cobaltstrike | b218d86be1fedae2d797031f99246aab2959470fad548426d9d0b619fe9a4dc4

Analysis

max time kernel
142s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
03/06/2024, 11:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe
Size

5.9MB
MD5

5a2e6ce520fb33fada7eb5729843e515
SHA1

0ecad18a5e7f0a721435aa284958720d775d350a
SHA256

b218d86be1fedae2d797031f99246aab2959470fad548426d9d0b619fe9a4dc4
SHA512

769d1ef8a5f43390b37bde35b2f60fa25906b8c18f9bf6a8a573a2b4cc246725937b662b9aa1eb5fea257bd32f087c0fe4d59d2044636b86cad4047962d5375a
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUJ:Q+856utgpPF8u/7J

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0008000000023492-5.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023493-11.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023494-10.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023495-22.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023490-30.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023496-35.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023497-42.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023499-49.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002349a-58.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002349d-80.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002349e-83.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002349c-75.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002349b-70.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023498-51.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002349f-92.dat	cobalt_reflective_dll
behavioral2/files/0x0004000000022a49-99.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023406-111.dat	cobalt_reflective_dll
behavioral2/files/0x000e000000023407-116.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234a1-121.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000234a2-131.dat	cobalt_reflective_dll
behavioral2/files/0x0014000000023401-118.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023492-5.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023493-11.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023494-10.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023495-22.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0008000000023490-30.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023496-35.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023497-42.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023499-49.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002349a-58.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002349d-80.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002349e-83.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002349c-75.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002349b-70.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023498-51.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002349f-92.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0004000000022a49-99.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000b000000023406-111.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000e000000023407-116.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000234a1-121.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000234a2-131.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0014000000023401-118.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

resource	yara_rule
behavioral2/memory/1396-0-0x00007FF794D10000-0x00007FF795064000-memory.dmp	UPX
behavioral2/files/0x0008000000023492-5.dat	UPX
behavioral2/memory/4644-6-0x00007FF75EFA0000-0x00007FF75F2F4000-memory.dmp	UPX
behavioral2/files/0x0007000000023493-11.dat	UPX
behavioral2/files/0x0007000000023494-10.dat	UPX
behavioral2/memory/3232-18-0x00007FF7CBC30000-0x00007FF7CBF84000-memory.dmp	UPX
behavioral2/memory/2868-17-0x00007FF7B6D00000-0x00007FF7B7054000-memory.dmp	UPX
behavioral2/files/0x0007000000023495-22.dat	UPX
behavioral2/files/0x0008000000023490-30.dat	UPX
behavioral2/memory/2060-31-0x00007FF64EBA0000-0x00007FF64EEF4000-memory.dmp	UPX
behavioral2/files/0x0007000000023496-35.dat	UPX
behavioral2/files/0x0007000000023497-42.dat	UPX
behavioral2/files/0x0007000000023499-49.dat	UPX
behavioral2/files/0x000700000002349a-58.dat	UPX
behavioral2/memory/3976-59-0x00007FF795FA0000-0x00007FF7962F4000-memory.dmp	UPX
behavioral2/memory/1616-62-0x00007FF61FD90000-0x00007FF6200E4000-memory.dmp	UPX
behavioral2/memory/1396-74-0x00007FF794D10000-0x00007FF795064000-memory.dmp	UPX
behavioral2/files/0x000700000002349d-80.dat	UPX
behavioral2/memory/4612-85-0x00007FF65DE60000-0x00007FF65E1B4000-memory.dmp	UPX
behavioral2/files/0x000700000002349e-83.dat	UPX
behavioral2/memory/2952-82-0x00007FF7920F0000-0x00007FF792444000-memory.dmp	UPX
behavioral2/memory/4644-81-0x00007FF75EFA0000-0x00007FF75F2F4000-memory.dmp	UPX
behavioral2/memory/2816-79-0x00007FF7F5860000-0x00007FF7F5BB4000-memory.dmp	UPX
behavioral2/memory/5032-78-0x00007FF631550000-0x00007FF6318A4000-memory.dmp	UPX
behavioral2/files/0x000700000002349c-75.dat	UPX
behavioral2/files/0x000700000002349b-70.dat	UPX
behavioral2/memory/3516-57-0x00007FF686060000-0x00007FF6863B4000-memory.dmp	UPX
behavioral2/files/0x0007000000023498-51.dat	UPX
behavioral2/memory/3248-46-0x00007FF773C00000-0x00007FF773F54000-memory.dmp	UPX
behavioral2/memory/3952-39-0x00007FF693840000-0x00007FF693B94000-memory.dmp	UPX
behavioral2/memory/3496-26-0x00007FF709690000-0x00007FF7099E4000-memory.dmp	UPX
behavioral2/files/0x000700000002349f-92.dat	UPX
behavioral2/files/0x0004000000022a49-99.dat	UPX
behavioral2/memory/3496-101-0x00007FF709690000-0x00007FF7099E4000-memory.dmp	UPX
behavioral2/memory/1128-102-0x00007FF624DA0000-0x00007FF6250F4000-memory.dmp	UPX
behavioral2/memory/2060-108-0x00007FF64EBA0000-0x00007FF64EEF4000-memory.dmp	UPX
behavioral2/files/0x000b000000023406-111.dat	UPX
behavioral2/files/0x000e000000023407-116.dat	UPX
behavioral2/files/0x00070000000234a1-121.dat	UPX
behavioral2/memory/3516-125-0x00007FF686060000-0x00007FF6863B4000-memory.dmp	UPX
behavioral2/files/0x00070000000234a2-131.dat	UPX
behavioral2/memory/2756-128-0x00007FF6E2C70000-0x00007FF6E2FC4000-memory.dmp	UPX
behavioral2/memory/2308-120-0x00007FF6AD4A0000-0x00007FF6AD7F4000-memory.dmp	UPX
behavioral2/files/0x0014000000023401-118.dat	UPX
behavioral2/memory/220-113-0x00007FF6A6510000-0x00007FF6A6864000-memory.dmp	UPX
behavioral2/memory/2096-110-0x00007FF7C14E0000-0x00007FF7C1834000-memory.dmp	UPX
behavioral2/memory/3340-95-0x00007FF706690000-0x00007FF7069E4000-memory.dmp	UPX
behavioral2/memory/3232-94-0x00007FF7CBC30000-0x00007FF7CBF84000-memory.dmp	UPX
behavioral2/memory/1616-133-0x00007FF61FD90000-0x00007FF6200E4000-memory.dmp	UPX
behavioral2/memory/4916-134-0x00007FF7726F0000-0x00007FF772A44000-memory.dmp	UPX
behavioral2/memory/2952-135-0x00007FF7920F0000-0x00007FF792444000-memory.dmp	UPX
behavioral2/memory/4612-136-0x00007FF65DE60000-0x00007FF65E1B4000-memory.dmp	UPX
behavioral2/memory/2096-137-0x00007FF7C14E0000-0x00007FF7C1834000-memory.dmp	UPX
behavioral2/memory/2308-138-0x00007FF6AD4A0000-0x00007FF6AD7F4000-memory.dmp	UPX
behavioral2/memory/2756-139-0x00007FF6E2C70000-0x00007FF6E2FC4000-memory.dmp	UPX
behavioral2/memory/4644-140-0x00007FF75EFA0000-0x00007FF75F2F4000-memory.dmp	UPX
behavioral2/memory/2868-141-0x00007FF7B6D00000-0x00007FF7B7054000-memory.dmp	UPX
behavioral2/memory/3232-142-0x00007FF7CBC30000-0x00007FF7CBF84000-memory.dmp	UPX
behavioral2/memory/3496-143-0x00007FF709690000-0x00007FF7099E4000-memory.dmp	UPX
behavioral2/memory/2060-144-0x00007FF64EBA0000-0x00007FF64EEF4000-memory.dmp	UPX
behavioral2/memory/3952-145-0x00007FF693840000-0x00007FF693B94000-memory.dmp	UPX
behavioral2/memory/3248-146-0x00007FF773C00000-0x00007FF773F54000-memory.dmp	UPX
behavioral2/memory/3976-147-0x00007FF795FA0000-0x00007FF7962F4000-memory.dmp	UPX
behavioral2/memory/3516-148-0x00007FF686060000-0x00007FF6863B4000-memory.dmp	UPX

