cobaltstrike | 011659e6c926b40e18b2aef593382a6681c1597fcb3ebe4afd6084a14cb14d3f

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
04/06/2024, 03:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe
Size

5.9MB
MD5

947e17fe710720ba9b91c4d81cf92ff1
SHA1

bc786d22c1fc3182e3ff2ba577705ef66ae637e0
SHA256

011659e6c926b40e18b2aef593382a6681c1597fcb3ebe4afd6084a14cb14d3f
SHA512

bc632fcc3b1499e503fae020934f882eed2974ac2d7a1327b852048e3f620ee5195e7dd7f326f0747b8723c7ec01fe96c8aca00caf4381b75002bac4b54fa3a6
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lU/:Q+856utgpPF8u/7/

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000b00000002340f-5.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002343b-10.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002343c-11.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002343e-22.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002343d-28.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023440-38.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023443-57.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023444-64.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023445-72.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023446-82.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023449-94.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002344a-97.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002344b-112.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002344d-118.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002344c-122.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023438-106.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023448-99.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023447-85.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023442-55.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023441-49.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002343f-31.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

resource	yara_rule
behavioral2/files/0x000b00000002340f-5.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002343b-10.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002343c-11.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002343e-22.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002343d-28.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023440-38.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023443-57.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023444-64.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023445-72.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023446-82.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023449-94.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002344a-97.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002344b-112.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002344d-118.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002344c-122.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0008000000023438-106.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023448-99.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023447-85.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023442-55.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023441-49.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002343f-31.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

resource	yara_rule
behavioral2/memory/3232-0-0x00007FF78DD20000-0x00007FF78E074000-memory.dmp	UPX
behavioral2/files/0x000b00000002340f-5.dat	UPX
behavioral2/files/0x000700000002343b-10.dat	UPX
behavioral2/memory/876-8-0x00007FF7697C0000-0x00007FF769B14000-memory.dmp	UPX
behavioral2/files/0x000700000002343c-11.dat	UPX
behavioral2/files/0x000700000002343e-22.dat	UPX
behavioral2/files/0x000700000002343d-28.dat	UPX
behavioral2/files/0x0007000000023440-38.dat	UPX
behavioral2/memory/3012-43-0x00007FF6BFFC0000-0x00007FF6C0314000-memory.dmp	UPX
behavioral2/files/0x0007000000023443-57.dat	UPX
behavioral2/files/0x0007000000023444-64.dat	UPX
behavioral2/memory/928-68-0x00007FF6E90A0000-0x00007FF6E93F4000-memory.dmp	UPX
behavioral2/memory/4016-74-0x00007FF7A5590000-0x00007FF7A58E4000-memory.dmp	UPX
behavioral2/files/0x0007000000023445-72.dat	UPX
behavioral2/files/0x0007000000023446-82.dat	UPX
behavioral2/files/0x0007000000023449-94.dat	UPX
behavioral2/files/0x000700000002344a-97.dat	UPX
behavioral2/memory/2956-104-0x00007FF619E00000-0x00007FF61A154000-memory.dmp	UPX
behavioral2/files/0x000700000002344b-112.dat	UPX
behavioral2/memory/4172-111-0x00007FF7F0AB0000-0x00007FF7F0E04000-memory.dmp	UPX
behavioral2/files/0x000700000002344d-118.dat	UPX
behavioral2/files/0x000700000002344c-122.dat	UPX
behavioral2/memory/2320-110-0x00007FF78C680000-0x00007FF78C9D4000-memory.dmp	UPX
behavioral2/memory/4300-109-0x00007FF6E1FD0000-0x00007FF6E2324000-memory.dmp	UPX
behavioral2/files/0x0008000000023438-106.dat	UPX
behavioral2/memory/3240-105-0x00007FF6526A0000-0x00007FF6529F4000-memory.dmp	UPX
behavioral2/files/0x0007000000023448-99.dat	UPX
behavioral2/memory/1360-98-0x00007FF6D8D10000-0x00007FF6D9064000-memory.dmp	UPX
behavioral2/memory/1472-95-0x00007FF6BA650000-0x00007FF6BA9A4000-memory.dmp	UPX
behavioral2/files/0x0007000000023447-85.dat	UPX
behavioral2/memory/920-69-0x00007FF6FF8D0000-0x00007FF6FFC24000-memory.dmp	UPX
behavioral2/memory/2756-67-0x00007FF7007E0000-0x00007FF700B34000-memory.dmp	UPX
behavioral2/memory/2264-66-0x00007FF6FA130000-0x00007FF6FA484000-memory.dmp	UPX
behavioral2/memory/1612-61-0x00007FF6779B0000-0x00007FF677D04000-memory.dmp	UPX
behavioral2/files/0x0007000000023442-55.dat	UPX
behavioral2/files/0x0007000000023441-49.dat	UPX
behavioral2/memory/3796-44-0x00007FF65B250000-0x00007FF65B5A4000-memory.dmp	UPX
behavioral2/memory/872-39-0x00007FF73FE10000-0x00007FF740164000-memory.dmp	UPX
behavioral2/memory/988-33-0x00007FF62FFB0000-0x00007FF630304000-memory.dmp	UPX
behavioral2/files/0x000700000002343f-31.dat	UPX
behavioral2/memory/1400-24-0x00007FF763210000-0x00007FF763564000-memory.dmp	UPX
behavioral2/memory/1080-126-0x00007FF622100000-0x00007FF622454000-memory.dmp	UPX
behavioral2/memory/4508-127-0x00007FF6F13C0000-0x00007FF6F1714000-memory.dmp	UPX
behavioral2/memory/3232-128-0x00007FF78DD20000-0x00007FF78E074000-memory.dmp	UPX
behavioral2/memory/988-129-0x00007FF62FFB0000-0x00007FF630304000-memory.dmp	UPX
behavioral2/memory/1612-130-0x00007FF6779B0000-0x00007FF677D04000-memory.dmp	UPX
behavioral2/memory/2756-131-0x00007FF7007E0000-0x00007FF700B34000-memory.dmp	UPX
behavioral2/memory/4016-132-0x00007FF7A5590000-0x00007FF7A58E4000-memory.dmp	UPX
behavioral2/memory/4300-133-0x00007FF6E1FD0000-0x00007FF6E2324000-memory.dmp	UPX
behavioral2/memory/2956-134-0x00007FF619E00000-0x00007FF61A154000-memory.dmp	UPX
behavioral2/memory/2320-135-0x00007FF78C680000-0x00007FF78C9D4000-memory.dmp	UPX
behavioral2/memory/4172-136-0x00007FF7F0AB0000-0x00007FF7F0E04000-memory.dmp	UPX
behavioral2/memory/876-137-0x00007FF7697C0000-0x00007FF769B14000-memory.dmp	UPX
behavioral2/memory/1400-138-0x00007FF763210000-0x00007FF763564000-memory.dmp	UPX
behavioral2/memory/872-139-0x00007FF73FE10000-0x00007FF740164000-memory.dmp	UPX
behavioral2/memory/988-142-0x00007FF62FFB0000-0x00007FF630304000-memory.dmp	UPX
behavioral2/memory/3796-141-0x00007FF65B250000-0x00007FF65B5A4000-memory.dmp	UPX
behavioral2/memory/3012-140-0x00007FF6BFFC0000-0x00007FF6C0314000-memory.dmp	UPX
behavioral2/memory/1612-143-0x00007FF6779B0000-0x00007FF677D04000-memory.dmp	UPX
behavioral2/memory/928-144-0x00007FF6E90A0000-0x00007FF6E93F4000-memory.dmp	UPX
behavioral2/memory/2264-146-0x00007FF6FA130000-0x00007FF6FA484000-memory.dmp	UPX
behavioral2/memory/920-145-0x00007FF6FF8D0000-0x00007FF6FFC24000-memory.dmp	UPX
behavioral2/memory/4016-147-0x00007FF7A5590000-0x00007FF7A58E4000-memory.dmp	UPX
behavioral2/memory/2756-148-0x00007FF7007E0000-0x00007FF700B34000-memory.dmp	UPX

