cobaltstrike | 8f899723822603bde6c11d8651a4aa86ee02271642de842871e50a7b5302a3de

Analysis

max time kernel
147s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
05/06/2024, 19:00

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe
Size

5.9MB
MD5

4d1bdec09a8a0e958c35440e431477af
SHA1

14a403d2ddc38de45daccc4436227a80f81f6f65
SHA256

8f899723822603bde6c11d8651a4aa86ee02271642de842871e50a7b5302a3de
SHA512

02d464ec0699b24fdabe84686a4ea5ea60143fd8b5f510b0f5dc195c8da2e1985018f3d18d68d165580369d4fe7cdbf846c2844d857afce1db32dbaf3eeaddd9
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUH:Q+856utgpPF8u/7H

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0008000000022f51-4.dat	cobalt_reflective_dll
behavioral2/files/0x00080000000233f6-9.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233f7-23.dat	cobalt_reflective_dll
behavioral2/files/0x00080000000233f5-14.dat	cobalt_reflective_dll
behavioral2/files/0x00090000000233e9-32.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233fa-41.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233f8-36.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233fb-47.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233fd-57.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233fe-64.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233ff-68.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023401-76.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023404-91.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023408-110.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023407-111.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023406-108.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023405-104.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023403-94.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023402-86.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023400-77.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233fc-55.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

resource	yara_rule
behavioral2/files/0x0008000000022f51-4.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00080000000233f6-9.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233f7-23.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00080000000233f5-14.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00090000000233e9-32.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233fa-41.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233f8-36.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233fb-47.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233fd-57.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233fe-64.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233ff-68.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023401-76.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023404-91.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023408-110.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023407-111.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023406-108.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023405-104.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023403-94.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023402-86.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023400-77.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233fc-55.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