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/1396-0-0x00007FF794D10000-0x00007FF795064000-memory.dmp	xmrig
behavioral2/files/0x0008000000023492-5.dat	xmrig
behavioral2/memory/4644-6-0x00007FF75EFA0000-0x00007FF75F2F4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023493-11.dat	xmrig
behavioral2/files/0x0007000000023494-10.dat	xmrig
behavioral2/memory/3232-18-0x00007FF7CBC30000-0x00007FF7CBF84000-memory.dmp	xmrig
behavioral2/memory/2868-17-0x00007FF7B6D00000-0x00007FF7B7054000-memory.dmp	xmrig
behavioral2/files/0x0007000000023495-22.dat	xmrig
behavioral2/files/0x0008000000023490-30.dat	xmrig
behavioral2/memory/2060-31-0x00007FF64EBA0000-0x00007FF64EEF4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023496-35.dat	xmrig
behavioral2/files/0x0007000000023497-42.dat	xmrig
behavioral2/files/0x0007000000023499-49.dat	xmrig
behavioral2/files/0x000700000002349a-58.dat	xmrig
behavioral2/memory/3976-59-0x00007FF795FA0000-0x00007FF7962F4000-memory.dmp	xmrig
behavioral2/memory/1616-62-0x00007FF61FD90000-0x00007FF6200E4000-memory.dmp	xmrig
behavioral2/memory/1396-74-0x00007FF794D10000-0x00007FF795064000-memory.dmp	xmrig
behavioral2/files/0x000700000002349d-80.dat	xmrig
behavioral2/memory/4612-85-0x00007FF65DE60000-0x00007FF65E1B4000-memory.dmp	xmrig
behavioral2/files/0x000700000002349e-83.dat	xmrig
behavioral2/memory/2952-82-0x00007FF7920F0000-0x00007FF792444000-memory.dmp	xmrig
behavioral2/memory/4644-81-0x00007FF75EFA0000-0x00007FF75F2F4000-memory.dmp	xmrig
behavioral2/memory/2816-79-0x00007FF7F5860000-0x00007FF7F5BB4000-memory.dmp	xmrig
behavioral2/memory/5032-78-0x00007FF631550000-0x00007FF6318A4000-memory.dmp	xmrig
behavioral2/files/0x000700000002349c-75.dat	xmrig
behavioral2/files/0x000700000002349b-70.dat	xmrig
behavioral2/memory/3516-57-0x00007FF686060000-0x00007FF6863B4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023498-51.dat	xmrig
behavioral2/memory/3248-46-0x00007FF773C00000-0x00007FF773F54000-memory.dmp	xmrig
behavioral2/memory/3952-39-0x00007FF693840000-0x00007FF693B94000-memory.dmp	xmrig
behavioral2/memory/3496-26-0x00007FF709690000-0x00007FF7099E4000-memory.dmp	xmrig
behavioral2/files/0x000700000002349f-92.dat	xmrig
behavioral2/files/0x0004000000022a49-99.dat	xmrig
behavioral2/memory/3496-101-0x00007FF709690000-0x00007FF7099E4000-memory.dmp	xmrig
behavioral2/memory/1128-102-0x00007FF624DA0000-0x00007FF6250F4000-memory.dmp	xmrig
behavioral2/memory/2060-108-0x00007FF64EBA0000-0x00007FF64EEF4000-memory.dmp	xmrig
behavioral2/files/0x000b000000023406-111.dat	xmrig
behavioral2/files/0x000e000000023407-116.dat	xmrig
behavioral2/files/0x00070000000234a1-121.dat	xmrig
behavioral2/memory/3516-125-0x00007FF686060000-0x00007FF6863B4000-memory.dmp	xmrig
behavioral2/files/0x00070000000234a2-131.dat	xmrig
behavioral2/memory/2756-128-0x00007FF6E2C70000-0x00007FF6E2FC4000-memory.dmp	xmrig
behavioral2/memory/2308-120-0x00007FF6AD4A0000-0x00007FF6AD7F4000-memory.dmp	xmrig
behavioral2/files/0x0014000000023401-118.dat	xmrig
behavioral2/memory/220-113-0x00007FF6A6510000-0x00007FF6A6864000-memory.dmp	xmrig
behavioral2/memory/2096-110-0x00007FF7C14E0000-0x00007FF7C1834000-memory.dmp	xmrig
behavioral2/memory/3340-95-0x00007FF706690000-0x00007FF7069E4000-memory.dmp	xmrig
behavioral2/memory/3232-94-0x00007FF7CBC30000-0x00007FF7CBF84000-memory.dmp	xmrig
behavioral2/memory/1616-133-0x00007FF61FD90000-0x00007FF6200E4000-memory.dmp	xmrig
behavioral2/memory/4916-134-0x00007FF7726F0000-0x00007FF772A44000-memory.dmp	xmrig
behavioral2/memory/2952-135-0x00007FF7920F0000-0x00007FF792444000-memory.dmp	xmrig
behavioral2/memory/4612-136-0x00007FF65DE60000-0x00007FF65E1B4000-memory.dmp	xmrig
behavioral2/memory/2096-137-0x00007FF7C14E0000-0x00007FF7C1834000-memory.dmp	xmrig
behavioral2/memory/2308-138-0x00007FF6AD4A0000-0x00007FF6AD7F4000-memory.dmp	xmrig
behavioral2/memory/2756-139-0x00007FF6E2C70000-0x00007FF6E2FC4000-memory.dmp	xmrig
behavioral2/memory/4644-140-0x00007FF75EFA0000-0x00007FF75F2F4000-memory.dmp	xmrig
behavioral2/memory/2868-141-0x00007FF7B6D00000-0x00007FF7B7054000-memory.dmp	xmrig
behavioral2/memory/3232-142-0x00007FF7CBC30000-0x00007FF7CBF84000-memory.dmp	xmrig
behavioral2/memory/3496-143-0x00007FF709690000-0x00007FF7099E4000-memory.dmp	xmrig
behavioral2/memory/2060-144-0x00007FF64EBA0000-0x00007FF64EEF4000-memory.dmp	xmrig
behavioral2/memory/3952-145-0x00007FF693840000-0x00007FF693B94000-memory.dmp	xmrig
behavioral2/memory/3248-146-0x00007FF773C00000-0x00007FF773F54000-memory.dmp	xmrig
behavioral2/memory/3976-147-0x00007FF795FA0000-0x00007FF7962F4000-memory.dmp	xmrig
behavioral2/memory/3516-148-0x00007FF686060000-0x00007FF6863B4000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
4644	ltzLXZt.exe
2868	GSPSZOY.exe
3232	oMIRVoD.exe
3496	pdGkeye.exe
2060	RTWlYKE.exe
3952	zJTpavT.exe
3248	RVHLMah.exe
3516	IzZEXCl.exe
3976	kgFqsmc.exe
1616	NDYCUXB.exe
5032	UHhuKwk.exe
2816	kReawjp.exe
2952	jvvvFfm.exe
4612	nBuUMNB.exe
3340	dYYPNgB.exe
1128	lgnQSYH.exe
2096	PEOmSpr.exe
220	moZqjRs.exe
2308	rwBdOgu.exe
2756	dQnpCMf.exe