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/3232-0-0x00007FF78DD20000-0x00007FF78E074000-memory.dmp	xmrig
behavioral2/files/0x000b00000002340f-5.dat	xmrig
behavioral2/files/0x000700000002343b-10.dat	xmrig
behavioral2/memory/876-8-0x00007FF7697C0000-0x00007FF769B14000-memory.dmp	xmrig
behavioral2/files/0x000700000002343c-11.dat	xmrig
behavioral2/files/0x000700000002343e-22.dat	xmrig
behavioral2/files/0x000700000002343d-28.dat	xmrig
behavioral2/files/0x0007000000023440-38.dat	xmrig
behavioral2/memory/3012-43-0x00007FF6BFFC0000-0x00007FF6C0314000-memory.dmp	xmrig
behavioral2/files/0x0007000000023443-57.dat	xmrig
behavioral2/files/0x0007000000023444-64.dat	xmrig
behavioral2/memory/928-68-0x00007FF6E90A0000-0x00007FF6E93F4000-memory.dmp	xmrig
behavioral2/memory/4016-74-0x00007FF7A5590000-0x00007FF7A58E4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023445-72.dat	xmrig
behavioral2/files/0x0007000000023446-82.dat	xmrig
behavioral2/files/0x0007000000023449-94.dat	xmrig
behavioral2/files/0x000700000002344a-97.dat	xmrig
behavioral2/memory/2956-104-0x00007FF619E00000-0x00007FF61A154000-memory.dmp	xmrig
behavioral2/files/0x000700000002344b-112.dat	xmrig
behavioral2/memory/4172-111-0x00007FF7F0AB0000-0x00007FF7F0E04000-memory.dmp	xmrig
behavioral2/files/0x000700000002344d-118.dat	xmrig
behavioral2/files/0x000700000002344c-122.dat	xmrig
behavioral2/memory/2320-110-0x00007FF78C680000-0x00007FF78C9D4000-memory.dmp	xmrig
behavioral2/memory/4300-109-0x00007FF6E1FD0000-0x00007FF6E2324000-memory.dmp	xmrig
behavioral2/files/0x0008000000023438-106.dat	xmrig
behavioral2/memory/3240-105-0x00007FF6526A0000-0x00007FF6529F4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023448-99.dat	xmrig
behavioral2/memory/1360-98-0x00007FF6D8D10000-0x00007FF6D9064000-memory.dmp	xmrig
behavioral2/memory/1472-95-0x00007FF6BA650000-0x00007FF6BA9A4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023447-85.dat	xmrig
behavioral2/memory/920-69-0x00007FF6FF8D0000-0x00007FF6FFC24000-memory.dmp	xmrig
behavioral2/memory/2756-67-0x00007FF7007E0000-0x00007FF700B34000-memory.dmp	xmrig
behavioral2/memory/2264-66-0x00007FF6FA130000-0x00007FF6FA484000-memory.dmp	xmrig
behavioral2/memory/1612-61-0x00007FF6779B0000-0x00007FF677D04000-memory.dmp	xmrig
behavioral2/files/0x0007000000023442-55.dat	xmrig
behavioral2/files/0x0007000000023441-49.dat	xmrig
behavioral2/memory/3796-44-0x00007FF65B250000-0x00007FF65B5A4000-memory.dmp	xmrig
behavioral2/memory/872-39-0x00007FF73FE10000-0x00007FF740164000-memory.dmp	xmrig
behavioral2/memory/988-33-0x00007FF62FFB0000-0x00007FF630304000-memory.dmp	xmrig
behavioral2/files/0x000700000002343f-31.dat	xmrig
behavioral2/memory/1400-24-0x00007FF763210000-0x00007FF763564000-memory.dmp	xmrig
behavioral2/memory/1080-126-0x00007FF622100000-0x00007FF622454000-memory.dmp	xmrig
behavioral2/memory/4508-127-0x00007FF6F13C0000-0x00007FF6F1714000-memory.dmp	xmrig
behavioral2/memory/3232-128-0x00007FF78DD20000-0x00007FF78E074000-memory.dmp	xmrig
behavioral2/memory/988-129-0x00007FF62FFB0000-0x00007FF630304000-memory.dmp	xmrig
behavioral2/memory/1612-130-0x00007FF6779B0000-0x00007FF677D04000-memory.dmp	xmrig
behavioral2/memory/2756-131-0x00007FF7007E0000-0x00007FF700B34000-memory.dmp	xmrig
behavioral2/memory/4016-132-0x00007FF7A5590000-0x00007FF7A58E4000-memory.dmp	xmrig
behavioral2/memory/4300-133-0x00007FF6E1FD0000-0x00007FF6E2324000-memory.dmp	xmrig
behavioral2/memory/2956-134-0x00007FF619E00000-0x00007FF61A154000-memory.dmp	xmrig
behavioral2/memory/2320-135-0x00007FF78C680000-0x00007FF78C9D4000-memory.dmp	xmrig
behavioral2/memory/4172-136-0x00007FF7F0AB0000-0x00007FF7F0E04000-memory.dmp	xmrig
behavioral2/memory/876-137-0x00007FF7697C0000-0x00007FF769B14000-memory.dmp	xmrig
behavioral2/memory/1400-138-0x00007FF763210000-0x00007FF763564000-memory.dmp	xmrig
behavioral2/memory/872-139-0x00007FF73FE10000-0x00007FF740164000-memory.dmp	xmrig
behavioral2/memory/988-142-0x00007FF62FFB0000-0x00007FF630304000-memory.dmp	xmrig
behavioral2/memory/3796-141-0x00007FF65B250000-0x00007FF65B5A4000-memory.dmp	xmrig
behavioral2/memory/3012-140-0x00007FF6BFFC0000-0x00007FF6C0314000-memory.dmp	xmrig
behavioral2/memory/1612-143-0x00007FF6779B0000-0x00007FF677D04000-memory.dmp	xmrig
behavioral2/memory/928-144-0x00007FF6E90A0000-0x00007FF6E93F4000-memory.dmp	xmrig
behavioral2/memory/2264-146-0x00007FF6FA130000-0x00007FF6FA484000-memory.dmp	xmrig
behavioral2/memory/920-145-0x00007FF6FF8D0000-0x00007FF6FFC24000-memory.dmp	xmrig
behavioral2/memory/4016-147-0x00007FF7A5590000-0x00007FF7A58E4000-memory.dmp	xmrig
behavioral2/memory/2756-148-0x00007FF7007E0000-0x00007FF700B34000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
876	oPbuGht.exe
1400	pmWIYBW.exe
3012	nhpiBkK.exe
988	uifCaxF.exe
872	pdBfxfi.exe
3796	EkBHTON.exe
1612	mypMACS.exe
928	zcATXir.exe
920	gXvxIPW.exe
2264	LKNBJbu.exe
4016	nqQmHEK.exe
2756	sNUUYSv.exe
1472	TypFtjZ.exe
1360	jqmScxF.exe
2956	MfTCytl.exe
3240	ElcbyzE.exe
2320	yFryGDq.exe
4300	yzlBPTm.exe
4172	TBrAtjQ.exe
1080	jmqIzWk.exe
