ad6c7c5abf3c4c0a

SHA256
b54d18329c046e0a7a532f558a615bb5b769386fce54618b3939353c1ccc50d4

SHA512
2f70dec8bf062f0de40fb5adf0ce15147abf474f67b2f35ebbadeb91d57ea439da586e93d7e0ce7f30d1fbc8f2672fca52121a8bb1254726391e6ffabe9b00ce

Download Submit
C:\Windows\System\hHIWUnA.exe

Filesize
5.9MB

MD5
9d6bc88df172a98b9ee8bf0718dc046c

SHA1
67948b62fa6f1b7f040c44008b95b9636e195e86

SHA256
13a31a746e5312391fbe77ef0b4bd7b51710c80d537fcaec86aff7152a8b0e00

SHA512
4235911a5a7469184c9623169b5e82ff57cc2de4db96b647306e7a2c6faea21bf018a3e1ca5e2684e3e03466703142258fec37c59956613b6cd0e0ce39cabe8d

Download Submit
C:\Windows\System\lbBDMNO.exe

Filesize
5.9MB

MD5
6d948aa180325beb781e8248a5940052

SHA1
552e355f82ab464c51afa96ecc65123aaee1bb75

SHA256
e91a8e335992314b1298bbadf4506130d935e4de73c39e70bf02d9d4b8d7ecbd

SHA512
2512a3604823e27f59b733faf40d90e94f58afa4c0ab3d02e7b741ad6ad91e4ec341b6fbeac0eeacf96083a96f0e7db468d301c35a35f66707e15bcc4dd6305e

Download Submit
C:\Windows\System\mhRjaPi.exe

Filesize
5.9MB

MD5
ccb292f435e886517663c164f97b83c1

SHA1
2c6e4093c4022a8c73120a1c29765b7314715fef

SHA256
6fab8fce720fbb8a7f524a1e0015fd8355fe13016455e921bf84dcb1c761f3a4

SHA512
31ac8c7d1c0612684d7557fc10a8f37360765512cc27fcad746d54437d3534596117a9bd61e45dbb4f7bf68d1b76c4ad9cef35b020d58608b5a76520e42e48d8

Download Submit
C:\Windows\System\nTYVEVA.exe

Filesize
5.9MB

MD5
2899b0dfb40f402763424c12502cc350

SHA1
def2080319266e9476792d06aed922ca51a7f898

SHA256
42a400bb1413ffe454683dc7837eb42df6fc9f71819d3727a97c0454fbc3b218

SHA512
7b3e38c1e420505bc4eba99f6432c02b7211bc2b79f01fbb183b03d585749d1075b4330a65d733a218ea63a6d433dfb288a330d7bfc0664628e1d6b168ae52f8

Download Submit
C:\Windows\System\naWAwWv.exe

Filesize
5.9MB

MD5
6000619e801d0552f13e269b55c46273

SHA1
2953645a1f513fe93f9eeed73dcb621c61ef21ce

SHA256
6704e7ddbe30bff652d0e85a1a3b3f2ccb81dfc2cb531f9dcf595b10d13f6282

SHA512
c2d9f5bea2356ac136e75848262c84592caaeb5b509f52b48231fcb6b1ad9df10a6fe6c486da47a1828cfa55c5f5983e5209b3708d9bedb006d3a7811979e060

Download Submit
C:\Windows\System\njKBLGX.exe

Filesize
5.9MB

MD5
9f803cc0ed9e6356871497992998ff5a

SHA1
c7a98b8a3b9447f47a38e89cc0d94647bfc1aca1

SHA256
31505a06332026d89b26fe7cf17c0c9404f32bd4059d5eb0e7509132fc9cafa9

SHA512
b14ca4d33849f0d637f58fd4a806c1ffce6252de4a07b10badd2aded48ab418ed6f2b1399626701181d44af13c969773f04866254f4c6ada118c055c1138455f

Download Submit
C:\Windows\System\rlSoUBw.exe

Filesize
5.9MB

MD5
f31b8fd28d6d368d129a20691f069bad

SHA1
0bb7a7d39aca8dfef83d35ebb0ad718525da9ff5

SHA256
7641c40f3ca7bc8647439e93d26344d4ad5f634ea653ef7e685d63a000b296f8

SHA512
d90dbbd7e99851453a29db7ec84713fce85099100b6199cc1614e079e29a7a7b2c3abbad2e65b118f9a5479181df2f354253abfbdee4f92b6625bf524eaa6947