4916	jIfFKAm.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1396-0-0x00007FF794D10000-0x00007FF795064000-memory.dmp	upx
behavioral2/files/0x0008000000023492-5.dat	upx
behavioral2/memory/4644-6-0x00007FF75EFA0000-0x00007FF75F2F4000-memory.dmp	upx
behavioral2/files/0x0007000000023493-11.dat	upx
behavioral2/files/0x0007000000023494-10.dat	upx
behavioral2/memory/3232-18-0x00007FF7CBC30000-0x00007FF7CBF84000-memory.dmp	upx
behavioral2/memory/2868-17-0x00007FF7B6D00000-0x00007FF7B7054000-memory.dmp	upx
behavioral2/files/0x0007000000023495-22.dat	upx
behavioral2/files/0x0008000000023490-30.dat	upx
behavioral2/memory/2060-31-0x00007FF64EBA0000-0x00007FF64EEF4000-memory.dmp	upx
behavioral2/files/0x0007000000023496-35.dat	upx
behavioral2/files/0x0007000000023497-42.dat	upx
behavioral2/files/0x0007000000023499-49.dat	upx
behavioral2/files/0x000700000002349a-58.dat	upx
behavioral2/memory/3976-59-0x00007FF795FA0000-0x00007FF7962F4000-memory.dmp	upx
behavioral2/memory/1616-62-0x00007FF61FD90000-0x00007FF6200E4000-memory.dmp	upx
behavioral2/memory/1396-74-0x00007FF794D10000-0x00007FF795064000-memory.dmp	upx
behavioral2/files/0x000700000002349d-80.dat	upx
behavioral2/memory/4612-85-0x00007FF65DE60000-0x00007FF65E1B4000-memory.dmp	upx
behavioral2/files/0x000700000002349e-83.dat	upx
behavioral2/memory/2952-82-0x00007FF7920F0000-0x00007FF792444000-memory.dmp	upx
behavioral2/memory/4644-81-0x00007FF75EFA0000-0x00007FF75F2F4000-memory.dmp	upx
behavioral2/memory/2816-79-0x00007FF7F5860000-0x00007FF7F5BB4000-memory.dmp	upx
behavioral2/memory/5032-78-0x00007FF631550000-0x00007FF6318A4000-memory.dmp	upx
behavioral2/files/0x000700000002349c-75.dat	upx
behavioral2/files/0x000700000002349b-70.dat	upx
behavioral2/memory/3516-57-0x00007FF686060000-0x00007FF6863B4000-memory.dmp	upx
behavioral2/files/0x0007000000023498-51.dat	upx
behavioral2/memory/3248-46-0x00007FF773C00000-0x00007FF773F54000-memory.dmp	upx
behavioral2/memory/3952-39-0x00007FF693840000-0x00007FF693B94000-memory.dmp	upx
behavioral2/memory/3496-26-0x00007FF709690000-0x00007FF7099E4000-memory.dmp	upx
behavioral2/files/0x000700000002349f-92.dat	upx
behavioral2/files/0x0004000000022a49-99.dat	upx
behavioral2/memory/3496-101-0x00007FF709690000-0x00007FF7099E4000-memory.dmp	upx
behavioral2/memory/1128-102-0x00007FF624DA0000-0x00007FF6250F4000-memory.dmp	upx
behavioral2/memory/2060-108-0x00007FF64EBA0000-0x00007FF64EEF4000-memory.dmp	upx
behavioral2/files/0x000b000000023406-111.dat	upx
behavioral2/files/0x000e000000023407-116.dat	upx
behavioral2/files/0x00070000000234a1-121.dat	upx
behavioral2/memory/3516-125-0x00007FF686060000-0x00007FF6863B4000-memory.dmp	upx
behavioral2/files/0x00070000000234a2-131.dat	upx
behavioral2/memory/2756-128-0x00007FF6E2C70000-0x00007FF6E2FC4000-memory.dmp	upx
behavioral2/memory/2308-120-0x00007FF6AD4A0000-0x00007FF6AD7F4000-memory.dmp	upx
behavioral2/files/0x0014000000023401-118.dat	upx
behavioral2/memory/220-113-0x00007FF6A6510000-0x00007FF6A6864000-memory.dmp	upx
behavioral2/memory/2096-110-0x00007FF7C14E0000-0x00007FF7C1834000-memory.dmp	upx
behavioral2/memory/3340-95-0x00007FF706690000-0x00007FF7069E4000-memory.dmp	upx
behavioral2/memory/3232-94-0x00007FF7CBC30000-0x00007FF7CBF84000-memory.dmp	upx
behavioral2/memory/1616-133-0x00007FF61FD90000-0x00007FF6200E4000-memory.dmp	upx
behavioral2/memory/4916-134-0x00007FF7726F0000-0x00007FF772A44000-memory.dmp	upx
behavioral2/memory/2952-135-0x00007FF7920F0000-0x00007FF792444000-memory.dmp	upx
behavioral2/memory/4612-136-0x00007FF65DE60000-0x00007FF65E1B4000-memory.dmp	upx
behavioral2/memory/2096-137-0x00007FF7C14E0000-0x00007FF7C1834000-memory.dmp	upx
behavioral2/memory/2308-138-0x00007FF6AD4A0000-0x00007FF6AD7F4000-memory.dmp	upx
behavioral2/memory/2756-139-0x00007FF6E2C70000-0x00007FF6E2FC4000-memory.dmp	upx
behavioral2/memory/4644-140-0x00007FF75EFA0000-0x00007FF75F2F4000-memory.dmp	upx
behavioral2/memory/2868-141-0x00007FF7B6D00000-0x00007FF7B7054000-memory.dmp	upx
behavioral2/memory/3232-142-0x00007FF7CBC30000-0x00007FF7CBF84000-memory.dmp	upx
behavioral2/memory/3496-143-0x00007FF709690000-0x00007FF7099E4000-memory.dmp	upx
behavioral2/memory/2060-144-0x00007FF64EBA0000-0x00007FF64EEF4000-memory.dmp	upx
behavioral2/memory/3952-145-0x00007FF693840000-0x00007FF693B94000-memory.dmp	upx
behavioral2/memory/3248-146-0x00007FF773C00000-0x00007FF773F54000-memory.dmp	upx
behavioral2/memory/3976-147-0x00007FF795FA0000-0x00007FF7962F4000-memory.dmp	upx