4508	bJVJWZX.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3232-0-0x00007FF78DD20000-0x00007FF78E074000-memory.dmp	upx
behavioral2/files/0x000b00000002340f-5.dat	upx
behavioral2/files/0x000700000002343b-10.dat	upx
behavioral2/memory/876-8-0x00007FF7697C0000-0x00007FF769B14000-memory.dmp	upx
behavioral2/files/0x000700000002343c-11.dat	upx
behavioral2/files/0x000700000002343e-22.dat	upx
behavioral2/files/0x000700000002343d-28.dat	upx
behavioral2/files/0x0007000000023440-38.dat	upx
behavioral2/memory/3012-43-0x00007FF6BFFC0000-0x00007FF6C0314000-memory.dmp	upx
behavioral2/files/0x0007000000023443-57.dat	upx
behavioral2/files/0x0007000000023444-64.dat	upx
behavioral2/memory/928-68-0x00007FF6E90A0000-0x00007FF6E93F4000-memory.dmp	upx
behavioral2/memory/4016-74-0x00007FF7A5590000-0x00007FF7A58E4000-memory.dmp	upx
behavioral2/files/0x0007000000023445-72.dat	upx
behavioral2/files/0x0007000000023446-82.dat	upx
behavioral2/files/0x0007000000023449-94.dat	upx
behavioral2/files/0x000700000002344a-97.dat	upx
behavioral2/memory/2956-104-0x00007FF619E00000-0x00007FF61A154000-memory.dmp	upx
behavioral2/files/0x000700000002344b-112.dat	upx
behavioral2/memory/4172-111-0x00007FF7F0AB0000-0x00007FF7F0E04000-memory.dmp	upx
behavioral2/files/0x000700000002344d-118.dat	upx
behavioral2/files/0x000700000002344c-122.dat	upx
behavioral2/memory/2320-110-0x00007FF78C680000-0x00007FF78C9D4000-memory.dmp	upx
behavioral2/memory/4300-109-0x00007FF6E1FD0000-0x00007FF6E2324000-memory.dmp	upx
behavioral2/files/0x0008000000023438-106.dat	upx
behavioral2/memory/3240-105-0x00007FF6526A0000-0x00007FF6529F4000-memory.dmp	upx
behavioral2/files/0x0007000000023448-99.dat	upx
behavioral2/memory/1360-98-0x00007FF6D8D10000-0x00007FF6D9064000-memory.dmp	upx
behavioral2/memory/1472-95-0x00007FF6BA650000-0x00007FF6BA9A4000-memory.dmp	upx
behavioral2/files/0x0007000000023447-85.dat	upx
behavioral2/memory/920-69-0x00007FF6FF8D0000-0x00007FF6FFC24000-memory.dmp	upx
behavioral2/memory/2756-67-0x00007FF7007E0000-0x00007FF700B34000-memory.dmp	upx
behavioral2/memory/2264-66-0x00007FF6FA130000-0x00007FF6FA484000-memory.dmp	upx
behavioral2/memory/1612-61-0x00007FF6779B0000-0x00007FF677D04000-memory.dmp	upx
behavioral2/files/0x0007000000023442-55.dat	upx
behavioral2/files/0x0007000000023441-49.dat	upx
behavioral2/memory/3796-44-0x00007FF65B250000-0x00007FF65B5A4000-memory.dmp	upx
behavioral2/memory/872-39-0x00007FF73FE10000-0x00007FF740164000-memory.dmp	upx
behavioral2/memory/988-33-0x00007FF62FFB0000-0x00007FF630304000-memory.dmp	upx
behavioral2/files/0x000700000002343f-31.dat	upx
behavioral2/memory/1400-24-0x00007FF763210000-0x00007FF763564000-memory.dmp	upx
behavioral2/memory/1080-126-0x00007FF622100000-0x00007FF622454000-memory.dmp	upx
behavioral2/memory/4508-127-0x00007FF6F13C0000-0x00007FF6F1714000-memory.dmp	upx
behavioral2/memory/3232-128-0x00007FF78DD20000-0x00007FF78E074000-memory.dmp	upx
behavioral2/memory/988-129-0x00007FF62FFB0000-0x00007FF630304000-memory.dmp	upx
behavioral2/memory/1612-130-0x00007FF6779B0000-0x00007FF677D04000-memory.dmp	upx
behavioral2/memory/2756-131-0x00007FF7007E0000-0x00007FF700B34000-memory.dmp	upx
behavioral2/memory/4016-132-0x00007FF7A5590000-0x00007FF7A58E4000-memory.dmp	upx
behavioral2/memory/4300-133-0x00007FF6E1FD0000-0x00007FF6E2324000-memory.dmp	upx
behavioral2/memory/2956-134-0x00007FF619E00000-0x00007FF61A154000-memory.dmp	upx
behavioral2/memory/2320-135-0x00007FF78C680000-0x00007FF78C9D4000-memory.dmp	upx
behavioral2/memory/4172-136-0x00007FF7F0AB0000-0x00007FF7F0E04000-memory.dmp	upx
behavioral2/memory/876-137-0x00007FF7697C0000-0x00007FF769B14000-memory.dmp	upx
behavioral2/memory/1400-138-0x00007FF763210000-0x00007FF763564000-memory.dmp	upx
behavioral2/memory/872-139-0x00007FF73FE10000-0x00007FF740164000-memory.dmp	upx
behavioral2/memory/988-142-0x00007FF62FFB0000-0x00007FF630304000-memory.dmp	upx
behavioral2/memory/3796-141-0x00007FF65B250000-0x00007FF65B5A4000-memory.dmp	upx
behavioral2/memory/3012-140-0x00007FF6BFFC0000-0x00007FF6C0314000-memory.dmp	upx
behavioral2/memory/1612-143-0x00007FF6779B0000-0x00007FF677D04000-memory.dmp	upx
behavioral2/memory/928-144-0x00007FF6E90A0000-0x00007FF6E93F4000-memory.dmp	upx
behavioral2/memory/2264-146-0x00007FF6FA130000-0x00007FF6FA484000-memory.dmp	upx
behavioral2/memory/920-145-0x00007FF6FF8D0000-0x00007FF6FFC24000-memory.dmp	upx
behavioral2/memory/4016-147-0x00007FF7A5590000-0x00007FF7A58E4000-memory.dmp	upx