Download Submit
C:\Windows\System\swvpOdD.exe

Filesize
5.9MB

MD5
451c53e769a24b543a77e6c34216cbf0

SHA1
5d4424936781fa0640bc8e60873e80dd0e5ce266

SHA256
cd779654bac1a3493a0ca2deedc1287144fbfe92158e2a657c2157adce79faeb

SHA512
a453935166314f798d049c108c93584db8adc97af6be272edd0fc8259e2af26f6850c385e41707a8a9a342b44531f14fe5f4ef214191b88f7e1bafbf456dbcab

Download Submit
C:\Windows\System\ysaZblL.exe

Filesize
5.9MB

MD5
af6c816535dd0f3a18a11928aa605e71

SHA1
1d647aa89fad10cf18f58c93d9a8888bfad97213

SHA256
634f132393608a2b27c7ec2094b37989db4124f3868b53eccd0e88a191d0118b

SHA512
f627381790608d6463289f31d553b8faaf19b77981b336cc97053b03568041c1ab273715c88f75737eca45d0d2bffae643d1073aebaccff956714e193e39e684

Download Submit
memory/224-88-0x00007FF6BCFB0000-0x00007FF6BD304000-memory.dmp

Filesize
3.3MB

Download
memory/224-139-0x00007FF6BCFB0000-0x00007FF6BD304000-memory.dmp

Filesize
3.3MB

Download
memory/224-160-0x00007FF6BCFB0000-0x00007FF6BD304000-memory.dmp

Filesize
3.3MB

Download
memory/1140-81-0x00007FF686C60000-0x00007FF686FB4000-memory.dmp

Filesize
3.3MB

Download
memory/1140-157-0x00007FF686C60000-0x00007FF686FB4000-memory.dmp

Filesize
3.3MB

Download
memory/1380-148-0x00007FF62A530000-0x00007FF62A884000-memory.dmp

Filesize
3.3MB

Download
memory/1380-14-0x00007FF62A530000-0x00007FF62A884000-memory.dmp

Filesize
3.3MB

Download
memory/1380-74-0x00007FF62A530000-0x00007FF62A884000-memory.dmp

Filesize
3.3MB

Download
memory/1500-143-0x00007FF69BBC0000-0x00007FF69BF14000-memory.dmp

Filesize
3.3MB

Download
memory/1500-109-0x00007FF69BBC0000-0x00007FF69BF14000-memory.dmp

Filesize
3.3MB

Download
memory/1500-162-0x00007FF69BBC0000-0x00007FF69BF14000-memory.dmp

Filesize
3.3MB

Download
memory/1588-67-0x00007FF66CC80000-0x00007FF66CFD4000-memory.dmp

Filesize
3.3MB

Download
memory/1588-147-0x00007FF66CC80000-0x00007FF66CFD4000-memory.dmp

Filesize
3.3MB

Download
memory/1588-8-0x00007FF66CC80000-0x00007FF66CFD4000-memory.dmp

Filesize
3.3MB

Download
memory/1748-150-0x00007FF708710000-0x00007FF708A64000-memory.dmp

Filesize
3.3MB

Download
memory/1748-25-0x00007FF708710000-0x00007FF708A64000-memory.dmp

Filesize
3.3MB

Download
memory/1748-89-0x00007FF708710000-0x00007FF708A64000-memory.dmp

Filesize
3.3MB

Download
memory/1832-119-0x00007FF76A920000-0x00007FF76AC74000-memory.dmp

Filesize
3.3MB

Download
memory/1832-164-0x00007FF76A920000-0x00007FF76AC74000-memory.dmp

Filesize
3.3MB

Download
memory/2152-163-0x00007FF66D240000-0x00007FF66D594000-memory.dmp

Filesize
3.3MB

Download
memory/2152-142-0x00007FF66D240000-0x00007FF66D594000-memory.dmp

Filesize
3.3MB

Download
memory/2152-108-0x00007FF66D240000-0x00007FF66D594000-memory.dmp

Filesize
3.3MB

Download
memory/2344-82-0x00007FF704EB0000-0x00007FF705204000-memory.dmp

Filesize
3.3MB

Download
memory/2344-20-0x00007FF704EB0000-0x00007FF705204000-memory.dmp

Filesize
3.3MB

Download
memory/2344-149-0x00007FF704EB0000-0x00007FF705204000-memory.dmp

Filesize
3.3MB

Download
memory/2692-1-0x00000206F7BD0000-0x00000206F7BE0000-memory.dmp

Filesize
64KB

Download
memory/2692-0-0x00007FF795440000-0x00007FF795794000-memory.dmp

Filesize
3.3MB

Download
memory/2692-64-0x00007FF795440000-0x00007FF795794000-memory.dmp

