cobaltstrike | 149b3353f6c4f1a2f720c11b5c4271c953b717c881f9d14bc14a417a87797c0b

Analysis

max time kernel
145s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
03-06-2024 19:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-03_56c7b322072d0b5c7ea4ba71527a0a86_cobalt-strike_cobaltstrike.exe
Size

5.9MB
MD5

56c7b322072d0b5c7ea4ba71527a0a86
SHA1

620f80faa98923f75e7f87b8f033981125d16dea
SHA256

149b3353f6c4f1a2f720c11b5c4271c953b717c881f9d14bc14a417a87797c0b
SHA512

3c306c39acfef282181f340685153161bbf97314a471a8c9b137d8be26fb5f57594b96c8a7900224946beea7ae193ae6013dd840cc658a12128e07e6add7b1dd
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUq:Q+856utgpPF8u/7q

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000800000002340f-5.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023413-11.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023414-10.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023416-29.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023410-30.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023415-22.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023417-36.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023419-57.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002341b-65.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002341a-61.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023418-51.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002341c-71.dat	cobalt_reflective_dll
behavioral2/files/0x000400000002296c-76.dat	cobalt_reflective_dll
behavioral2/files/0x0003000000022974-82.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023386-90.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002341e-92.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023420-107.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002341f-105.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023421-112.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023422-118.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023423-125.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

resource	yara_rule
behavioral2/files/0x000800000002340f-5.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023413-11.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023414-10.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023416-29.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0008000000023410-30.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023415-22.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023417-36.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023419-57.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002341b-65.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002341a-61.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023418-51.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002341c-71.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000400000002296c-76.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0003000000022974-82.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000a000000023386-90.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002341e-92.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023420-107.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002341f-105.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023421-112.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023422-118.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023423-125.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

resource	yara_rule
behavioral2/memory/3260-0-0x00007FF6098F0000-0x00007FF609C44000-memory.dmp	UPX
behavioral2/files/0x000800000002340f-5.dat	UPX
behavioral2/memory/224-8-0x00007FF626550000-0x00007FF6268A4000-memory.dmp	UPX
behavioral2/files/0x0007000000023413-11.dat	UPX
behavioral2/files/0x0007000000023414-10.dat	UPX
behavioral2/memory/3088-25-0x00007FF7D0820000-0x00007FF7D0B74000-memory.dmp	UPX
behavioral2/memory/4672-32-0x00007FF7D2160000-0x00007FF7D24B4000-memory.dmp	UPX
behavioral2/memory/4868-31-0x00007FF683100000-0x00007FF683454000-memory.dmp	UPX
behavioral2/files/0x0007000000023416-29.dat	UPX
behavioral2/files/0x0008000000023410-30.dat	UPX
behavioral2/files/0x0007000000023415-22.dat	UPX
behavioral2/memory/1384-38-0x00007FF744A00000-0x00007FF744D54000-memory.dmp	UPX
behavioral2/files/0x0007000000023417-36.dat	UPX
behavioral2/files/0x0007000000023419-57.dat	UPX
behavioral2/files/0x000700000002341b-65.dat	UPX
behavioral2/memory/1692-68-0x00007FF6DD4D0000-0x00007FF6DD824000-memory.dmp	UPX
behavioral2/memory/1292-67-0x00007FF676A10000-0x00007FF676D64000-memory.dmp	UPX
behavioral2/files/0x000700000002341a-61.dat	UPX
behavioral2/memory/2168-60-0x00007FF68FE60000-0x00007FF6901B4000-memory.dmp	UPX
behavioral2/memory/364-59-0x00007FF605300000-0x00007FF605654000-memory.dmp	UPX
behavioral2/memory/2912-56-0x00007FF7605A0000-0x00007FF7608F4000-memory.dmp	UPX
behavioral2/files/0x0007000000023418-51.dat	UPX
behavioral2/memory/1160-43-0x00007FF657FF0000-0x00007FF658344000-memory.dmp	UPX
behavioral2/files/0x000700000002341c-71.dat	UPX
behavioral2/memory/1636-72-0x00007FF73CE30000-0x00007FF73D184000-memory.dmp	UPX
behavioral2/files/0x000400000002296c-76.dat	UPX
behavioral2/files/0x0003000000022974-82.dat	UPX
behavioral2/memory/4732-86-0x00007FF6D1B10000-0x00007FF6D1E64000-memory.dmp	UPX
behavioral2/memory/4840-78-0x00007FF794550000-0x00007FF7948A4000-memory.dmp	UPX
behavioral2/files/0x000a000000023386-90.dat	UPX
behavioral2/memory/1340-93-0x00007FF663820000-0x00007FF663B74000-memory.dmp	UPX
behavioral2/files/0x000700000002341e-92.dat	UPX
behavioral2/memory/1724-96-0x00007FF6E2F90000-0x00007FF6E32E4000-memory.dmp	UPX
behavioral2/files/0x0007000000023420-107.dat	UPX
behavioral2/files/0x000700000002341f-105.dat	UPX
behavioral2/files/0x0007000000023421-112.dat	UPX
behavioral2/files/0x0007000000023422-118.dat	UPX
behavioral2/memory/4072-121-0x00007FF66D8E0000-0x00007FF66DC34000-memory.dmp	UPX
behavioral2/files/0x0007000000023423-125.dat	UPX
behavioral2/memory/1160-129-0x00007FF657FF0000-0x00007FF658344000-memory.dmp	UPX
behavioral2/memory/2964-130-0x00007FF62EB40000-0x00007FF62EE94000-memory.dmp	UPX
behavioral2/memory/4672-128-0x00007FF7D2160000-0x00007FF7D24B4000-memory.dmp	UPX
behavioral2/memory/2172-127-0x00007FF601990000-0x00007FF601CE4000-memory.dmp	UPX
behavioral2/memory/2952-124-0x00007FF70A9C0000-0x00007FF70AD14000-memory.dmp	UPX
behavioral2/memory/4144-120-0x00007FF618F80000-0x00007FF6192D4000-memory.dmp	UPX
behavioral2/memory/3260-94-0x00007FF6098F0000-0x00007FF609C44000-memory.dmp	UPX
behavioral2/memory/2912-131-0x00007FF7605A0000-0x00007FF7608F4000-memory.dmp	UPX
behavioral2/memory/2168-132-0x00007FF68FE60000-0x00007FF6901B4000-memory.dmp	UPX
behavioral2/memory/1636-133-0x00007FF73CE30000-0x00007FF73D184000-memory.dmp	UPX
behavioral2/memory/4840-134-0x00007FF794550000-0x00007FF7948A4000-memory.dmp	UPX
behavioral2/memory/1340-135-0x00007FF663820000-0x00007FF663B74000-memory.dmp	UPX
behavioral2/memory/1724-136-0x00007FF6E2F90000-0x00007FF6E32E4000-memory.dmp	UPX
behavioral2/memory/224-137-0x00007FF626550000-0x00007FF6268A4000-memory.dmp	UPX
behavioral2/memory/3088-138-0x00007FF7D0820000-0x00007FF7D0B74000-memory.dmp	UPX
behavioral2/memory/1384-139-0x00007FF744A00000-0x00007FF744D54000-memory.dmp	UPX
behavioral2/memory/4868-140-0x00007FF683100000-0x00007FF683454000-memory.dmp	UPX
behavioral2/memory/4672-141-0x00007FF7D2160000-0x00007FF7D24B4000-memory.dmp	UPX
behavioral2/memory/1160-142-0x00007FF657FF0000-0x00007FF658344000-memory.dmp	UPX
behavioral2/memory/364-143-0x00007FF605300000-0x00007FF605654000-memory.dmp	UPX
behavioral2/memory/2912-144-0x00007FF7605A0000-0x00007FF7608F4000-memory.dmp	UPX
behavioral2/memory/1292-147-0x00007FF676A10000-0x00007FF676D64000-memory.dmp	UPX
behavioral2/memory/1692-146-0x00007FF6DD4D0000-0x00007FF6DD824000-memory.dmp	UPX
behavioral2/memory/2168-145-0x00007FF68FE60000-0x00007FF6901B4000-memory.dmp	UPX
behavioral2/memory/1636-148-0x00007FF73CE30000-0x00007FF73D184000-memory.dmp	UPX