behavioral2/memory/3516-148-0x00007FF686060000-0x00007FF6863B4000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\pdGkeye.exe	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\lgnQSYH.exe	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\rwBdOgu.exe	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ltzLXZt.exe	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\RTWlYKE.exe	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\IzZEXCl.exe	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\kReawjp.exe	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\nBuUMNB.exe	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\dYYPNgB.exe	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\PEOmSpr.exe	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\jIfFKAm.exe	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\GSPSZOY.exe	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\oMIRVoD.exe	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\UHhuKwk.exe	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\jvvvFfm.exe	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\dQnpCMf.exe	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\zJTpavT.exe	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\RVHLMah.exe	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\kgFqsmc.exe	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\NDYCUXB.exe	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\moZqjRs.exe	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1396	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	1396	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 1396 wrote to memory of 4644	1396	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe	82
PID 1396 wrote to memory of 4644	1396	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe	82
PID 1396 wrote to memory of 2868	1396	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe	84
PID 1396 wrote to memory of 2868	1396	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe	84
PID 1396 wrote to memory of 3232	1396	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe	85
PID 1396 wrote to memory of 3232	1396	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe	85
PID 1396 wrote to memory of 3496	1396	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe	87
PID 1396 wrote to memory of 3496	1396	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe	87
PID 1396 wrote to memory of 2060	1396	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe	88
PID 1396 wrote to memory of 2060	1396	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe	88
PID 1396 wrote to memory of 3952	1396	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe	89
PID 1396 wrote to memory of 3952	1396	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe	89
PID 1396 wrote to memory of 3248	1396	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe	90
PID 1396 wrote to memory of 3248	1396	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe	90
PID 1396 wrote to memory of 3516	1396	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe	91
PID 1396 wrote to memory of 3516	1396	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe	91
PID 1396 wrote to memory of 3976	1396	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe	92
PID 1396 wrote to memory of 3976	1396	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe	92
PID 1396 wrote to memory of 1616	1396	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe	93
PID 1396 wrote to memory of 1616	1396	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe	93
PID 1396 wrote to memory of 5032	1396	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe	94
PID 1396 wrote to memory of 5032	1396	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe	94
PID 1396 wrote to memory of 2816	1396	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe	95
PID 1396 wrote to memory of 2816	1396	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe	95
PID 1396 wrote to memory of 4612	1396	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe	96
PID 1396 wrote to memory of 4612	1396	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe	96
PID 1396 wrote to memory of 2952	1396	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe	97
PID 1396 wrote to memory of 2952	1396	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe	97
PID 1396 wrote to memory of 3340	1396	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe	99
PID 1396 wrote to memory of 3340	1396	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe	99
PID 1396 wrote to memory of 1128	1396	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe	100
PID 1396 wrote to memory of 1128	1396	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe	100
PID 1396 wrote to memory of 2096	1396	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe	101
PID 1396 wrote to memory of 2096	1396	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe	101
PID 1396 wrote to memory of 220	1396	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe	102
PID 1396 wrote to memory of 220	1396	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe	102
PID 1396 wrote to memory of 2308	1396	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe	103
PID 1396 wrote to memory of 2308	1396	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe	103
PID 1396 wrote to memory of 2756	1396	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe	104
PID 1396 wrote to memory of 2756	1396	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe	104
PID 1396 wrote to memory of 4916	1396	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe	105
PID 1396 wrote to memory of 4916	1396	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe	105