behavioral2/memory/2756-148-0x00007FF7007E0000-0x00007FF700B34000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\MfTCytl.exe	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ElcbyzE.exe	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\oPbuGht.exe	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\EkBHTON.exe	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\mypMACS.exe	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\zcATXir.exe	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\nqQmHEK.exe	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\jqmScxF.exe	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\yzlBPTm.exe	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\nhpiBkK.exe	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\pdBfxfi.exe	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\LKNBJbu.exe	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\sNUUYSv.exe	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\yFryGDq.exe	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\TBrAtjQ.exe	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\uifCaxF.exe	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\gXvxIPW.exe	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\jmqIzWk.exe	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\bJVJWZX.exe	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\pmWIYBW.exe	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\TypFtjZ.exe	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	3232	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	3232	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 3232 wrote to memory of 876	3232	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe	82
PID 3232 wrote to memory of 876	3232	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe	82
PID 3232 wrote to memory of 1400	3232	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe	83
PID 3232 wrote to memory of 1400	3232	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe	83
PID 3232 wrote to memory of 988	3232	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe	84
PID 3232 wrote to memory of 988	3232	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe	84
PID 3232 wrote to memory of 3012	3232	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe	85
PID 3232 wrote to memory of 3012	3232	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe	85
PID 3232 wrote to memory of 872	3232	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe	86
PID 3232 wrote to memory of 872	3232	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe	86
PID 3232 wrote to memory of 3796	3232	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe	88
PID 3232 wrote to memory of 3796	3232	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe	88
PID 3232 wrote to memory of 1612	3232	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe	89
PID 3232 wrote to memory of 1612	3232	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe	89
PID 3232 wrote to memory of 928	3232	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe	90
PID 3232 wrote to memory of 928	3232	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe	90
PID 3232 wrote to memory of 920	3232	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe	91
PID 3232 wrote to memory of 920	3232	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe	91
PID 3232 wrote to memory of 2264	3232	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe	92
PID 3232 wrote to memory of 2264	3232	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe	92
PID 3232 wrote to memory of 4016	3232	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe	93
PID 3232 wrote to memory of 4016	3232	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe	93
PID 3232 wrote to memory of 2756	3232	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe	94
PID 3232 wrote to memory of 2756	3232	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe	94
PID 3232 wrote to memory of 1360	3232	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe	95
PID 3232 wrote to memory of 1360	3232	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe	95
PID 3232 wrote to memory of 1472	3232	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe	96
PID 3232 wrote to memory of 1472	3232	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe	96
PID 3232 wrote to memory of 2956	3232	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe	97
PID 3232 wrote to memory of 2956	3232	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe	97
PID 3232 wrote to memory of 3240	3232	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe	98
PID 3232 wrote to memory of 3240	3232	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe	98
PID 3232 wrote to memory of 2320	3232	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe	99
PID 3232 wrote to memory of 2320	3232	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe	99
PID 3232 wrote to memory of 4300	3232	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe	100
PID 3232 wrote to memory of 4300	3232	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe	100
PID 3232 wrote to memory of 4172	3232	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe	101
PID 3232 wrote to memory of 4172	3232	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe	101
PID 3232 wrote to memory of 1080	3232	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe	103
PID 3232 wrote to memory of 1080	3232	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe	103
PID 3232 wrote to memory of 4508	3232	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe	104
PID 3232 wrote to memory of 4508	3232	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe	104