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/3260-0-0x00007FF6098F0000-0x00007FF609C44000-memory.dmp	xmrig
behavioral2/files/0x000800000002340f-5.dat	xmrig
behavioral2/memory/224-8-0x00007FF626550000-0x00007FF6268A4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023413-11.dat	xmrig
behavioral2/files/0x0007000000023414-10.dat	xmrig
behavioral2/memory/3088-25-0x00007FF7D0820000-0x00007FF7D0B74000-memory.dmp	xmrig
behavioral2/memory/4672-32-0x00007FF7D2160000-0x00007FF7D24B4000-memory.dmp	xmrig
behavioral2/memory/4868-31-0x00007FF683100000-0x00007FF683454000-memory.dmp	xmrig
behavioral2/files/0x0007000000023416-29.dat	xmrig
behavioral2/files/0x0008000000023410-30.dat	xmrig
behavioral2/files/0x0007000000023415-22.dat	xmrig
behavioral2/memory/1384-38-0x00007FF744A00000-0x00007FF744D54000-memory.dmp	xmrig
behavioral2/files/0x0007000000023417-36.dat	xmrig
behavioral2/files/0x0007000000023419-57.dat	xmrig
behavioral2/files/0x000700000002341b-65.dat	xmrig
behavioral2/memory/1692-68-0x00007FF6DD4D0000-0x00007FF6DD824000-memory.dmp	xmrig
behavioral2/memory/1292-67-0x00007FF676A10000-0x00007FF676D64000-memory.dmp	xmrig
behavioral2/files/0x000700000002341a-61.dat	xmrig
behavioral2/memory/2168-60-0x00007FF68FE60000-0x00007FF6901B4000-memory.dmp	xmrig
behavioral2/memory/364-59-0x00007FF605300000-0x00007FF605654000-memory.dmp	xmrig
behavioral2/memory/2912-56-0x00007FF7605A0000-0x00007FF7608F4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023418-51.dat	xmrig
behavioral2/memory/1160-43-0x00007FF657FF0000-0x00007FF658344000-memory.dmp	xmrig
behavioral2/files/0x000700000002341c-71.dat	xmrig
behavioral2/memory/1636-72-0x00007FF73CE30000-0x00007FF73D184000-memory.dmp	xmrig
behavioral2/files/0x000400000002296c-76.dat	xmrig
behavioral2/files/0x0003000000022974-82.dat	xmrig
behavioral2/memory/4732-86-0x00007FF6D1B10000-0x00007FF6D1E64000-memory.dmp	xmrig
behavioral2/memory/4840-78-0x00007FF794550000-0x00007FF7948A4000-memory.dmp	xmrig
behavioral2/files/0x000a000000023386-90.dat	xmrig
behavioral2/memory/1340-93-0x00007FF663820000-0x00007FF663B74000-memory.dmp	xmrig
behavioral2/files/0x000700000002341e-92.dat	xmrig
behavioral2/memory/1724-96-0x00007FF6E2F90000-0x00007FF6E32E4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023420-107.dat	xmrig
behavioral2/files/0x000700000002341f-105.dat	xmrig
behavioral2/files/0x0007000000023421-112.dat	xmrig
behavioral2/files/0x0007000000023422-118.dat	xmrig
behavioral2/memory/4072-121-0x00007FF66D8E0000-0x00007FF66DC34000-memory.dmp	xmrig
behavioral2/files/0x0007000000023423-125.dat	xmrig
behavioral2/memory/1160-129-0x00007FF657FF0000-0x00007FF658344000-memory.dmp	xmrig
behavioral2/memory/2964-130-0x00007FF62EB40000-0x00007FF62EE94000-memory.dmp	xmrig
behavioral2/memory/4672-128-0x00007FF7D2160000-0x00007FF7D24B4000-memory.dmp	xmrig
behavioral2/memory/2172-127-0x00007FF601990000-0x00007FF601CE4000-memory.dmp	xmrig
behavioral2/memory/2952-124-0x00007FF70A9C0000-0x00007FF70AD14000-memory.dmp	xmrig
behavioral2/memory/4144-120-0x00007FF618F80000-0x00007FF6192D4000-memory.dmp	xmrig
behavioral2/memory/3260-94-0x00007FF6098F0000-0x00007FF609C44000-memory.dmp	xmrig
behavioral2/memory/2912-131-0x00007FF7605A0000-0x00007FF7608F4000-memory.dmp	xmrig
behavioral2/memory/2168-132-0x00007FF68FE60000-0x00007FF6901B4000-memory.dmp	xmrig
behavioral2/memory/1636-133-0x00007FF73CE30000-0x00007FF73D184000-memory.dmp	xmrig
behavioral2/memory/4840-134-0x00007FF794550000-0x00007FF7948A4000-memory.dmp	xmrig
behavioral2/memory/1340-135-0x00007FF663820000-0x00007FF663B74000-memory.dmp	xmrig
behavioral2/memory/1724-136-0x00007FF6E2F90000-0x00007FF6E32E4000-memory.dmp	xmrig
behavioral2/memory/224-137-0x00007FF626550000-0x00007FF6268A4000-memory.dmp	xmrig
behavioral2/memory/3088-138-0x00007FF7D0820000-0x00007FF7D0B74000-memory.dmp	xmrig
behavioral2/memory/1384-139-0x00007FF744A00000-0x00007FF744D54000-memory.dmp	xmrig
behavioral2/memory/4868-140-0x00007FF683100000-0x00007FF683454000-memory.dmp	xmrig
behavioral2/memory/4672-141-0x00007FF7D2160000-0x00007FF7D24B4000-memory.dmp	xmrig
behavioral2/memory/1160-142-0x00007FF657FF0000-0x00007FF658344000-memory.dmp	xmrig
behavioral2/memory/364-143-0x00007FF605300000-0x00007FF605654000-memory.dmp	xmrig
behavioral2/memory/2912-144-0x00007FF7605A0000-0x00007FF7608F4000-memory.dmp	xmrig
behavioral2/memory/1292-147-0x00007FF676A10000-0x00007FF676D64000-memory.dmp	xmrig
behavioral2/memory/1692-146-0x00007FF6DD4D0000-0x00007FF6DD824000-memory.dmp	xmrig
behavioral2/memory/2168-145-0x00007FF68FE60000-0x00007FF6901B4000-memory.dmp	xmrig
behavioral2/memory/1636-148-0x00007FF73CE30000-0x00007FF73D184000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
224	qRloAcs.exe
3088	yGVnsGS.exe
1384	GmpRlXz.exe
4868	yLlcYWH.exe
1160	cxOlcoq.exe
4672	fddAvXu.exe
2912	WgPgvCT.exe
364	bcVeghB.exe
1292	gHVvPvj.exe
1692	blfjgst.exe
2168	LvOlEdy.exe
1636	vPVSxaQ.exe
4840	iyZGwyj.exe
4732	hzTjZDy.exe
1340	pYpsWwn.exe
1724	MzTxtGt.exe
4144	AafMfsn.exe
4072	rudIeqe.exe
2952	nyyQeaA.exe
2172	sSqDeaO.exe
2964	FDKzNNO.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3260-0-0x00007FF6098F0000-0x00007FF609C44000-memory.dmp	upx
behavioral2/files/0x000800000002340f-5.dat	upx
behavioral2/memory/224-8-0x00007FF626550000-0x00007FF6268A4000-memory.dmp	upx
behavioral2/files/0x0007000000023413-11.dat	upx
behavioral2/files/0x0007000000023414-10.dat	upx
behavioral2/memory/3088-25-0x00007FF7D0820000-0x00007FF7D0B74000-memory.dmp	upx
behavioral2/memory/4672-32-0x00007FF7D2160000-0x00007FF7D24B4000-memory.dmp	upx
behavioral2/memory/4868-31-0x00007FF683100000-0x00007FF683454000-memory.dmp	upx
behavioral2/files/0x0007000000023416-29.dat	upx