Filesize
3.3MB

Download
memory/2876-167-0x00007FF6A8B80000-0x00007FF6A8ED4000-memory.dmp

Filesize
3.3MB

Download
memory/2876-146-0x00007FF6A8B80000-0x00007FF6A8ED4000-memory.dmp

Filesize
3.3MB

Download
memory/2876-137-0x00007FF6A8B80000-0x00007FF6A8ED4000-memory.dmp

Filesize
3.3MB

Download
memory/3200-166-0x00007FF7E1920000-0x00007FF7E1C74000-memory.dmp

Filesize
3.3MB

Download
memory/3200-132-0x00007FF7E1920000-0x00007FF7E1C74000-memory.dmp

Filesize
3.3MB

Download
memory/3200-145-0x00007FF7E1920000-0x00007FF7E1C74000-memory.dmp

Filesize
3.3MB

Download
memory/3568-97-0x00007FF7553E0000-0x00007FF755734000-memory.dmp

Filesize
3.3MB

Download
memory/3568-151-0x00007FF7553E0000-0x00007FF755734000-memory.dmp

Filesize
3.3MB

Download
memory/3568-30-0x00007FF7553E0000-0x00007FF755734000-memory.dmp

Filesize
3.3MB

Download
memory/3656-153-0x00007FF6E2840000-0x00007FF6E2B94000-memory.dmp

Filesize
3.3MB

Download
memory/3656-37-0x00007FF6E2840000-0x00007FF6E2B94000-memory.dmp

Filesize
3.3MB

Download
memory/3656-104-0x00007FF6E2840000-0x00007FF6E2B94000-memory.dmp

Filesize
3.3MB

Download
memory/3848-140-0x00007FF74B060000-0x00007FF74B3B4000-memory.dmp

Filesize
3.3MB

Download
memory/3848-96-0x00007FF74B060000-0x00007FF74B3B4000-memory.dmp

Filesize
3.3MB

Download
memory/3848-159-0x00007FF74B060000-0x00007FF74B3B4000-memory.dmp

Filesize
3.3MB

Download
memory/3988-154-0x00007FF6618F0000-0x00007FF661C44000-memory.dmp

Filesize
3.3MB

Download
memory/3988-128-0x00007FF6618F0000-0x00007FF661C44000-memory.dmp

Filesize
3.3MB

Download
memory/3988-48-0x00007FF6618F0000-0x00007FF661C44000-memory.dmp

Filesize
3.3MB

Download
memory/4116-121-0x00007FF735250000-0x00007FF7355A4000-memory.dmp

Filesize
3.3MB

Download
memory/4116-43-0x00007FF735250000-0x00007FF7355A4000-memory.dmp

Filesize
3.3MB

Download
memory/4116-152-0x00007FF735250000-0x00007FF7355A4000-memory.dmp

Filesize
3.3MB

Download
memory/4200-133-0x00007FF6F3900000-0x00007FF6F3C54000-memory.dmp

Filesize
3.3MB

Download
memory/4200-155-0x00007FF6F3900000-0x00007FF6F3C54000-memory.dmp

Filesize
3.3MB

Download
memory/4200-54-0x00007FF6F3900000-0x00007FF6F3C54000-memory.dmp

Filesize
3.3MB

Download
memory/4208-66-0x00007FF642E20000-0x00007FF643174000-memory.dmp

Filesize
3.3MB

Download
memory/4208-156-0x00007FF642E20000-0x00007FF643174000-memory.dmp

Filesize
3.3MB

Download
memory/4488-138-0x00007FF738AD0000-0x00007FF738E24000-memory.dmp

Filesize
3.3MB

Download
memory/4488-158-0x00007FF738AD0000-0x00007FF738E24000-memory.dmp

Filesize
3.3MB

Download
memory/4488-70-0x00007FF738AD0000-0x00007FF738E24000-memory.dmp

Filesize
3.3MB

Download
memory/4928-144-0x00007FF66D9C0000-0x00007FF66DD14000-memory.dmp

Filesize
3.3MB

Download
memory/4928-165-0x00007FF66D9C0000-0x00007FF66DD14000-memory.dmp

Filesize
3.3MB

Download
memory/4928-122-0x00007FF66D9C0000-0x00007FF66DD14000-memory.dmp

Filesize
3.3MB

Download
memory/5080-161-0x00007FF60E280000-0x00007FF60E5D4000-memory.dmp

Filesize
3.3MB

Download
memory/5080-105-0x00007FF60E280000-0x00007FF60E5D4000-memory.dmp

Filesize
3.3MB

Download
memory/5080-141-0x00007FF60E280000-0x00007FF60E5D4000-memory.dmp

Filesize
3.3MB

Download