C:\Users\Admin\AppData\Local\Temp\2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3232
- C:\Windows\System\oPbuGht.exe
  C:\Windows\System\oPbuGht.exe
  2⤵
  - Executes dropped EXE
  PID:876
- C:\Windows\System\pmWIYBW.exe
  C:\Windows\System\pmWIYBW.exe
  2⤵
  - Executes dropped EXE
  PID:1400
- C:\Windows\System\uifCaxF.exe
  C:\Windows\System\uifCaxF.exe
  2⤵
  - Executes dropped EXE
  PID:988
- C:\Windows\System\nhpiBkK.exe
  C:\Windows\System\nhpiBkK.exe
  2⤵
  - Executes dropped EXE
  PID:3012
- C:\Windows\System\pdBfxfi.exe
  C:\Windows\System\pdBfxfi.exe
  2⤵
  - Executes dropped EXE
  PID:872
- C:\Windows\System\EkBHTON.exe
  C:\Windows\System\EkBHTON.exe
  2⤵
  - Executes dropped EXE
  PID:3796
- C:\Windows\System\mypMACS.exe
  C:\Windows\System\mypMACS.exe
  2⤵
  - Executes dropped EXE
  PID:1612
- C:\Windows\System\zcATXir.exe
  C:\Windows\System\zcATXir.exe
  2⤵
  - Executes dropped EXE
  PID:928
- C:\Windows\System\gXvxIPW.exe
  C:\Windows\System\gXvxIPW.exe
  2⤵
  - Executes dropped EXE
  PID:920
- C:\Windows\System\LKNBJbu.exe
  C:\Windows\System\LKNBJbu.exe
  2⤵
  - Executes dropped EXE
  PID:2264
- C:\Windows\System\nqQmHEK.exe
  C:\Windows\System\nqQmHEK.exe
  2⤵
  - Executes dropped EXE
  PID:4016
- C:\Windows\System\sNUUYSv.exe
  C:\Windows\System\sNUUYSv.exe
  2⤵
  - Executes dropped EXE
  PID:2756
- C:\Windows\System\jqmScxF.exe
  C:\Windows\System\jqmScxF.exe
  2⤵
  - Executes dropped EXE
  PID:1360
- C:\Windows\System\TypFtjZ.exe
  C:\Windows\System\TypFtjZ.exe
  2⤵
  - Executes dropped EXE
  PID:1472
- C:\Windows\System\MfTCytl.exe
  C:\Windows\System\MfTCytl.exe
  2⤵
  - Executes dropped EXE
  PID:2956
- C:\Windows\System\ElcbyzE.exe
  C:\Windows\System\ElcbyzE.exe
  2⤵
  - Executes dropped EXE
  PID:3240
- C:\Windows\System\yFryGDq.exe
  C:\Windows\System\yFryGDq.exe
  2⤵
  - Executes dropped EXE
  PID:2320
- C:\Windows\System\yzlBPTm.exe
  C:\Windows\System\yzlBPTm.exe
  2⤵
  - Executes dropped EXE
  PID:4300
- C:\Windows\System\TBrAtjQ.exe
  C:\Windows\System\TBrAtjQ.exe
  2⤵
  - Executes dropped EXE
  PID:4172
- C:\Windows\System\jmqIzWk.exe
  C:\Windows\System\jmqIzWk.exe
  2⤵
  - Executes dropped EXE
  PID:1080
- C:\Windows\System\bJVJWZX.exe
  C:\Windows\System\bJVJWZX.exe
  2⤵
  - Executes dropped EXE
  PID:4508