behavioral2/files/0x0008000000023410-30.dat	upx
behavioral2/files/0x0007000000023415-22.dat	upx
behavioral2/memory/1384-38-0x00007FF744A00000-0x00007FF744D54000-memory.dmp	upx
behavioral2/files/0x0007000000023417-36.dat	upx
behavioral2/files/0x0007000000023419-57.dat	upx
behavioral2/files/0x000700000002341b-65.dat	upx
behavioral2/memory/1692-68-0x00007FF6DD4D0000-0x00007FF6DD824000-memory.dmp	upx
behavioral2/memory/1292-67-0x00007FF676A10000-0x00007FF676D64000-memory.dmp	upx
behavioral2/files/0x000700000002341a-61.dat	upx
behavioral2/memory/2168-60-0x00007FF68FE60000-0x00007FF6901B4000-memory.dmp	upx
behavioral2/memory/364-59-0x00007FF605300000-0x00007FF605654000-memory.dmp	upx
behavioral2/memory/2912-56-0x00007FF7605A0000-0x00007FF7608F4000-memory.dmp	upx
behavioral2/files/0x0007000000023418-51.dat	upx
behavioral2/memory/1160-43-0x00007FF657FF0000-0x00007FF658344000-memory.dmp	upx
behavioral2/files/0x000700000002341c-71.dat	upx
behavioral2/memory/1636-72-0x00007FF73CE30000-0x00007FF73D184000-memory.dmp	upx
behavioral2/files/0x000400000002296c-76.dat	upx
behavioral2/files/0x0003000000022974-82.dat	upx
behavioral2/memory/4732-86-0x00007FF6D1B10000-0x00007FF6D1E64000-memory.dmp	upx
behavioral2/memory/4840-78-0x00007FF794550000-0x00007FF7948A4000-memory.dmp	upx
behavioral2/files/0x000a000000023386-90.dat	upx
behavioral2/memory/1340-93-0x00007FF663820000-0x00007FF663B74000-memory.dmp	upx
behavioral2/files/0x000700000002341e-92.dat	upx
behavioral2/memory/1724-96-0x00007FF6E2F90000-0x00007FF6E32E4000-memory.dmp	upx
behavioral2/files/0x0007000000023420-107.dat	upx
behavioral2/files/0x000700000002341f-105.dat	upx
behavioral2/files/0x0007000000023421-112.dat	upx
behavioral2/files/0x0007000000023422-118.dat	upx
behavioral2/memory/4072-121-0x00007FF66D8E0000-0x00007FF66DC34000-memory.dmp	upx
behavioral2/files/0x0007000000023423-125.dat	upx
behavioral2/memory/1160-129-0x00007FF657FF0000-0x00007FF658344000-memory.dmp	upx
behavioral2/memory/2964-130-0x00007FF62EB40000-0x00007FF62EE94000-memory.dmp	upx
behavioral2/memory/4672-128-0x00007FF7D2160000-0x00007FF7D24B4000-memory.dmp	upx
behavioral2/memory/2172-127-0x00007FF601990000-0x00007FF601CE4000-memory.dmp	upx
behavioral2/memory/2952-124-0x00007FF70A9C0000-0x00007FF70AD14000-memory.dmp	upx
behavioral2/memory/4144-120-0x00007FF618F80000-0x00007FF6192D4000-memory.dmp	upx
behavioral2/memory/3260-94-0x00007FF6098F0000-0x00007FF609C44000-memory.dmp	upx
behavioral2/memory/2912-131-0x00007FF7605A0000-0x00007FF7608F4000-memory.dmp	upx
behavioral2/memory/2168-132-0x00007FF68FE60000-0x00007FF6901B4000-memory.dmp	upx
behavioral2/memory/1636-133-0x00007FF73CE30000-0x00007FF73D184000-memory.dmp	upx
behavioral2/memory/4840-134-0x00007FF794550000-0x00007FF7948A4000-memory.dmp	upx
behavioral2/memory/1340-135-0x00007FF663820000-0x00007FF663B74000-memory.dmp	upx
behavioral2/memory/1724-136-0x00007FF6E2F90000-0x00007FF6E32E4000-memory.dmp	upx
behavioral2/memory/224-137-0x00007FF626550000-0x00007FF6268A4000-memory.dmp	upx
behavioral2/memory/3088-138-0x00007FF7D0820000-0x00007FF7D0B74000-memory.dmp	upx
behavioral2/memory/1384-139-0x00007FF744A00000-0x00007FF744D54000-memory.dmp	upx
behavioral2/memory/4868-140-0x00007FF683100000-0x00007FF683454000-memory.dmp	upx
behavioral2/memory/4672-141-0x00007FF7D2160000-0x00007FF7D24B4000-memory.dmp	upx
behavioral2/memory/1160-142-0x00007FF657FF0000-0x00007FF658344000-memory.dmp	upx
behavioral2/memory/364-143-0x00007FF605300000-0x00007FF605654000-memory.dmp	upx
behavioral2/memory/2912-144-0x00007FF7605A0000-0x00007FF7608F4000-memory.dmp	upx
behavioral2/memory/1292-147-0x00007FF676A10000-0x00007FF676D64000-memory.dmp	upx
behavioral2/memory/1692-146-0x00007FF6DD4D0000-0x00007FF6DD824000-memory.dmp	upx
behavioral2/memory/2168-145-0x00007FF68FE60000-0x00007FF6901B4000-memory.dmp	upx
behavioral2/memory/1636-148-0x00007FF73CE30000-0x00007FF73D184000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\MzTxtGt.exe	2024-06-03_56c7b322072d0b5c7ea4ba71527a0a86_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\AafMfsn.exe	2024-06-03_56c7b322072d0b5c7ea4ba71527a0a86_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\qRloAcs.exe	2024-06-03_56c7b322072d0b5c7ea4ba71527a0a86_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\yLlcYWH.exe	2024-06-03_56c7b322072d0b5c7ea4ba71527a0a86_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\fddAvXu.exe	2024-06-03_56c7b322072d0b5c7ea4ba71527a0a86_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\iyZGwyj.exe	2024-06-03_56c7b322072d0b5c7ea4ba71527a0a86_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\vPVSxaQ.exe	2024-06-03_56c7b322072d0b5c7ea4ba71527a0a86_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\rudIeqe.exe	2024-06-03_56c7b322072d0b5c7ea4ba71527a0a86_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\nyyQeaA.exe	2024-06-03_56c7b322072d0b5c7ea4ba71527a0a86_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\yGVnsGS.exe	2024-06-03_56c7b322072d0b5c7ea4ba71527a0a86_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\GmpRlXz.exe	2024-06-03_56c7b322072d0b5c7ea4ba71527a0a86_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\cxOlcoq.exe	2024-06-03_56c7b322072d0b5c7ea4ba71527a0a86_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\gHVvPvj.exe	2024-06-03_56c7b322072d0b5c7ea4ba71527a0a86_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\hzTjZDy.exe	2024-06-03_56c7b322072d0b5c7ea4ba71527a0a86_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\pYpsWwn.exe	2024-06-03_56c7b322072d0b5c7ea4ba71527a0a86_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\sSqDeaO.exe	2024-06-03_56c7b322072d0b5c7ea4ba71527a0a86_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\FDKzNNO.exe	