C:\Users\Admin\AppData\Local\Temp\2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1396
- C:\Windows\System\ltzLXZt.exe
  C:\Windows\System\ltzLXZt.exe
  2⤵
  - Executes dropped EXE
  PID:4644
- C:\Windows\System\GSPSZOY.exe
  C:\Windows\System\GSPSZOY.exe
  2⤵
  - Executes dropped EXE
  PID:2868
- C:\Windows\System\oMIRVoD.exe
  C:\Windows\System\oMIRVoD.exe
  2⤵
  - Executes dropped EXE
  PID:3232
- C:\Windows\System\pdGkeye.exe
  C:\Windows\System\pdGkeye.exe
  2⤵
  - Executes dropped EXE
  PID:3496
- C:\Windows\System\RTWlYKE.exe
  C:\Windows\System\RTWlYKE.exe
  2⤵
  - Executes dropped EXE
  PID:2060
- C:\Windows\System\zJTpavT.exe
  C:\Windows\System\zJTpavT.exe
  2⤵
  - Executes dropped EXE
  PID:3952
- C:\Windows\System\RVHLMah.exe
  C:\Windows\System\RVHLMah.exe
  2⤵
  - Executes dropped EXE
  PID:3248
- C:\Windows\System\IzZEXCl.exe
  C:\Windows\System\IzZEXCl.exe
  2⤵
  - Executes dropped EXE
  PID:3516
- C:\Windows\System\kgFqsmc.exe
  C:\Windows\System\kgFqsmc.exe
  2⤵
  - Executes dropped EXE
  PID:3976
- C:\Windows\System\NDYCUXB.exe
  C:\Windows\System\NDYCUXB.exe
  2⤵
  - Executes dropped EXE
  PID:1616
- C:\Windows\System\UHhuKwk.exe
  C:\Windows\System\UHhuKwk.exe
  2⤵
  - Executes dropped EXE
  PID:5032
- C:\Windows\System\kReawjp.exe
  C:\Windows\System\kReawjp.exe
  2⤵
  - Executes dropped EXE
  PID:2816
- C:\Windows\System\nBuUMNB.exe
  C:\Windows\System\nBuUMNB.exe
  2⤵
  - Executes dropped EXE
  PID:4612
- C:\Windows\System\jvvvFfm.exe
  C:\Windows\System\jvvvFfm.exe
  2⤵
  - Executes dropped EXE
  PID:2952
- C:\Windows\System\dYYPNgB.exe
  C:\Windows\System\dYYPNgB.exe
  2⤵
  - Executes dropped EXE
  PID:3340
- C:\Windows\System\lgnQSYH.exe
  C:\Windows\System\lgnQSYH.exe
  2⤵
  - Executes dropped EXE
  PID:1128
- C:\Windows\System\PEOmSpr.exe
  C:\Windows\System\PEOmSpr.exe
  2⤵
  - Executes dropped EXE
  PID:2096
- C:\Windows\System\moZqjRs.exe
  C:\Windows\System\moZqjRs.exe
  2⤵
  - Executes dropped EXE
  PID:220
- C:\Windows\System\rwBdOgu.exe
  C:\Windows\System\rwBdOgu.exe
  2⤵
  - Executes dropped EXE
  PID:2308
- C:\Windows\System\dQnpCMf.exe
  C:\Windows\System\dQnpCMf.exe
  2⤵
  - Executes dropped EXE
  PID:2756
- C:\Windows\System\jIfFKAm.exe
  C:\Windows\System\jIfFKAm.exe
  2⤵
  - Executes dropped EXE
  PID:4916