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\EkBHTON.exe

Filesize
5.9MB

MD5
00fad0ea91138fd950eecdd66c22f4ab

SHA1
01eba41fd4446a6f05830ee99827c1fd09fc9c11

SHA256
918c630d10c2f6007cb8bceb4a9884546ada57d327364930464d2cdf4d3057f6

SHA512
8cf935ae2cd1b42c3abb61dddb647a800ae47694974ed8f1ded419b16a699358f24d17e84d743ed00d3c8811c7d8d9af56054b3863f1f6fdc76bbfcc40405a88

Download Submit
C:\Windows\System\ElcbyzE.exe

Filesize
5.9MB

MD5
2d12f9843b15f3ae21decbdacca1a6fc

SHA1
7d8b67f6520d1bc43f44e528a2e03fc658462f6b

SHA256
f4b4a083afca93c035309b8131b47b3d0abda3f341f8a63d3e90f58c784b2353

SHA512
8af233339f7d38732c930e0437669cb0542748953fa5e490392a27e3fd6e3e95c427d33d84b1ae890fdf339b4648b6055c849cba89db300e6f43692c3b55ecb1

Download Submit
C:\Windows\System\LKNBJbu.exe

Filesize
5.9MB

MD5
3cb192f4c4ed8bd8f9b19f57f9ef647a

SHA1
a72e819d38061cde996b8e4b14a38279ce280ef1

SHA256
faa0d23a3e7ffa8900d3689b8842030e51b1c7e9305f54499ac09c8bb0293d5d

SHA512
fcddd139e6c142d2dc6b56b0e1ad384295854ec21ca6ef17461def4423ef1b6dfa49586904268515bee1d1bc24d3f8aa2432d95b1466ec4b9985d84070e2a8d2

Download Submit
C:\Windows\System\MfTCytl.exe

Filesize
5.9MB

MD5
6e6c4ad437238d93b3720f1daf079713

SHA1
51c481658260b6ea1cd0cd6f6f2cf36deebee40c

SHA256
230290c1801392295fe6fb46aa980a6b8969dcd91b07c363ca3407dd55bc6207

SHA512
1baf1d219a2f836554bb9e838e4bd8f0312545e19ca12318e4edd9d1adb1e98c62c5631f09f0c7a779b3f9c2df9344709f61d2f535554ff4e8dba6ab8fcec5a5

Download Submit
C:\Windows\System\TBrAtjQ.exe

Filesize
5.9MB

MD5
3347d8875315ffa19fdfbcac1c8e3ca3

SHA1
961f2b92fa1711c203e6ef2ba1a431d15828b5a8

SHA256
f4d5ba36200238d0192e94a1adead967be2aab80e06dff7a37773047f7a2b7b7

SHA512
3ec3d401b1b55c73b5e3293d01cc6646d6512ff38a826608f14fb79f0ee65f9fbf46ec96e8da296275552feaabb96578dd69d498796ae619379dbb51e8ffad68

Download Submit
C:\Windows\System\TypFtjZ.exe

Filesize
5.9MB

MD5
d87c8d89bc3bd378173e265e2c73d8be

SHA1
7170c06a8ad8034b7c47f94172fbc5c84f0d488b

SHA256
55c704bd44a96799dde1417608fa68f9861ebd196d7ee7ee11d608e54afa3fd8

SHA512
83918a635e3dc72a62082c10fa2f6547be8cd6bd2259d7f64c721cd0aa025ef1a22863e9c21a414d91eb8de57d8f3b49cddc2076cd911a91dfa5b9a106ffa3af

Download Submit
C:\Windows\System\bJVJWZX.exe

Filesize
5.9MB

MD5
8f0f445aa00ed4bd825a5d8ebcd4e054

SHA1
e944e74bb06c698647868dc0c7412dc7e1a96b55

SHA256
bbd9099409901138126074330eb88e5cb9570799c9bb3a0f2bf674087c800654

SHA512
dee2252544029dee55b80c1f38f1519901adb07fa404d72a6cc94c61cac8fff4232d825dd1a095311e34c5b662d1f2b00d5812f358674c44560bd454cf1a7fc2

Download Submit
C:\Windows\System\gXvxIPW.exe

Filesize
5.9MB

MD5
a43eb767d99d0c29d8cf17cd0634279a

SHA1
1bec3d79c1476ce953090afb938b287e43ad21ed

SHA256
33dfc58301a38b18067749c7c6f41bc053f8aba82c8c5f5096dba509e74927ad

SHA512
8f920ffe461c55b5e69431cad8d54659b0bec08685e14566b65ef64fd6816b9f3dede65953102ff99d4cd46b6389f91dfdb943daac3cb72621977735d73de72a

Download Submit
C:\Windows\System\jmqIzWk.exe

Filesize
5.9MB

MD5
44632f74be547a5dbeb42a1c7aaf7c63

SHA1
e473a392c12b350cceacd4bbc78c16de597f18af

SHA256
17475d2a07dd5bebdb2dacdb714b0d353936e3f748e0c44dbdaedbe035754966

SHA512
4557241bf0cc5ad5220cb761b339de2f981220651a573dcc8eb313886ba7809a13820162c8b6acd943b44ed6a230716e847812892794eeb7e5286c43f69f1bf1

Download Submit
C:\Windows\System\jqmScxF.exe

Filesize
5.9MB

MD5
eb0162da1368d613ce0a713a3ff3ee73

SHA1
efa06ebb25862a265e2d712eebe876003ca658a4

SHA256
f85702a666437a045d37115b4cb4c9c036e4285ed20704f08e61e3696a5cb392

SHA512
ce31657502091b61c0e7d9a6aa36be21628e914dcf9f3c2af7db3ca5a55e92e5359d40a6f3885c68a787cffaf5698004a4b4bd6dcbc86ab80986546cefe470f6

Download Submit
C:\Windows\System\mypMACS.exe

Filesize
5.9MB

MD5
f3e0d5a5e3114084736921abc7e5fc73

SHA1
4d05efa7b4144705022d0e4b4ea35d86ebfc225b

SHA256
c929073ac747af6c1b62e496b0536f4cee2cb21f14c2d1466e33d7dcdc738d97

SHA512
fa0fb2405782c6f15527c78f3824c04dff30223da6ef53692e7c9750bb0891a8cb6f37e325d62f573234b8f33731ff63ad112dace1d3c12923b3899c805b2447

Download Submit
C:\Windows\System\nhpiBkK.exe

Filesize
5.9MB

MD5
1de349959b6a4a0729c78da1186df138

SHA1
ff439f8f420c14f153a3ce5a8666c0fb3fd15f9c

SHA256
8b1751cd08dd4ba92b7e4596aeeb7281d63d44c9de33e1db8c4cc41808c1985a

SHA512
e1327d91acb198f3cf4257addd9fe628d1cede64d730d7ac416296df17bd44150a3a87971b433a957992f2f2bde856137ddff4f2b8de10ac2271c902e0e5f424

Download Submit
C:\Windows\System\nqQmHEK.exe

Filesize
5.9MB

MD5
969a90c0306304b075162ffd4c013cd2

SHA1
c94f7b013bf72409c03c31819f7e2dc1d575fd90

SHA256
ea6ae2734173f0bff0ed050b76aaa6a3490e1c56eaa038735e40761f82d9fdf3

SHA512
686c4245916f3ab6dafea7fea56c5ca536e214c4505969c1d39a75d208a850b2d3c01219da44e317c56132a68db11ed10df5d9cc5b6a61949a211134c5c582a4