2024-06-03_56c7b322072d0b5c7ea4ba71527a0a86_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\WgPgvCT.exe	2024-06-03_56c7b322072d0b5c7ea4ba71527a0a86_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\bcVeghB.exe	2024-06-03_56c7b322072d0b5c7ea4ba71527a0a86_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\blfjgst.exe	2024-06-03_56c7b322072d0b5c7ea4ba71527a0a86_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\LvOlEdy.exe	2024-06-03_56c7b322072d0b5c7ea4ba71527a0a86_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	3260	2024-06-03_56c7b322072d0b5c7ea4ba71527a0a86_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	3260	2024-06-03_56c7b322072d0b5c7ea4ba71527a0a86_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 3260 wrote to memory of 224	3260	2024-06-03_56c7b322072d0b5c7ea4ba71527a0a86_cobalt-strike_cobaltstrike.exe	85
PID 3260 wrote to memory of 224	3260	2024-06-03_56c7b322072d0b5c7ea4ba71527a0a86_cobalt-strike_cobaltstrike.exe	85
PID 3260 wrote to memory of 3088	3260	2024-06-03_56c7b322072d0b5c7ea4ba71527a0a86_cobalt-strike_cobaltstrike.exe	86
PID 3260 wrote to memory of 3088	3260	2024-06-03_56c7b322072d0b5c7ea4ba71527a0a86_cobalt-strike_cobaltstrike.exe	86
PID 3260 wrote to memory of 1384	3260	2024-06-03_56c7b322072d0b5c7ea4ba71527a0a86_cobalt-strike_cobaltstrike.exe	87
PID 3260 wrote to memory of 1384	3260	2024-06-03_56c7b322072d0b5c7ea4ba71527a0a86_cobalt-strike_cobaltstrike.exe	87
PID 3260 wrote to memory of 4868	3260	2024-06-03_56c7b322072d0b5c7ea4ba71527a0a86_cobalt-strike_cobaltstrike.exe	89
PID 3260 wrote to memory of 4868	3260	2024-06-03_56c7b322072d0b5c7ea4ba71527a0a86_cobalt-strike_cobaltstrike.exe	89
PID 3260 wrote to memory of 1160	3260	2024-06-03_56c7b322072d0b5c7ea4ba71527a0a86_cobalt-strike_cobaltstrike.exe	90
PID 3260 wrote to memory of 1160	3260	2024-06-03_56c7b322072d0b5c7ea4ba71527a0a86_cobalt-strike_cobaltstrike.exe	90
PID 3260 wrote to memory of 4672	3260	2024-06-03_56c7b322072d0b5c7ea4ba71527a0a86_cobalt-strike_cobaltstrike.exe	91
PID 3260 wrote to memory of 4672	3260	2024-06-03_56c7b322072d0b5c7ea4ba71527a0a86_cobalt-strike_cobaltstrike.exe	91
PID 3260 wrote to memory of 2912	3260	2024-06-03_56c7b322072d0b5c7ea4ba71527a0a86_cobalt-strike_cobaltstrike.exe	92
PID 3260 wrote to memory of 2912	3260	2024-06-03_56c7b322072d0b5c7ea4ba71527a0a86_cobalt-strike_cobaltstrike.exe	92
PID 3260 wrote to memory of 364	3260	2024-06-03_56c7b322072d0b5c7ea4ba71527a0a86_cobalt-strike_cobaltstrike.exe	93
PID 3260 wrote to memory of 364	3260	2024-06-03_56c7b322072d0b5c7ea4ba71527a0a86_cobalt-strike_cobaltstrike.exe	93
PID 3260 wrote to memory of 1692	3260	2024-06-03_56c7b322072d0b5c7ea4ba71527a0a86_cobalt-strike_cobaltstrike.exe	94
PID 3260 wrote to memory of 1692	3260	2024-06-03_56c7b322072d0b5c7ea4ba71527a0a86_cobalt-strike_cobaltstrike.exe	94
PID 3260 wrote to memory of 1292	3260	2024-06-03_56c7b322072d0b5c7ea4ba71527a0a86_cobalt-strike_cobaltstrike.exe	95
PID 3260 wrote to memory of 1292	3260	2024-06-03_56c7b322072d0b5c7ea4ba71527a0a86_cobalt-strike_cobaltstrike.exe	95
PID 3260 wrote to memory of 2168	3260	2024-06-03_56c7b322072d0b5c7ea4ba71527a0a86_cobalt-strike_cobaltstrike.exe	96
PID 3260 wrote to memory of 2168	3260	2024-06-03_56c7b322072d0b5c7ea4ba71527a0a86_cobalt-strike_cobaltstrike.exe	96
PID 3260 wrote to memory of 1636	3260	2024-06-03_56c7b322072d0b5c7ea4ba71527a0a86_cobalt-strike_cobaltstrike.exe	97
PID 3260 wrote to memory of 1636	3260	2024-06-03_56c7b322072d0b5c7ea4ba71527a0a86_cobalt-strike_cobaltstrike.exe	97
PID 3260 wrote to memory of 4840	3260	2024-06-03_56c7b322072d0b5c7ea4ba71527a0a86_cobalt-strike_cobaltstrike.exe	99
PID 3260 wrote to memory of 4840	3260	2024-06-03_56c7b322072d0b5c7ea4ba71527a0a86_cobalt-strike_cobaltstrike.exe	99
PID 3260 wrote to memory of 4732	3260	2024-06-03_56c7b322072d0b5c7ea4ba71527a0a86_cobalt-strike_cobaltstrike.exe	100
PID 3260 wrote to memory of 4732	3260	2024-06-03_56c7b322072d0b5c7ea4ba71527a0a86_cobalt-strike_cobaltstrike.exe	100
PID 3260 wrote to memory of 1340	3260	2024-06-03_56c7b322072d0b5c7ea4ba71527a0a86_cobalt-strike_cobaltstrike.exe	101
PID 3260 wrote to memory of 1340	3260	2024-06-03_56c7b322072d0b5c7ea4ba71527a0a86_cobalt-strike_cobaltstrike.exe	101
PID 3260 wrote to memory of 1724	3260	2024-06-03_56c7b322072d0b5c7ea4ba71527a0a86_cobalt-strike_cobaltstrike.exe	102
PID 3260 wrote to memory of 1724	3260	2024-06-03_56c7b322072d0b5c7ea4ba71527a0a86_cobalt-strike_cobaltstrike.exe	102
PID 3260 wrote to memory of 4144	3260	2024-06-03_56c7b322072d0b5c7ea4ba71527a0a86_cobalt-strike_cobaltstrike.exe	103
PID 3260 wrote to memory of 4144	3260	2024-06-03_56c7b322072d0b5c7ea4ba71527a0a86_cobalt-strike_cobaltstrike.exe	103
PID 3260 wrote to memory of 4072	3260	2024-06-03_56c7b322072d0b5c7ea4ba71527a0a86_cobalt-strike_cobaltstrike.exe	104
PID 3260 wrote to memory of 4072	3260	2024-06-03_56c7b322072d0b5c7ea4ba71527a0a86_cobalt-strike_cobaltstrike.exe	104
PID 3260 wrote to memory of 2952	3260	2024-06-03_56c7b322072d0b5c7ea4ba71527a0a86_cobalt-strike_cobaltstrike.exe	105
PID 3260 wrote to memory of 2952	3260	2024-06-03_56c7b322072d0b5c7ea4ba71527a0a86_cobalt-strike_cobaltstrike.exe	105
PID 3260 wrote to memory of 2172	3260	2024-06-03_56c7b322072d0b5c7ea4ba71527a0a86_cobalt-strike_cobaltstrike.exe	106
PID 3260 wrote to memory of 2172	3260	2024-06-03_56c7b322072d0b5c7ea4ba71527a0a86_cobalt-strike_cobaltstrike.exe	106
PID 3260 wrote to memory of 2964	3260	2024-06-03_56c7b322072d0b5c7ea4ba71527a0a86_cobalt-strike_cobaltstrike.exe	107
PID 3260 wrote to memory of 2964	3260	2024-06-03_56c7b322072d0b5c7ea4ba71527a0a86_cobalt-strike_cobaltstrike.exe	107