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\GSPSZOY.exe

Filesize
5.9MB

MD5
ea9cf36e807a07e007e3435dabc98375

SHA1
cdd08b658eb406ec85be805210fa707c40d89985

SHA256
818b79bb51d4fd3ea10e092c6086c947505e279bcd9dcdd03e31580f63f61c54

SHA512
68fb9a988459e455093e36e21094a665e50e040bb3c4928c81b7e1bdb7a8377282f0762ca3a4e8ab7f6a8d5f30206e53a0ded158df38fde743d05219fc7f7c58

Download Submit
C:\Windows\System\IzZEXCl.exe

Filesize
5.9MB

MD5
fab45e3d0eed0660d5bd0999fe393078

SHA1
5525538e982a078ae4b198477325f5c4f97f4cbf

SHA256
7f9ceb0110401cdbd1ad72ae57ffd46acf66f9ce79840869ff0d1a4bce7897a5

SHA512
b976492f39f66330bf6efe7931d6ff786d295a23b7125a81206c5c99d4ec5f7bc1d86a827feb2252263adb1e870acbadf472cb68402f021f5eb4928184dba143

Download Submit
C:\Windows\System\NDYCUXB.exe

Filesize
5.9MB

MD5
12b088659ecf8d402198fecf460c8215

SHA1
fdbaa5f78243c3e883ed6ccc8e54c431d1a46ca3

SHA256
29279bd3dd5d3b804f5bf3360898a84e8c56421c6bbf329e672ddcdeaad13ce0

SHA512
bb15769e061be1df938961f683f26aec8f92ffaf6f4092d8cba414778b81508aa303b2432bff074ea307ecfef0fa99119d2ba9e9ded0cd52e38bfb834aeb9f71

Download Submit
C:\Windows\System\PEOmSpr.exe

Filesize
5.9MB

MD5
f6882063a0df77107c26c7ad5b690e0f

SHA1
ae2f1017e4d858378e745b01dc3991937f3867cf

SHA256
7550f8c96ceb4cb1d155fa4571827985091a5ad6d5fd8339c96042434ba311b1

SHA512
6a5afbb58d0b2216c1b14bc8b89ea4ba1b60f611acf09983745bda7be12d91ae9caeaad13f87da832e62ec1546b17a69a52f901136c350d2419707b907d1261d

Download Submit
C:\Windows\System\RTWlYKE.exe

Filesize
5.9MB

MD5
10693292d64d6a785faf4e9b0749daa3

SHA1
5184ef1de71e9d0f0b48745619b894da2103f9a4

SHA256
fbe928999d9b3ba165e735d5dde3ed40391176efa493ec358e608889f4141a6b

SHA512
a250b949de79a44b887a22b85be3a550c8f0f711e0e5be818ed0998e93e34897f4807a1ccc77cdb7e1556caea7bfd6ac385d7ad71c94e346dfc3af71db7ca951

Download Submit
C:\Windows\System\RVHLMah.exe

Filesize
5.9MB

MD5
6ad4a117771c3685e0de35df0f82df15

SHA1
5e80ba088a8c9a6c57f5414e74d75bbc864b4c06

SHA256
e5b487ba6fa770fa42ad7ce28d5e3d5f85a833d39c7b56204b93f1c66b7c991e

SHA512
560cc3c79f5c48e813bcadde650e73879ec4df1afe17c3884f6a2eeceac89912a01f803198f450b3fbd4f4661f5f7ae0230ed1206691c1458f13ffcc06980670

Download Submit
C:\Windows\System\UHhuKwk.exe

Filesize
5.9MB

MD5
955510f33493765fa5156652dde2d165

SHA1
1c84e166c79fdfdd49cb933ae7a1ed8d11744392

SHA256
2bc91cf43fd9c3b950063f052810927f97930100d95af675a4bc7abc4e290ca0

SHA512
543c13bef12cb121fc2695173417e7e1a8a74eaef717f13610ef11b758598a78fa129972989b95695d0a4795282133b4f849571bf8dde766333acb90fe4b6d6c

Download Submit
C:\Windows\System\dQnpCMf.exe

Filesize
5.9MB

MD5
da4cfd67672cab47c4d02072ea02570b

SHA1
f9ebe0afcf56e97efe560ff4e32f4c6dff15187b

SHA256
18cafb7e8c9ad44badf6f098517a2ff2f913a1483a2cf0a683e249e63bdba213

SHA512
a437e2a13c3d3558e05497e44582a0186dcde1c11b22e02c83686546d6b50302f69927f5841559fb062335b7bc0fa58daeae3c39e1a271253efe900e73c0ea8d

Download Submit
C:\Windows\System\dYYPNgB.exe

Filesize
5.9MB

MD5
5c7d52260125b33b76b15e6ae2143b59

SHA1
aaede6d2b9d0c75295cc6e3ad7f521ee0f38747a

SHA256
e6c45dd921c7cb81f0bf08b7c002f47ca78098fa9522cf67909ecc55c610549c

SHA512
5c84552b6624a7e1d6912996f1aaa58b843808183c9e11f3b1c75cb765e867f93b983bcaed6729187a51a21e9e6341d9ecbd9683981b342c49a9761068ed7694

Download Submit
C:\Windows\System\jIfFKAm.exe

Filesize
5.9MB

MD5
29291b245cc7d8703c241a192d5e150d

SHA1
bb15c965df16e7131b758ae850ce2832aee9ee47

SHA256
d1afc3f366630ed7e3d74ff3a909889a428467cefb7724efd69ca0d4ffba8744

SHA512
e85564c54b33d595193036473b7f50d5a003b4b3286ff7d04ab49eb4d950b93e46cb7933d10d98dd34ba098921e0c4afd47fe7acde5aec551c1b88fb34c595e9

Download Submit
C:\Windows\System\jvvvFfm.exe

Filesize
5.9MB

MD5
0d3a33ab308cfad4e4441ea2dc8525f9

SHA1
15b83c58185ab2f23bd4acfb6fd3464b69c65e64

SHA256
369f1f338dea04c3748864a4d61e58fc94e6535094eec9c16b8a15511434bf77

SHA512
ff2b664a59893d28197e8bf235a3dd356dae73e8844cadfb285d8aa562a0c8a086a2f2992a7f0aae9c31452ca28e2ba9ef18367c2040f79a6ccf6f72f978545a

Download Submit
C:\Windows\System\kReawjp.exe

Filesize
5.9MB

MD5
560933f19181dcbac9dd57d332cd48f0

SHA1
4dc4d59e8fe1fe966af49b7d78d9478b5d6c9b4b

SHA256
5340aa39aa31f48419615166c9bdd0c1e400f15be400eab20b0b3de8e4916544

SHA512
5dc1cbf015b6054956ce06351b1edabaa382153c4cfe3bc02abda2d35ac4b3569339877c41de51a862662a33aa680624c08eebec8e8a031d697fb5a17899332a

Download Submit
C:\Windows\System\kgFqsmc.exe

Filesize
5.9MB

MD5
9e29663a0444f42081aeca068fcc5bb6

SHA1
20f2d47a2d22630bb02a9679d2a17a79712a17c7

SHA256
321bf2b78ee19bf220badb30831df66c15c5d770bfdc1f3c04e1dc3a6e164990

SHA512
5661942fd323c9e8b466bcecaabeea50b4a4ea20dd21180d531a89088fdb7aa1211438338dcf69685705a8255bfbdaf174954b2fe23d84433e7ed265f16d164c