resource	yara_rule
behavioral2/memory/3988-0-0x00007FF791FB0000-0x00007FF792304000-memory.dmp	UPX
behavioral2/files/0x0008000000022f51-4.dat	UPX
behavioral2/files/0x00080000000233f6-9.dat	UPX
behavioral2/memory/4148-13-0x00007FF7A5D90000-0x00007FF7A60E4000-memory.dmp	UPX
behavioral2/memory/772-20-0x00007FF6BC420000-0x00007FF6BC774000-memory.dmp	UPX
behavioral2/memory/3452-19-0x00007FF6270D0000-0x00007FF627424000-memory.dmp	UPX
behavioral2/files/0x00070000000233f7-23.dat	UPX
behavioral2/memory/2820-24-0x00007FF64FF70000-0x00007FF6502C4000-memory.dmp	UPX
behavioral2/files/0x00080000000233f5-14.dat	UPX
behavioral2/files/0x00090000000233e9-32.dat	UPX
behavioral2/files/0x00070000000233fa-41.dat	UPX
behavioral2/memory/4864-38-0x00007FF689F40000-0x00007FF68A294000-memory.dmp	UPX
behavioral2/files/0x00070000000233f8-36.dat	UPX
behavioral2/memory/1608-33-0x00007FF6AC9C0000-0x00007FF6ACD14000-memory.dmp	UPX
behavioral2/files/0x00070000000233fb-47.dat	UPX
behavioral2/files/0x00070000000233fd-57.dat	UPX
behavioral2/files/0x00070000000233fe-64.dat	UPX
behavioral2/files/0x00070000000233ff-68.dat	UPX
behavioral2/files/0x0007000000023401-76.dat	UPX
behavioral2/files/0x0007000000023404-91.dat	UPX
behavioral2/files/0x0007000000023408-110.dat	UPX
behavioral2/files/0x0007000000023407-111.dat	UPX
behavioral2/files/0x0007000000023406-108.dat	UPX
behavioral2/files/0x0007000000023405-104.dat	UPX
behavioral2/files/0x0007000000023403-94.dat	UPX
behavioral2/files/0x0007000000023402-86.dat	UPX
behavioral2/files/0x0007000000023400-77.dat	UPX
behavioral2/files/0x00070000000233fc-55.dat	UPX
behavioral2/memory/2092-51-0x00007FF718D90000-0x00007FF7190E4000-memory.dmp	UPX
behavioral2/memory/3880-46-0x00007FF739790000-0x00007FF739AE4000-memory.dmp	UPX
behavioral2/memory/964-115-0x00007FF6E31D0000-0x00007FF6E3524000-memory.dmp	UPX
behavioral2/memory/4540-116-0x00007FF6265A0000-0x00007FF6268F4000-memory.dmp	UPX
behavioral2/memory/5064-117-0x00007FF799960000-0x00007FF799CB4000-memory.dmp	UPX
behavioral2/memory/4480-118-0x00007FF7B3420000-0x00007FF7B3774000-memory.dmp	UPX
behavioral2/memory/372-119-0x00007FF7DC920000-0x00007FF7DCC74000-memory.dmp	UPX
behavioral2/memory/2464-120-0x00007FF64FA30000-0x00007FF64FD84000-memory.dmp	UPX
behavioral2/memory/4028-122-0x00007FF7D28E0000-0x00007FF7D2C34000-memory.dmp	UPX
behavioral2/memory/4464-121-0x00007FF795D10000-0x00007FF796064000-memory.dmp	UPX
behavioral2/memory/404-123-0x00007FF6A13B0000-0x00007FF6A1704000-memory.dmp	UPX
behavioral2/memory/4656-125-0x00007FF63C6A0000-0x00007FF63C9F4000-memory.dmp	UPX
behavioral2/memory/224-124-0x00007FF74F8D0000-0x00007FF74FC24000-memory.dmp	UPX
behavioral2/memory/4408-126-0x00007FF6A7590000-0x00007FF6A78E4000-memory.dmp	UPX
behavioral2/memory/1932-127-0x00007FF667D00000-0x00007FF668054000-memory.dmp	UPX
behavioral2/memory/3988-128-0x00007FF791FB0000-0x00007FF792304000-memory.dmp	UPX
behavioral2/memory/2820-129-0x00007FF64FF70000-0x00007FF6502C4000-memory.dmp	UPX
behavioral2/memory/1608-130-0x00007FF6AC9C0000-0x00007FF6ACD14000-memory.dmp	UPX
behavioral2/memory/4864-131-0x00007FF689F40000-0x00007FF68A294000-memory.dmp	UPX
behavioral2/memory/4148-132-0x00007FF7A5D90000-0x00007FF7A60E4000-memory.dmp	UPX
behavioral2/memory/3452-133-0x00007FF6270D0000-0x00007FF627424000-memory.dmp	UPX
behavioral2/memory/772-134-0x00007FF6BC420000-0x00007FF6BC774000-memory.dmp	UPX
behavioral2/memory/2820-135-0x00007FF64FF70000-0x00007FF6502C4000-memory.dmp	UPX
behavioral2/memory/1608-136-0x00007FF6AC9C0000-0x00007FF6ACD14000-memory.dmp	UPX
behavioral2/memory/3880-137-0x00007FF739790000-0x00007FF739AE4000-memory.dmp	UPX
behavioral2/memory/4864-138-0x00007FF689F40000-0x00007FF68A294000-memory.dmp	UPX
behavioral2/memory/964-141-0x00007FF6E31D0000-0x00007FF6E3524000-memory.dmp	UPX
behavioral2/memory/4540-140-0x00007FF6265A0000-0x00007FF6268F4000-memory.dmp	UPX
behavioral2/memory/2092-139-0x00007FF718D90000-0x00007FF7190E4000-memory.dmp	UPX
behavioral2/memory/5064-143-0x00007FF799960000-0x00007FF799CB4000-memory.dmp	UPX
behavioral2/memory/372-145-0x00007FF7DC920000-0x00007FF7DCC74000-memory.dmp	UPX
behavioral2/memory/2464-144-0x00007FF64FA30000-0x00007FF64FD84000-memory.dmp	UPX
behavioral2/memory/4480-142-0x00007FF7B3420000-0x00007FF7B3774000-memory.dmp	UPX
behavioral2/memory/4464-146-0x00007FF795D10000-0x00007FF796064000-memory.dmp	UPX
behavioral2/memory/4028-147-0x00007FF7D28E0000-0x00007FF7D2C34000-memory.dmp	UPX
behavioral2/memory/404-148-0x00007FF6A13B0000-0x00007FF6A1704000-memory.dmp	UPX