C:\Users\Admin\AppData\Local\Temp\2024-06-03_56c7b322072d0b5c7ea4ba71527a0a86_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-03_56c7b322072d0b5c7ea4ba71527a0a86_cobalt-strike_cobaltstrike.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3260
- C:\Windows\System\qRloAcs.exe
  C:\Windows\System\qRloAcs.exe
  2⤵
  - Executes dropped EXE
  PID:224
- C:\Windows\System\yGVnsGS.exe
  C:\Windows\System\yGVnsGS.exe
  2⤵
  - Executes dropped EXE
  PID:3088
- C:\Windows\System\GmpRlXz.exe
  C:\Windows\System\GmpRlXz.exe
  2⤵
  - Executes dropped EXE
  PID:1384
- C:\Windows\System\yLlcYWH.exe
  C:\Windows\System\yLlcYWH.exe
  2⤵
  - Executes dropped EXE
  PID:4868
- C:\Windows\System\cxOlcoq.exe
  C:\Windows\System\cxOlcoq.exe
  2⤵
  - Executes dropped EXE
  PID:1160
- C:\Windows\System\fddAvXu.exe
  C:\Windows\System\fddAvXu.exe
  2⤵
  - Executes dropped EXE
  PID:4672
- C:\Windows\System\WgPgvCT.exe
  C:\Windows\System\WgPgvCT.exe
  2⤵
  - Executes dropped EXE
  PID:2912
- C:\Windows\System\bcVeghB.exe
  C:\Windows\System\bcVeghB.exe
  2⤵
  - Executes dropped EXE
  PID:364
- C:\Windows\System\blfjgst.exe
  C:\Windows\System\blfjgst.exe
  2⤵
  - Executes dropped EXE
  PID:1692
- C:\Windows\System\gHVvPvj.exe
  C:\Windows\System\gHVvPvj.exe
  2⤵
  - Executes dropped EXE
  PID:1292
- C:\Windows\System\LvOlEdy.exe
  C:\Windows\System\LvOlEdy.exe
  2⤵
  - Executes dropped EXE
  PID:2168
- C:\Windows\System\vPVSxaQ.exe
  C:\Windows\System\vPVSxaQ.exe
  2⤵
  - Executes dropped EXE
  PID:1636
- C:\Windows\System\iyZGwyj.exe
  C:\Windows\System\iyZGwyj.exe
  2⤵
  - Executes dropped EXE
  PID:4840
- C:\Windows\System\hzTjZDy.exe
  C:\Windows\System\hzTjZDy.exe
  2⤵
  - Executes dropped EXE
  PID:4732
- C:\Windows\System\pYpsWwn.exe
  C:\Windows\System\pYpsWwn.exe
  2⤵
  - Executes dropped EXE
  PID:1340
- C:\Windows\System\MzTxtGt.exe
  C:\Windows\System\MzTxtGt.exe
  2⤵
  - Executes dropped EXE
  PID:1724
- C:\Windows\System\AafMfsn.exe
  C:\Windows\System\AafMfsn.exe
  2⤵
  - Executes dropped EXE
  PID:4144
- C:\Windows\System\rudIeqe.exe
  C:\Windows\System\rudIeqe.exe
  2⤵
  - Executes dropped EXE
  PID:4072
- C:\Windows\System\nyyQeaA.exe
  C:\Windows\System\nyyQeaA.exe
  2⤵
  - Executes dropped EXE
  PID:2952
- C:\Windows\System\sSqDeaO.exe
  C:\Windows\System\sSqDeaO.exe
  2⤵
  - Executes dropped EXE
  PID:2172
- C:\Windows\System\FDKzNNO.exe
  C:\Windows\System\FDKzNNO.exe
  2⤵
  - Executes dropped EXE
  PID:2964