Download Submit
C:\Windows\System\lgnQSYH.exe

Filesize
5.9MB

MD5
698e8da0e3f7ec4900ff7b0a26915629

SHA1
350294ba61f6100c870be761e1af1b4d9b3632c8

SHA256
7e0540c3704fecdfa167f3b0465b39e2c6d445a4a03c6ee9e891d37a52aa737b

SHA512
4bcce0f9fe0ed8f594b8ffa11991832110bca32991a54a849a4018dd63857b3c6029b42d7b8b4b5861ceac0749f90737d940e182b89f131e00b7bb5fd337859f

Download Submit
C:\Windows\System\ltzLXZt.exe

Filesize
5.9MB

MD5
171c8bc5e2a177dbe45efc07b2e70e5b

SHA1
9cfd1a19f6b00995befdc5c0c9423e1d536c5602

SHA256
08aaca0b24f6697e03f48eb30a62afb278b5664a609d4375bce4669c9bc84331

SHA512
4395d454eb99bac095956020c9bb8d64d74a2b87bc1c7bc4b2b753a6ecdcc792ff464094b185f97e42af5c405f3752fad53599494a6d79d0ae6a4bedd6432fd2

Download Submit
C:\Windows\System\moZqjRs.exe

Filesize
5.9MB

MD5
5a7d19dc052ec9603babf5ba679ad1d9

SHA1
94b35d366330ec3837502c5018f86618d50f15ad

SHA256
1d17af3a1af98657e94f797bf9eb664f6140103ff93f1bd98e61ba91d15ef516

SHA512
9d272f7e262867686fde58e105e37a80194fa7c0ccc450e3e31363ee1b0e0e7446f1245d885cbedc41cf5f6801d2d134f339f9781c16de76c3792629f68e56ec

Download Submit
C:\Windows\System\nBuUMNB.exe

Filesize
5.9MB

MD5
1d1d248272faa8e9a4ff7677c8dbaee9

SHA1
5be160a57dd3b1351f803a435fdadef205915a4b

SHA256
7e2ba603218dac44e49b07878cc34bf4d0b3201b3fc8370a7787f74c2cbffe31

SHA512
80d64bd5402e21c95e500c6058bc6dd9f1051e67869dd82c800a3c5cb49a5f5012498ac415d2a023780d5e3901f6670d5cd36c0a1dc624d74d9ef273b578fdd4

Download Submit
C:\Windows\System\oMIRVoD.exe

Filesize
5.9MB

MD5
a0e71066bc77e1492754f637aa425c65

SHA1
7568eb9ed9d9966c3849b70d0e8ef9ce138713d2

SHA256
548995c14f21df75a324ec730dd1e3a60f6c8ac901d0a11d1f9a8e2a41a1424d

SHA512
4c76178bafb70bd6d18cd3daa466d03497ecd26c28467e29e7adfb7238d132169f6f007059a6fc9ec7b9027c28841edd7b5dc441e78e150d3887739cca318c4a

Download Submit
C:\Windows\System\pdGkeye.exe

Filesize
5.9MB

MD5
f44e58e8fa1c7897f17f4e6756974157

SHA1
67ab92691aba32daf0e9b6f9ba394f11169544eb

SHA256
c648e93ae8118ff518fc9a1c9a26d22204610bbc782ddd88efb289220289a68c

SHA512
c9ab777534ac526da7a45ba2d9ab02e98fdc1514676091196de169876570baa256524e81f6953c433854ab9e21a230ab1d1be9636412f4bbe2792633653540ba

Download Submit
C:\Windows\System\rwBdOgu.exe

Filesize
5.9MB

MD5
19f88f82b849bf8ebe4b7ede43fb6a12

SHA1
236a7755999fc14322504cd3a631ac8e2beeec08

SHA256
1f02767afdb69db992e4105d3ab933c6e27c6010cb7ad5f5ef77678a8cf88ed8

SHA512
277ca90fb065306e379224112232a557c766480c9d05981efc88444bc3a7302de830beca18d0ffc0d460c60682aefe77b7a3ccd299295d7f26f5cc1026ddd2d0

Download Submit
C:\Windows\System\zJTpavT.exe

Filesize
5.9MB

MD5
022405cb4752549a0e731c016b49fdd3

SHA1
0e348cc7b8f573b8b09dbb41368ff5b7221270ac

SHA256
75caeed79f9b63d45daa8e760d1a850444d63351b6e61927f88687b35a1f5dd5

SHA512
0a753e2f28a391ecc329fc6c6cbbfb571599e1b301cf8cee3878f9bbef304ecc7da6637aad393a5c2eedf77d95cea5764bc88ad9b027bb78e44ea70c91d2876a