Download Submit
C:\Windows\System\oPbuGht.exe

Filesize
5.9MB

MD5
48dae9e1621b208f98e6243b9a177cf8

SHA1
916a14a30710294dd324f9141d299852ef99ed70

SHA256
91fc9a59fb9cd3ca0f0826b8ddaf48d50afd75cc33ec2e9737cae263fb0f6cfb

SHA512
6af548589e5ec8b1ce3be7e2cf4399c5f09a9fe171b5bd2111d92d3f73184d5b67d7c07f1334de4233a8a0fba420ab9f7ba554f3722249aa897f3d26703a4282

Download Submit
C:\Windows\System\pdBfxfi.exe

Filesize
5.9MB

MD5
fa6973ec43df5e58a6a0c6fea2ef4704

SHA1
8537aa1aeeebade17fc84c7de5d57232249d8837

SHA256
2b3a1c9a4c4a53a469169e58e876ec7740c89d9f19e0cf3cac4c332815e93001

SHA512
f88cdc3e7da6fb90674591481eeb7fab28c207faae013fbb88646e1fa7b750f2ced5c1e70f1490c4a38b38d3c28019e12f9937d6e2519882b403a8d8223586e0

Download Submit
C:\Windows\System\pmWIYBW.exe

Filesize
5.9MB

MD5
49efd2f015b7f9ebbf471ca5b178e3fa

SHA1
2d4ad3cf1f8c27d27f9e23cfd157e68c4891a837

SHA256
1806bd4c31b6841621d3c7d9fa34f34c11d06c159646ed5bcd6fec9112fae0b4

SHA512
22449ae793b77fdb09665dcfb44ea96d1471dec8b267312f93045c7365faae5bf2ea1985abe393da8c47fea5ce922e8b5b81ad789bbac1d9365719dd7fbf1126

Download Submit
C:\Windows\System\sNUUYSv.exe

Filesize
5.9MB

MD5
1f1f12eb8010cfdc6c2367b8f157de01

SHA1
c9e88ca10e38160b082a15d5720389b9442af431

SHA256
57eedba564f878541feccfeda22fb94cb105060b7b485475f84b8ae92ffe48a3

SHA512
38c5de7dccb72a718bb40d99756f1dc8ce5484274463606d1390cc04d8f60e907f076ab798f0aabb36c06cd54dd1d8f95939156a01669134f22bb6f33e1d7a84

Download Submit
C:\Windows\System\uifCaxF.exe

Filesize
5.9MB

MD5
924666ae681e0e7b4bcc34e0e59d9fb6

SHA1
262e1be63c8cb634926bd0840c4d651c9c5df462

SHA256
bf737c4ab7a21fd89a4f73370bd6135106d67ef37c42a59e688340a76647eb38

SHA512
21365167c286ba462cafd779456e30e49b34987d0862862e6e98a3d43d30ecf62c91c98f7ae83c3a0e614089f0cbbe9ee29cce07899f84749b2d2cb33459c68c

Download Submit
C:\Windows\System\yFryGDq.exe

Filesize
5.9MB

MD5
f5262f97f7a8afb4cbe31cc4e8849dd2

SHA1
6d1ad97d9ee394631edda30d4aaa6d3faca30e46

SHA256
fef4a005f7ac821104fcd5b9e232ea9f1706ab4eb9eb80127ad603b4a51c0640

SHA512
63a32b61baae7fb0ae7fbfa42b8ca084fe8e144bce5e39b45215a37b8fc9b81ddb5739bdf42b9152bfed5b267190df7a7d197d39a340eaa5671e8dd0806fd788

Download Submit
C:\Windows\System\yzlBPTm.exe

Filesize
5.9MB

MD5
20ce6723c7451a5e74b903bb60dde65d

SHA1
61987f6127cd3448bae0fb9d64957732af90354b

SHA256
8277aafb9aab13ee3f452eb64490e85efa84b72153bd2522956c4494b1a96171

SHA512
ea34e869fdd32d19f8c4d25813284aa7adbe7a52df3530c8af153f66bde73c71b71f1a3f78d4f28285609a7fb89b030788693d5fcef873d2f994373c218fbe01

Download Submit
C:\Windows\System\zcATXir.exe

Filesize
5.9MB

MD5
75b4b1f0107526e8461c79a243ec4554

SHA1
f143ff0d5a78ab09fa64fc794e02829c6468b10d

SHA256
7fa086cd739aadf5dadea5f80e77b8c18cc48b61af16123bcebaf173a28e2be0

SHA512
d63105f19d0aff43616c304aca9e948d425e8609890b1d05e806036db2729dc33bc199c8e3c181a5fd9465875216b9b754366ef5f7d57978f2a84741d22bd89e