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AafMfsn.exe

Filesize
5.9MB

MD5
0eb1d11817d4f619f51cad5a55f972f4

SHA1
634f8f81b9731769a9ea33b0e42271a1540e7908

SHA256
90391d780cd9994fc4f9d72cc64a8060b92092f273f796dd99f8d1fcb9724715

SHA512
fd1bad21759a47d532c6854c074397d7610642a8938a2bde45aeffed66e3cccd628d0e2c1880e8ae9eeb146a5f48b0c553580deb34f131ac1c047d6f49e278f6

Download Submit
C:\Windows\System\FDKzNNO.exe

Filesize
5.9MB

MD5
9c23d77b4e375cc430c54ce023872a33

SHA1
7e356616e0e6b9f895a65b5b4d984c6c3a8e7f29

SHA256
54b25c7f1f9a62ad7808ba9dfcabdd03469881248e6bcea5d6856e53e00c191e

SHA512
7b8d1b087db9dcaa324c00d839d95faf36726106828510ab2e83a22eea291288ed9a99c82e276a9486f3f8be2a1bfe25b534243a8de41b2d460d0dcf0d6684c6

Download Submit
C:\Windows\System\GmpRlXz.exe

Filesize
5.9MB

MD5
239910d2b3029c989ddd4c2fdc8fe1a9

SHA1
9c2a86f40a82ce96efd18d900cb9428a25d2282f

SHA256
a4f93ae6b942ec63c0faa03be0278db7e7e017f3c70b3024c25edb5d052b5cdc

SHA512
ae198936587ddb40a8aae18d0edbf155dd4de8214eb1f8e98975725f3c24764a1b6102db6c46b27c0172384e31b6f87e7de6d11a30e26306cca2511e97ceb270

Download Submit
C:\Windows\System\LvOlEdy.exe

Filesize
5.9MB

MD5
d9bb5086a89bcee44c3c81ad18262f29

SHA1
561776c378e9e1081db667b26c3ed3217553d046

SHA256
1bca457be6e6d108d0a8dfecd27140c6df9a2443a52f68c78fa33255951526a7

SHA512
df1a68c1a9578b282041dd9737b9a96992eface098d0ae96504e1af876d896b694ec8d8a60475d7a3a5d8226e4345fc31d44afe3877ad4ff17962cbd81ea98b6

Download Submit
C:\Windows\System\MzTxtGt.exe

Filesize
5.9MB

MD5
155f19c0faa33f804e098681458d740f

SHA1
fa67fcf16d476fcc7e75c44fb8e757ae2ceb7c49

SHA256
3bc3587e392d22e40f1851dc7339b248855cd23940b45e3219340df26b376415

SHA512
bd2ce44715de8101d62cc06e21b912e0a9a82081f3d75e9a7857e9ccc3b9e15f248637d44d95b2c399ddcdd4222684c5a5af8577392969e4153053ba0861b7fa

Download Submit
C:\Windows\System\WgPgvCT.exe

Filesize
5.9MB

MD5
bb06d0260daa540556e4d0f5236288d6

SHA1
d66365a1a992460146567978346b628ed29267b9

SHA256
956c415f94e58ee8f6fd000a7c064684b24a0c378e1cae9c530ea3719d08269a

SHA512
09f20e5ddabe8532917282254d1474d8de1266d623ccfdd4b7db399bc73473e6382bbe6f3510df80d768b8a0d741304136b93ad3f719cc779d374fe70ea9816d

Download Submit
C:\Windows\System\bcVeghB.exe

Filesize
5.9MB

MD5
de7ce7073ca16e85bc8ee8ff0a5285b8

SHA1
cbb67a453bfa9c5db5e9ac79e2e0e0322ef81543

SHA256
8f81cdfbeef30d51331ab09594e553462cdecc9e01d49d0900cd0e7a54616d4f

SHA512
8db1291dfdd28bad7a71d1797c64b4b85611d6b587e6aa4e8b78d663121542661ecb4a3770b8d2cac27d0ff4779f8a03b053330dc667835a6e172333ec391790

Download Submit
C:\Windows\System\blfjgst.exe

Filesize
5.9MB

MD5
7a7b9a4b1db1dafa6b8351ceaf1350d8

SHA1
a13024267308e5e5ec282e69ba6fbc1fa04367b8

SHA256
08dba7402c9758a8ab94a7834d9ef5416aef2f391cf37ca37082560392c0c4d3

SHA512
8158ac7518ea66e784623bb403bb61084d91d2c4e3990391d31591941e63130a926cd81866896b279d3367fffb0ca30005757b207a5e770cd510a67351383f51

Download Submit
C:\Windows\System\cxOlcoq.exe

Filesize
5.9MB

MD5
e78f086658a82a28d0a289fb5ed1a89e

SHA1
eed136d169be5340e507fb39620626c74788e316

SHA256
135bee61366724d222ac9d838c3bee2f5ca1ce32a07a5d2a21ff1f64231dab83

SHA512
a91477eafe1b027f16ddfbf7affe76ff067486c506b40db964fddb0a73374c66cb9e7b7fdf2affbc39aeaef44f09819cd18f1bce09bcd9ef2bd1d843ec5c0b23