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/3988-0-0x00007FF791FB0000-0x00007FF792304000-memory.dmp	xmrig
behavioral2/files/0x0008000000022f51-4.dat	xmrig
behavioral2/files/0x00080000000233f6-9.dat	xmrig
behavioral2/memory/4148-13-0x00007FF7A5D90000-0x00007FF7A60E4000-memory.dmp	xmrig
behavioral2/memory/772-20-0x00007FF6BC420000-0x00007FF6BC774000-memory.dmp	xmrig
behavioral2/memory/3452-19-0x00007FF6270D0000-0x00007FF627424000-memory.dmp	xmrig
behavioral2/files/0x00070000000233f7-23.dat	xmrig
behavioral2/memory/2820-24-0x00007FF64FF70000-0x00007FF6502C4000-memory.dmp	xmrig
behavioral2/files/0x00080000000233f5-14.dat	xmrig
behavioral2/files/0x00090000000233e9-32.dat	xmrig
behavioral2/files/0x00070000000233fa-41.dat	xmrig
behavioral2/memory/4864-38-0x00007FF689F40000-0x00007FF68A294000-memory.dmp	xmrig
behavioral2/files/0x00070000000233f8-36.dat	xmrig
behavioral2/memory/1608-33-0x00007FF6AC9C0000-0x00007FF6ACD14000-memory.dmp	xmrig
behavioral2/files/0x00070000000233fb-47.dat	xmrig
behavioral2/files/0x00070000000233fd-57.dat	xmrig
behavioral2/files/0x00070000000233fe-64.dat	xmrig
behavioral2/files/0x00070000000233ff-68.dat	xmrig
behavioral2/files/0x0007000000023401-76.dat	xmrig
behavioral2/files/0x0007000000023404-91.dat	xmrig
behavioral2/files/0x0007000000023408-110.dat	xmrig
behavioral2/files/0x0007000000023407-111.dat	xmrig
behavioral2/files/0x0007000000023406-108.dat	xmrig
behavioral2/files/0x0007000000023405-104.dat	xmrig
behavioral2/files/0x0007000000023403-94.dat	xmrig
behavioral2/files/0x0007000000023402-86.dat	xmrig
behavioral2/files/0x0007000000023400-77.dat	xmrig
behavioral2/files/0x00070000000233fc-55.dat	xmrig
behavioral2/memory/2092-51-0x00007FF718D90000-0x00007FF7190E4000-memory.dmp	xmrig
behavioral2/memory/3880-46-0x00007FF739790000-0x00007FF739AE4000-memory.dmp	xmrig
behavioral2/memory/964-115-0x00007FF6E31D0000-0x00007FF6E3524000-memory.dmp	xmrig
behavioral2/memory/4540-116-0x00007FF6265A0000-0x00007FF6268F4000-memory.dmp	xmrig
behavioral2/memory/5064-117-0x00007FF799960000-0x00007FF799CB4000-memory.dmp	xmrig
behavioral2/memory/4480-118-0x00007FF7B3420000-0x00007FF7B3774000-memory.dmp	xmrig
behavioral2/memory/372-119-0x00007FF7DC920000-0x00007FF7DCC74000-memory.dmp	xmrig
behavioral2/memory/2464-120-0x00007FF64FA30000-0x00007FF64FD84000-memory.dmp	xmrig
behavioral2/memory/4028-122-0x00007FF7D28E0000-0x00007FF7D2C34000-memory.dmp	xmrig
behavioral2/memory/4464-121-0x00007FF795D10000-0x00007FF796064000-memory.dmp	xmrig
behavioral2/memory/404-123-0x00007FF6A13B0000-0x00007FF6A1704000-memory.dmp	xmrig
behavioral2/memory/4656-125-0x00007FF63C6A0000-0x00007FF63C9F4000-memory.dmp	xmrig
behavioral2/memory/224-124-0x00007FF74F8D0000-0x00007FF74FC24000-memory.dmp	xmrig
behavioral2/memory/4408-126-0x00007FF6A7590000-0x00007FF6A78E4000-memory.dmp	xmrig
behavioral2/memory/1932-127-0x00007FF667D00000-0x00007FF668054000-memory.dmp	xmrig
behavioral2/memory/3988-128-0x00007FF791FB0000-0x00007FF792304000-memory.dmp	xmrig
behavioral2/memory/2820-129-0x00007FF64FF70000-0x00007FF6502C4000-memory.dmp	xmrig
behavioral2/memory/1608-130-0x00007FF6AC9C0000-0x00007FF6ACD14000-memory.dmp	xmrig
behavioral2/memory/4864-131-0x00007FF689F40000-0x00007FF68A294000-memory.dmp	xmrig
behavioral2/memory/4148-132-0x00007FF7A5D90000-0x00007FF7A60E4000-memory.dmp	xmrig
behavioral2/memory/3452-133-0x00007FF6270D0000-0x00007FF627424000-memory.dmp	xmrig
behavioral2/memory/772-134-0x00007FF6BC420000-0x00007FF6BC774000-memory.dmp	xmrig
behavioral2/memory/2820-135-0x00007FF64FF70000-0x00007FF6502C4000-memory.dmp	xmrig
behavioral2/memory/1608-136-0x00007FF6AC9C0000-0x00007FF6ACD14000-memory.dmp	xmrig
behavioral2/memory/3880-137-0x00007FF739790000-0x00007FF739AE4000-memory.dmp	xmrig
behavioral2/memory/4864-138-0x00007FF689F40000-0x00007FF68A294000-memory.dmp	xmrig