Download Submit
memory/872-39-0x00007FF73FE10000-0x00007FF740164000-memory.dmp

Filesize
3.3MB

Download
memory/872-139-0x00007FF73FE10000-0x00007FF740164000-memory.dmp

Filesize
3.3MB

Download
memory/876-8-0x00007FF7697C0000-0x00007FF769B14000-memory.dmp

Filesize
3.3MB

Download
memory/876-137-0x00007FF7697C0000-0x00007FF769B14000-memory.dmp

Filesize
3.3MB

Download
memory/920-145-0x00007FF6FF8D0000-0x00007FF6FFC24000-memory.dmp

Filesize
3.3MB

Download
memory/920-69-0x00007FF6FF8D0000-0x00007FF6FFC24000-memory.dmp

Filesize
3.3MB

Download
memory/928-144-0x00007FF6E90A0000-0x00007FF6E93F4000-memory.dmp

Filesize
3.3MB

Download
memory/928-68-0x00007FF6E90A0000-0x00007FF6E93F4000-memory.dmp

Filesize
3.3MB

Download
memory/988-33-0x00007FF62FFB0000-0x00007FF630304000-memory.dmp

Filesize
3.3MB

Download
memory/988-142-0x00007FF62FFB0000-0x00007FF630304000-memory.dmp

Filesize
3.3MB

Download
memory/988-129-0x00007FF62FFB0000-0x00007FF630304000-memory.dmp

Filesize
3.3MB

Download
memory/1080-126-0x00007FF622100000-0x00007FF622454000-memory.dmp

Filesize
3.3MB

Download
memory/1080-157-0x00007FF622100000-0x00007FF622454000-memory.dmp

Filesize
3.3MB

Download
memory/1360-98-0x00007FF6D8D10000-0x00007FF6D9064000-memory.dmp

Filesize
3.3MB

Download
memory/1360-149-0x00007FF6D8D10000-0x00007FF6D9064000-memory.dmp

Filesize
3.3MB

Download
memory/1400-138-0x00007FF763210000-0x00007FF763564000-memory.dmp

Filesize
3.3MB

Download
memory/1400-24-0x00007FF763210000-0x00007FF763564000-memory.dmp

Filesize
3.3MB

Download
memory/1472-95-0x00007FF6BA650000-0x00007FF6BA9A4000-memory.dmp

Filesize
3.3MB

Download
memory/1472-150-0x00007FF6BA650000-0x00007FF6BA9A4000-memory.dmp

Filesize
3.3MB

Download
memory/1612-143-0x00007FF6779B0000-0x00007FF677D04000-memory.dmp

Filesize
3.3MB

Download
memory/1612-130-0x00007FF6779B0000-0x00007FF677D04000-memory.dmp

Filesize
3.3MB

Download
memory/1612-61-0x00007FF6779B0000-0x00007FF677D04000-memory.dmp

Filesize
3.3MB

Download
memory/2264-146-0x00007FF6FA130000-0x00007FF6FA484000-memory.dmp

Filesize
3.3MB

Download
memory/2264-66-0x00007FF6FA130000-0x00007FF6FA484000-memory.dmp

Filesize
3.3MB

Download
memory/2320-135-0x00007FF78C680000-0x00007FF78C9D4000-memory.dmp

Filesize
3.3MB

Download
memory/2320-110-0x00007FF78C680000-0x00007FF78C9D4000-memory.dmp

Filesize
3.3MB

Download
memory/2320-154-0x00007FF78C680000-0x00007FF78C9D4000-memory.dmp

Filesize
3.3MB

Download
memory/2756-148-0x00007FF7007E0000-0x00007FF700B34000-memory.dmp

Filesize
3.3MB

Download
memory/2756-131-0x00007FF7007E0000-0x00007FF700B34000-memory.dmp

Filesize
3.3MB

Download
memory/2756-67-0x00007FF7007E0000-0x00007FF700B34000-memory.dmp

Filesize
3.3MB

Download
memory/2956-134-0x00007FF619E00000-0x00007FF61A154000-memory.dmp

Filesize
3.3MB

Download
memory/2956-152-0x00007FF619E00000-0x00007FF61A154000-memory.dmp

Filesize
3.3MB

Download
memory/2956-104-0x00007FF619E00000-0x00007FF61A154000-memory.dmp

Filesize
3.3MB

Download
memory/3012-43-0x00007FF6BFFC0000-0x00007FF6C0314000-memory.dmp

Filesize
3.3MB

Download
memory/3012-140-0x00007FF6BFFC0000-0x00007FF6C0314000-memory.dmp

Filesize
3.3MB

Download
memory/3232-128-0x00007FF78DD20000-0x00007FF78E074000-memory.dmp

Filesize
3.3MB

Download
memory/3232-0-0x00007FF78DD20000-0x00007FF78E074000-memory.dmp

Filesize
3.3MB

Download
memory/3232-1-0x0000020C14CE0000-0x0000020C14CF0000-memory.dmp

Filesize
64KB

Download
memory/3240-151-0x00007FF6526A0000-0x00007FF6529F4000-memory.dmp

Filesize
3.3MB

Download
memory/3240-105-0x00007FF6526A0000-0x00007FF6529F4000-memory.dmp

Filesize
3.3MB

Download
memory/3796-141-0x00007FF65B250000-0x00007FF65B5A4000-memory.dmp

Filesize
3.3MB

Download
memory/3796-44-0x00007FF65B250000-0x00007FF65B5A4000-memory.dmp

Filesize
3.3MB

Download
memory/4016-132-0x00007FF7A5590000-0x00007FF7A58E4000-memory.dmp

Filesize
3.3MB

Download
memory/4016-147-0x00007FF7A5590000-0x00007FF7A58E4000-memory.dmp

Filesize
3.3MB

Download
memory/4016-74-0x00007FF7A5590000-0x00007FF7A58E4000-memory.dmp

Filesize
3.3MB

Download
memory/4172-111-0x00007FF7F0AB0000-0x00007FF7F0E04000-memory.dmp

Filesize
3.3MB

Download
memory/4172-136-0x00007FF7F0AB0000-0x00007FF7F0E04000-memory.dmp

Filesize
3.3MB

Download
memory/4172-155-0x00007FF7F0AB0000-0x00007FF7F0E04000-memory.dmp

Filesize
3.3MB

Download
memory/4300-133-0x00007FF6E1FD0000-0x00007FF6E2324000-memory.dmp

Filesize
3.3MB

Download
memory/4300-109-0x00007FF6E1FD0000-0x00007FF6E2324000-memory.dmp

Filesize
3.3MB

Download
memory/4300-153-0x00007FF6E1FD0000-0x00007FF6E2324000-memory.dmp

Filesize
3.3MB

Download
memory/4508-156-0x00007FF6F13C0000-0x00007FF6F1714000-memory.dmp

Filesize
3.3MB

Download
memory/4508-127-0x00007FF6F13C0000-0x00007FF6F1714000-memory.dmp

Filesize
3.3MB

Download