Download Submit
C:\Windows\System\fddAvXu.exe

Filesize
5.9MB

MD5
fc08116f5d0235e4becc8e4bd79e064d

SHA1
ade3b89b49ad38ccfd6aedb14595c081d387706e

SHA256
70cdafa83fc8473f8d1ba60aaa8d466fba2ca5181e1a8538c46ac7969ad2c148

SHA512
7e94195e3e90303a2d7ffada6846a59334362412b94b7687a4b68ac66b9bd55335d0a0078f3bc57d400428e8105e4868601ed421f0ec19c68c04dc093fccfe92

Download Submit
C:\Windows\System\gHVvPvj.exe

Filesize
5.9MB

MD5
f92aa76b4383603afd463273985a31a3

SHA1
bc5fdd7496054f85b4d5bf95944b9de0e7f6c171

SHA256
3381bf028f76af854a77588a84f86b7539ab3f94bb82d1011704887acf595c96

SHA512
48e0f55c480550e3afd04b1585fe7de65f9d791e6b46da34e06498842c7eab086dfb8646d2b5ea3056731569a84917b588629e382045cfd44467b00dab85ee80

Download Submit
C:\Windows\System\hzTjZDy.exe

Filesize
5.9MB

MD5
a62aa03da5e23591aa099902a5804f1b

SHA1
429bdb0c280a38b7fd37aa2d0c5aae562ae010fe

SHA256
2c91ed3eb5fe1bdbfd28e952fa7ed9b9d881cb9dcde7f792cf0faf4ccbceb798

SHA512
03e7dba1cdb9d2c97f2d68f3c2b965aed96201c60bc56091b25d89ad7a339b1d1f19f72b22795e0162c3bf4eccda2349770f45b59a31df9b570ed2d9cbc46929

Download Submit
C:\Windows\System\iyZGwyj.exe

Filesize
5.9MB

MD5
c14363414cd48d6145fe8c3a374bcc5d

SHA1
aae4fc7c1a9a8fcf1c83545c524f7eeaeca20a66

SHA256
a071bc612d297b7b86fd7adb4ede4a55443280b73c2d2cb8b43f9972c44722ea

SHA512
8ccd92f1de08fcb7811389f92e4e01d0ecb38996f194848d1b922cf722909804fc6c390986c9c87b6dccecadc00cb08f4e83a8b4c67d885e6ad41888d4e89ea9

Download Submit
C:\Windows\System\nyyQeaA.exe

Filesize
5.9MB

MD5
4dc5b5c764938b669138c1588eaacd30

SHA1
462ff3e9c259db9149e2e265d804204c50f94f5a

SHA256
3b3d77bf52252320beebfaef63fea176612fbeb694d4360049d0c92d85720d4d

SHA512
5d4e73328d203a4b2d158817e3ddb660d45acb736c63e69aacb7827f3bb3a4c998d7ff22f42435c962f9c9f36d55dd6a67041a3ac138c000937c455206f31121

Download Submit
C:\Windows\System\pYpsWwn.exe

Filesize
5.9MB

MD5
efb516aa1b5b55ee44b6ee46a1f6e2c8

SHA1
046ac64708165aac7d7c056c35af3e19a90e8cab

SHA256
ea617d0048feed69e2f69803922cfa6da58ac56767263c75b2033f26092f6188

SHA512
2ef0dbe47fb8721aad06387061f96266702da2249b6116fc55dec3025fce5dbc9408eb1f0b11deb49bdf76d6f34ef0f5212ec72c1049f53a42c120b3dca86dda

Download Submit
C:\Windows\System\qRloAcs.exe

Filesize
5.9MB

MD5
d3865386821e304464dd3a2fd28d052b

SHA1
d09332309ecbc6c2f162b3699326b7c0e7406273

SHA256
7a64f68246ba40f6dc562a5a4ebe5d38a1c3df4abea4db107affbe05b9f84419

SHA512
1257fc47e6b899af90e2def14cb5028c708b48f111636ac14dbb8449a55ce53117c6643872998b61300a54d89d7d83c3a125032c0c14e2932b626eec54791c61

Download Submit
C:\Windows\System\rudIeqe.exe

Filesize
5.9MB

MD5
1871d10623f509d7b4b8c6ca7f4e9e17

SHA1
c5b5894e6e5e7b2536429ba3f9422d992b98b32f

SHA256
1ccdd542efb22cb248c2900b97addd5c944884accd8acbecc7d2b415529e1875

SHA512
4dd03a3f69e4e8eac0d43760337919d0f8dbbb434c28e39abcaa7146180d08aedceb0c96f1c0b53bed9561d0bb10a9f6dcb53ad6c31fdda53d5e6009ba3fa7e2

Download Submit
C:\Windows\System\sSqDeaO.exe

Filesize
5.9MB

MD5
897a2bcd671055d257546e65651106b8

SHA1
35cb412589ef79e4fee75b24d0c02fc84891647a

SHA256
7c09c15502cb9cd22a1ef5b19dd348daeca0a6a35683cb347da7b2878404d555

SHA512
37e6af25aece200ea39b19fe20ae54897a83bb77bd0abd18157df2b29150adac7b220d8a40967a637214143def574efb1658a27cc6dbe1b2fd1bd59dab57305d

Download Submit
C:\Windows\System\vPVSxaQ.exe

Filesize
5.9MB

MD5
6878427d98510a4a6ff30ea7eeb80679

SHA1
c5471c9a9353f7496624219f31dbd8a62585d00a

SHA256
22aa5dcc8ce02e81e50e970e3ff1ebd0c2801ca36aba0895ab7fdb8f51b2f73a

SHA512
4e55f96c68103e9846ed3f1968641b3ae985fdd379f1c564381846411f446b5e3a38c300e5c7b7378de885ede85dbcdc323bbe0fe89c7c4a7b27dcaac64afed8

Download Submit
C:\Windows\System\yGVnsGS.exe

Filesize
5.9MB

MD5
8e5e7b93a8a5aa665319a6498a424626

SHA1
c23cc9570635c124d8a8d57e699d7351e41a9728

SHA256
acd846c5b39887cc72b81d8a85ec0eddf69b33bee15494aad858aead7e02cca1

SHA512
39c7001139e5426ac49e8e16a4e419f23f75ab77770fa3e9b3fef14baf0db8ffd9867023d2a43a2a650583af34fb965fef3fe11f44e7e7a9fef146a8aa942587

Download Submit
C:\Windows\System\yLlcYWH.exe

Filesize
5.9MB

MD5
d139f3e2804d3f4a9c8b23fc93d81285

SHA1
c75d9a8f7392f11964d5c4c8ae670791550ab6a1

SHA256
35df96faf01f7d3a436653e912ed270fdc6ec471b522a118dfadcbf925616be3

SHA512
cb9b5cb8fd62982ecba4c7eaffe607aec52008419219700e4bf60baf5b932d1eff62edcef62b086924a0dbe27dd310e5035fb7f125196b48722bfc6716df404f