behavioral2/memory/964-141-0x00007FF6E31D0000-0x00007FF6E3524000-memory.dmp	xmrig
behavioral2/memory/4540-140-0x00007FF6265A0000-0x00007FF6268F4000-memory.dmp	xmrig
behavioral2/memory/2092-139-0x00007FF718D90000-0x00007FF7190E4000-memory.dmp	xmrig
behavioral2/memory/5064-143-0x00007FF799960000-0x00007FF799CB4000-memory.dmp	xmrig
behavioral2/memory/372-145-0x00007FF7DC920000-0x00007FF7DCC74000-memory.dmp	xmrig
behavioral2/memory/2464-144-0x00007FF64FA30000-0x00007FF64FD84000-memory.dmp	xmrig
behavioral2/memory/4480-142-0x00007FF7B3420000-0x00007FF7B3774000-memory.dmp	xmrig
behavioral2/memory/4464-146-0x00007FF795D10000-0x00007FF796064000-memory.dmp	xmrig
behavioral2/memory/4028-147-0x00007FF7D28E0000-0x00007FF7D2C34000-memory.dmp	xmrig
behavioral2/memory/404-148-0x00007FF6A13B0000-0x00007FF6A1704000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
4148	mxtOiBP.exe
3452	yDdRgpZ.exe
772	wuGGdDJ.exe
2820	jjrLxki.exe
1608	dhekLgM.exe
4864	GGUUZpM.exe
3880	IqkpJsH.exe
2092	qvzMdTP.exe
964	DyGbTNL.exe
4540	JgXOhes.exe
5064	rCvbcth.exe
4480	eNeCpqQ.exe
372	aQAzqCF.exe
2464	hVDaCeB.exe
4464	FlhOZDg.exe
4028	iLAAbUY.exe
404	NNZpgPB.exe
224	sweehhM.exe
4656	IQKgBTQ.exe
4408	npQlcsA.exe
1932	lRrHIRn.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3988-0-0x00007FF791FB0000-0x00007FF792304000-memory.dmp	upx
behavioral2/files/0x0008000000022f51-4.dat	upx
behavioral2/files/0x00080000000233f6-9.dat	upx
behavioral2/memory/4148-13-0x00007FF7A5D90000-0x00007FF7A60E4000-memory.dmp	upx
behavioral2/memory/772-20-0x00007FF6BC420000-0x00007FF6BC774000-memory.dmp	upx
behavioral2/memory/3452-19-0x00007FF6270D0000-0x00007FF627424000-memory.dmp	upx
behavioral2/files/0x00070000000233f7-23.dat	upx
behavioral2/memory/2820-24-0x00007FF64FF70000-0x00007FF6502C4000-memory.dmp	upx
behavioral2/files/0x00080000000233f5-14.dat	upx
behavioral2/files/0x00090000000233e9-32.dat	upx
behavioral2/files/0x00070000000233fa-41.dat	upx
behavioral2/memory/4864-38-0x00007FF689F40000-0x00007FF68A294000-memory.dmp	upx
behavioral2/files/0x00070000000233f8-36.dat	upx
behavioral2/memory/1608-33-0x00007FF6AC9C0000-0x00007FF6ACD14000-memory.dmp	upx
behavioral2/files/0x00070000000233fb-47.dat	upx
behavioral2/files/0x00070000000233fd-57.dat	upx
behavioral2/files/0x00070000000233fe-64.dat	upx
behavioral2/files/0x00070000000233ff-68.dat	upx
behavioral2/files/0x0007000000023401-76.dat	upx
behavioral2/files/0x0007000000023404-91.dat	upx
behavioral2/files/0x0007000000023408-110.dat	upx
behavioral2/files/0x0007000000023407-111.dat	upx
behavioral2/files/0x0007000000023406-108.dat	upx
behavioral2/files/0x0007000000023405-104.dat	upx
behavioral2/files/0x0007000000023403-94.dat	upx
behavioral2/files/0x0007000000023402-86.dat	upx
behavioral2/files/0x0007000000023400-77.dat	upx
behavioral2/files/0x00070000000233fc-55.dat	upx
behavioral2/memory/2092-51-0x00007FF718D90000-0x00007FF7190E4000-memory.dmp	upx
behavioral2/memory/3880-46-0x00007FF739790000-0x00007FF739AE4000-memory.dmp	upx
behavioral2/memory/964-115-0x00007FF6E31D0000-0x00007FF6E3524000-memory.dmp	upx
behavioral2/memory/4540-116-0x00007FF6265A0000-0x00007FF6268F4000-memory.dmp	upx
behavioral2/memory/5064-117-0x00007FF799960000-0x00007FF799CB4000-memory.dmp	upx
behavioral2/memory/4480-118-0x00007FF7B3420000-0x00007FF7B3774000-memory.dmp	upx
behavioral2/memory/372-119-0x00007FF7DC920000-0x00007FF7DCC74000-memory.dmp	upx
behavioral2/memory/2464-120-0x00007FF64FA30000-0x00007FF64FD84000-memory.dmp	upx
behavioral2/memory/4028-122-0x00007FF7D28E0000-0x00007FF7D2C34000-memory.dmp	upx
behavioral2/memory/4464-121-0x00007FF795D10000-0x00007FF796064000-memory.dmp	upx
behavioral2/memory/404-123-0x00007FF6A13B0000-0x00007FF6A1704000-memory.dmp	upx