Download Submit
memory/220-156-0x00007FF6A6510000-0x00007FF6A6864000-memory.dmp

Filesize
3.3MB

Download
memory/220-113-0x00007FF6A6510000-0x00007FF6A6864000-memory.dmp

Filesize
3.3MB

Download
memory/1128-155-0x00007FF624DA0000-0x00007FF6250F4000-memory.dmp

Filesize
3.3MB

Download
memory/1128-102-0x00007FF624DA0000-0x00007FF6250F4000-memory.dmp

Filesize
3.3MB

Download
memory/1396-1-0x0000021F8EA00000-0x0000021F8EA10000-memory.dmp

Filesize
64KB

Download
memory/1396-74-0x00007FF794D10000-0x00007FF795064000-memory.dmp

Filesize
3.3MB

Download
memory/1396-0-0x00007FF794D10000-0x00007FF795064000-memory.dmp

Filesize
3.3MB

Download
memory/1616-62-0x00007FF61FD90000-0x00007FF6200E4000-memory.dmp

Filesize
3.3MB

Download
memory/1616-150-0x00007FF61FD90000-0x00007FF6200E4000-memory.dmp

Filesize
3.3MB

Download
memory/1616-133-0x00007FF61FD90000-0x00007FF6200E4000-memory.dmp

Filesize
3.3MB

Download
memory/2060-31-0x00007FF64EBA0000-0x00007FF64EEF4000-memory.dmp

Filesize
3.3MB

Download
memory/2060-144-0x00007FF64EBA0000-0x00007FF64EEF4000-memory.dmp

Filesize
3.3MB

Download
memory/2060-108-0x00007FF64EBA0000-0x00007FF64EEF4000-memory.dmp

Filesize
3.3MB

Download
memory/2096-137-0x00007FF7C14E0000-0x00007FF7C1834000-memory.dmp

Filesize
3.3MB

Download
memory/2096-157-0x00007FF7C14E0000-0x00007FF7C1834000-memory.dmp

Filesize
3.3MB

Download
memory/2096-110-0x00007FF7C14E0000-0x00007FF7C1834000-memory.dmp

Filesize
3.3MB

Download
memory/2308-138-0x00007FF6AD4A0000-0x00007FF6AD7F4000-memory.dmp

Filesize
3.3MB

Download
memory/2308-120-0x00007FF6AD4A0000-0x00007FF6AD7F4000-memory.dmp

Filesize
3.3MB

Download
memory/2308-158-0x00007FF6AD4A0000-0x00007FF6AD7F4000-memory.dmp

Filesize
3.3MB

Download
memory/2756-139-0x00007FF6E2C70000-0x00007FF6E2FC4000-memory.dmp

Filesize
3.3MB

Download
memory/2756-128-0x00007FF6E2C70000-0x00007FF6E2FC4000-memory.dmp

Filesize
3.3MB

Download
memory/2756-160-0x00007FF6E2C70000-0x00007FF6E2FC4000-memory.dmp

Filesize
3.3MB

Download
memory/2816-152-0x00007FF7F5860000-0x00007FF7F5BB4000-memory.dmp

Filesize
3.3MB

Download
memory/2816-79-0x00007FF7F5860000-0x00007FF7F5BB4000-memory.dmp

Filesize
3.3MB

Download
memory/2868-141-0x00007FF7B6D00000-0x00007FF7B7054000-memory.dmp

Filesize
3.3MB

Download
memory/2868-17-0x00007FF7B6D00000-0x00007FF7B7054000-memory.dmp

Filesize
3.3MB

Download
memory/2952-135-0x00007FF7920F0000-0x00007FF792444000-memory.dmp

Filesize
3.3MB

Download
memory/2952-153-0x00007FF7920F0000-0x00007FF792444000-memory.dmp

Filesize
3.3MB

Download
memory/2952-82-0x00007FF7920F0000-0x00007FF792444000-memory.dmp

Filesize
3.3MB

Download
memory/3232-94-0x00007FF7CBC30000-0x00007FF7CBF84000-memory.dmp

Filesize
3.3MB

Download
memory/3232-142-0x00007FF7CBC30000-0x00007FF7CBF84000-memory.dmp

Filesize
3.3MB

Download
memory/3232-18-0x00007FF7CBC30000-0x00007FF7CBF84000-memory.dmp

Filesize
3.3MB

Download
memory/3248-46-0x00007FF773C00000-0x00007FF773F54000-memory.dmp

Filesize
3.3MB

Download
memory/3248-146-0x00007FF773C00000-0x00007FF773F54000-memory.dmp

Filesize
3.3MB

Download
memory/3340-154-0x00007FF706690000-0x00007FF7069E4000-memory.dmp

Filesize
3.3MB

Download
memory/3340-95-0x00007FF706690000-0x00007FF7069E4000-memory.dmp

Filesize
3.3MB

Download
memory/3496-26-0x00007FF709690000-0x00007FF7099E4000-memory.dmp

Filesize
3.3MB

Download
memory/3496-143-0x00007FF709690000-0x00007FF7099E4000-memory.dmp

Filesize
3.3MB

Download
memory/3496-101-0x00007FF709690000-0x00007FF7099E4000-memory.dmp

Filesize
3.3MB

Download
memory/3516-125-0x00007FF686060000-0x00007FF6863B4000-memory.dmp

Filesize
3.3MB

Download
memory/3516-57-0x00007FF686060000-0x00007FF6863B4000-memory.dmp

Filesize
3.3MB

Download
memory/3516-148-0x00007FF686060000-0x00007FF6863B4000-memory.dmp

Filesize
3.3MB

Download
memory/3952-145-0x00007FF693840000-0x00007FF693B94000-memory.dmp

Filesize
3.3MB

Download
memory/3952-39-0x00007FF693840000-0x00007FF693B94000-memory.dmp

Filesize
3.3MB

Download
memory/3976-147-0x00007FF795FA0000-0x00007FF7962F4000-memory.dmp

Filesize
3.3MB

Download
memory/3976-59-0x00007FF795FA0000-0x00007FF7962F4000-memory.dmp

Filesize
3.3MB

Download
memory/4612-151-0x00007FF65DE60000-0x00007FF65E1B4000-memory.dmp

Filesize
3.3MB

Download
memory/4612-136-0x00007FF65DE60000-0x00007FF65E1B4000-memory.dmp

Filesize
3.3MB

Download
memory/4612-85-0x00007FF65DE60000-0x00007FF65E1B4000-memory.dmp

Filesize
3.3MB

Download
memory/4644-140-0x00007FF75EFA0000-0x00007FF75F2F4000-memory.dmp

Filesize
3.3MB

Download
memory/4644-6-0x00007FF75EFA0000-0x00007FF75F2F4000-memory.dmp

Filesize
3.3MB

Download
memory/4644-81-0x00007FF75EFA0000-0x00007FF75F2F4000-memory.dmp

Filesize
3.3MB

Download
memory/4916-134-0x00007FF7726F0000-0x00007FF772A44000-memory.dmp

Filesize
3.3MB

Download
memory/4916-159-0x00007FF7726F0000-0x00007FF772A44000-memory.dmp

Filesize
3.3MB

Download
memory/5032-149-0x00007FF631550000-0x00007FF6318A4000-memory.dmp

Filesize
3.3MB

Download
memory/5032-78-0x00007FF631550000-0x00007FF6318A4000-memory.dmp

Filesize
3.3MB

Download