Download Submit
memory/224-137-0x00007FF626550000-0x00007FF6268A4000-memory.dmp

Filesize
3.3MB

Download
memory/224-8-0x00007FF626550000-0x00007FF6268A4000-memory.dmp

Filesize
3.3MB

Download
memory/364-59-0x00007FF605300000-0x00007FF605654000-memory.dmp

Filesize
3.3MB

Download
memory/364-143-0x00007FF605300000-0x00007FF605654000-memory.dmp

Filesize
3.3MB

Download
memory/1160-129-0x00007FF657FF0000-0x00007FF658344000-memory.dmp

Filesize
3.3MB

Download
memory/1160-142-0x00007FF657FF0000-0x00007FF658344000-memory.dmp

Filesize
3.3MB

Download
memory/1160-43-0x00007FF657FF0000-0x00007FF658344000-memory.dmp

Filesize
3.3MB

Download
memory/1292-67-0x00007FF676A10000-0x00007FF676D64000-memory.dmp

Filesize
3.3MB

Download
memory/1292-147-0x00007FF676A10000-0x00007FF676D64000-memory.dmp

Filesize
3.3MB

Download
memory/1340-154-0x00007FF663820000-0x00007FF663B74000-memory.dmp

Filesize
3.3MB

Download
memory/1340-93-0x00007FF663820000-0x00007FF663B74000-memory.dmp

Filesize
3.3MB

Download
memory/1340-135-0x00007FF663820000-0x00007FF663B74000-memory.dmp

Filesize
3.3MB

Download
memory/1384-38-0x00007FF744A00000-0x00007FF744D54000-memory.dmp

Filesize
3.3MB

Download
memory/1384-139-0x00007FF744A00000-0x00007FF744D54000-memory.dmp

Filesize
3.3MB

Download
memory/1636-72-0x00007FF73CE30000-0x00007FF73D184000-memory.dmp

Filesize
3.3MB

Download
memory/1636-148-0x00007FF73CE30000-0x00007FF73D184000-memory.dmp

Filesize
3.3MB

Download
memory/1636-133-0x00007FF73CE30000-0x00007FF73D184000-memory.dmp

Filesize
3.3MB

Download
memory/1692-146-0x00007FF6DD4D0000-0x00007FF6DD824000-memory.dmp

Filesize
3.3MB

Download
memory/1692-68-0x00007FF6DD4D0000-0x00007FF6DD824000-memory.dmp

Filesize
3.3MB

Download
memory/1724-151-0x00007FF6E2F90000-0x00007FF6E32E4000-memory.dmp

Filesize
3.3MB

Download
memory/1724-96-0x00007FF6E2F90000-0x00007FF6E32E4000-memory.dmp

Filesize
3.3MB

Download
memory/1724-136-0x00007FF6E2F90000-0x00007FF6E32E4000-memory.dmp

Filesize
3.3MB

Download
memory/2168-145-0x00007FF68FE60000-0x00007FF6901B4000-memory.dmp

Filesize
3.3MB

Download
memory/2168-132-0x00007FF68FE60000-0x00007FF6901B4000-memory.dmp

Filesize
3.3MB

Download
memory/2168-60-0x00007FF68FE60000-0x00007FF6901B4000-memory.dmp

Filesize
3.3MB

Download
memory/2172-157-0x00007FF601990000-0x00007FF601CE4000-memory.dmp

Filesize
3.3MB

Download
memory/2172-127-0x00007FF601990000-0x00007FF601CE4000-memory.dmp

Filesize
3.3MB

Download
memory/2912-56-0x00007FF7605A0000-0x00007FF7608F4000-memory.dmp

Filesize
3.3MB

Download
memory/2912-131-0x00007FF7605A0000-0x00007FF7608F4000-memory.dmp

Filesize
3.3MB

Download
memory/2912-144-0x00007FF7605A0000-0x00007FF7608F4000-memory.dmp

Filesize
3.3MB

Download
memory/2952-155-0x00007FF70A9C0000-0x00007FF70AD14000-memory.dmp

Filesize
3.3MB

Download
memory/2952-124-0x00007FF70A9C0000-0x00007FF70AD14000-memory.dmp

Filesize
3.3MB

Download
memory/2964-130-0x00007FF62EB40000-0x00007FF62EE94000-memory.dmp

Filesize
3.3MB

Download
memory/2964-156-0x00007FF62EB40000-0x00007FF62EE94000-memory.dmp

Filesize
3.3MB

Download
memory/3088-25-0x00007FF7D0820000-0x00007FF7D0B74000-memory.dmp

Filesize
3.3MB

Download
memory/3088-138-0x00007FF7D0820000-0x00007FF7D0B74000-memory.dmp

Filesize
3.3MB

Download
memory/3260-0-0x00007FF6098F0000-0x00007FF609C44000-memory.dmp

Filesize
3.3MB

Download
memory/3260-1-0x000001D4B76E0000-0x000001D4B76F0000-memory.dmp

Filesize
64KB

Download
memory/3260-94-0x00007FF6098F0000-0x00007FF609C44000-memory.dmp

Filesize
3.3MB

Download
memory/4072-152-0x00007FF66D8E0000-0x00007FF66DC34000-memory.dmp

Filesize
3.3MB

Download
memory/4072-121-0x00007FF66D8E0000-0x00007FF66DC34000-memory.dmp

Filesize
3.3MB

Download
memory/4144-120-0x00007FF618F80000-0x00007FF6192D4000-memory.dmp

Filesize
3.3MB

Download
memory/4144-153-0x00007FF618F80000-0x00007FF6192D4000-memory.dmp

Filesize
3.3MB

Download
memory/4672-32-0x00007FF7D2160000-0x00007FF7D24B4000-memory.dmp

Filesize
3.3MB

Download
memory/4672-128-0x00007FF7D2160000-0x00007FF7D24B4000-memory.dmp

Filesize
3.3MB

Download
memory/4672-141-0x00007FF7D2160000-0x00007FF7D24B4000-memory.dmp

Filesize
3.3MB

Download
memory/4732-86-0x00007FF6D1B10000-0x00007FF6D1E64000-memory.dmp

Filesize
3.3MB

Download
memory/4732-150-0x00007FF6D1B10000-0x00007FF6D1E64000-memory.dmp

Filesize
3.3MB

Download
memory/4840-149-0x00007FF794550000-0x00007FF7948A4000-memory.dmp

Filesize
3.3MB

Download
memory/4840-134-0x00007FF794550000-0x00007FF7948A4000-memory.dmp

Filesize
3.3MB

Download
memory/4840-78-0x00007FF794550000-0x00007FF7948A4000-memory.dmp

Filesize
3.3MB

Download
memory/4868-31-0x00007FF683100000-0x00007FF683454000-memory.dmp

Filesize
3.3MB

Download
memory/4868-140-0x00007FF683100000-0x00007FF683454000-memory.dmp

Filesize
3.3MB

Download