behavioral2/memory/4656-125-0x00007FF63C6A0000-0x00007FF63C9F4000-memory.dmp	upx
behavioral2/memory/224-124-0x00007FF74F8D0000-0x00007FF74FC24000-memory.dmp	upx
behavioral2/memory/4408-126-0x00007FF6A7590000-0x00007FF6A78E4000-memory.dmp	upx
behavioral2/memory/1932-127-0x00007FF667D00000-0x00007FF668054000-memory.dmp	upx
behavioral2/memory/3988-128-0x00007FF791FB0000-0x00007FF792304000-memory.dmp	upx
behavioral2/memory/2820-129-0x00007FF64FF70000-0x00007FF6502C4000-memory.dmp	upx
behavioral2/memory/1608-130-0x00007FF6AC9C0000-0x00007FF6ACD14000-memory.dmp	upx
behavioral2/memory/4864-131-0x00007FF689F40000-0x00007FF68A294000-memory.dmp	upx
behavioral2/memory/4148-132-0x00007FF7A5D90000-0x00007FF7A60E4000-memory.dmp	upx
behavioral2/memory/3452-133-0x00007FF6270D0000-0x00007FF627424000-memory.dmp	upx
behavioral2/memory/772-134-0x00007FF6BC420000-0x00007FF6BC774000-memory.dmp	upx
behavioral2/memory/2820-135-0x00007FF64FF70000-0x00007FF6502C4000-memory.dmp	upx
behavioral2/memory/1608-136-0x00007FF6AC9C0000-0x00007FF6ACD14000-memory.dmp	upx
behavioral2/memory/3880-137-0x00007FF739790000-0x00007FF739AE4000-memory.dmp	upx
behavioral2/memory/4864-138-0x00007FF689F40000-0x00007FF68A294000-memory.dmp	upx
behavioral2/memory/964-141-0x00007FF6E31D0000-0x00007FF6E3524000-memory.dmp	upx
behavioral2/memory/4540-140-0x00007FF6265A0000-0x00007FF6268F4000-memory.dmp	upx
behavioral2/memory/2092-139-0x00007FF718D90000-0x00007FF7190E4000-memory.dmp	upx
behavioral2/memory/5064-143-0x00007FF799960000-0x00007FF799CB4000-memory.dmp	upx
behavioral2/memory/372-145-0x00007FF7DC920000-0x00007FF7DCC74000-memory.dmp	upx
behavioral2/memory/2464-144-0x00007FF64FA30000-0x00007FF64FD84000-memory.dmp	upx
behavioral2/memory/4480-142-0x00007FF7B3420000-0x00007FF7B3774000-memory.dmp	upx
behavioral2/memory/4464-146-0x00007FF795D10000-0x00007FF796064000-memory.dmp	upx
behavioral2/memory/4028-147-0x00007FF7D28E0000-0x00007FF7D2C34000-memory.dmp	upx
behavioral2/memory/404-148-0x00007FF6A13B0000-0x00007FF6A1704000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\DyGbTNL.exe	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\JgXOhes.exe	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\eNeCpqQ.exe	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\lRrHIRn.exe	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\wuGGdDJ.exe	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\yDdRgpZ.exe	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\jjrLxki.exe	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\qvzMdTP.exe	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\aQAzqCF.exe	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\hVDaCeB.exe	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\FlhOZDg.exe	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\NNZpgPB.exe	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\mxtOiBP.exe	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\IQKgBTQ.exe	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\GGUUZpM.exe	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\iLAAbUY.exe	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\sweehhM.exe	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\npQlcsA.exe	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\dhekLgM.exe	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\rCvbcth.exe	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\IqkpJsH.exe	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	3988	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	3988	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 3988 wrote to memory of 4148	3988	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe	83
PID 3988 wrote to memory of 4148	3988	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe	83
PID 3988 wrote to memory of 3452	3988	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe	84
PID 3988 wrote to memory of 3452	3988	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe	84
PID 3988 wrote to memory of 772	3988	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe	85
PID 3988 wrote to memory of 772	3988	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe	85
PID 3988 wrote to memory of 2820	3988	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe	86
PID 3988 wrote to memory of 2820	3988	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe	86
PID 3988 wrote to memory of 1608	3988	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe	87
PID 3988 wrote to memory of 1608	3988	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe	87
PID 3988 wrote to memory of 4864	3988	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe	88
PID 3988 wrote to memory of 4864	3988	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe	88
PID 3988 wrote to memory of 3880	3988	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe	89
PID 3988 wrote to memory of 3880	3988	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe	89
PID 3988 wrote to memory of 2092	3988	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe	90
PID 3988 wrote to memory of 2092	3988	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe	90
PID 3988 wrote to memory of 964	3988	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe	91
PID 3988 wrote to memory of 964	3988	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe	91
PID 3988 wrote to memory of 4540	3988	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe	92
PID 3988 wrote to memory of 4540	3988	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe	92
PID 3988 wrote to memory of 5064	3988	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe	93
PID 3988 wrote to memory of 5064	3988	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe	93
PID 3988 wrote to memory of 4480	3988	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe	94
PID 3988 wrote to memory of 4480	3988	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe	94
PID 3988 wrote to memory of 372	3988	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe	95
PID 3988 wrote to memory of 372	3988	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe	95
PID 3988 wrote to memory of 2464	3988	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe	96
PID 3988 wrote to memory of 2464	3988	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe	96
PID 3988 wrote to memory of 4464	3988	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe	97
PID 3988 wrote to memory of 4464	3988	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe	97
PID 3988 wrote to memory of 4028	3988	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe	98
PID 3988 wrote to memory of 4028	3988	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe	98
PID 3988 wrote to memory of 404	3988	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe	99
PID 3988 wrote to memory of 404	3988	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe	99
PID 3988 wrote to memory of 224	3988	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe	100
PID 3988 wrote to memory of 224	3988	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe	100
PID 3988 wrote to memory of 4656	3988	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe	101
PID 3988 wrote to memory of 4656	3988	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe	101
PID 3988 wrote to memory of 4408	3988	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe	102
PID 3988 wrote to memory of 4408	3988	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe	102
PID 3988 wrote to memory of 1932	3988	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe	103
PID 3988 wrote to memory of 1932	3988	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe	103

C:\Users\Admin\AppData\Local\Temp\2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3988
- C:\Windows\System\mxtOiBP.exe
  C:\Windows\System\mxtOiBP.exe
  2⤵
  - Executes dropped EXE
  PID:4148
- C:\Windows\System\yDdRgpZ.exe
  C:\Windows\System\yDdRgpZ.exe
  2⤵
  - Executes dropped EXE
  PID:3452
- C:\Windows\System\wuGGdDJ.exe
  C:\Windows\System\wuGGdDJ.exe
  2⤵
  - Executes dropped EXE
  PID:772
- C:\Windows\System\jjrLxki.exe
  C:\Windows\System\jjrLxki.exe
  2⤵
  - Executes dropped EXE
  PID:2820
- C:\Windows\System\dhekLgM.exe
  C:\Windows\System\dhekLgM.exe
  2⤵
  - Executes dropped EXE
  PID:1608
- C:\Windows\System\GGUUZpM.exe
  C:\Windows\System\GGUUZpM.exe
  2⤵
  - Executes dropped EXE
  PID:4864
- C:\Windows\System\IqkpJsH.exe
  C:\Windows\System\IqkpJsH.exe
  2⤵
  - Executes dropped EXE
  PID:3880
- C:\Windows\System\qvzMdTP.exe
  C:\Windows\System\qvzMdTP.exe
  2⤵
  - Executes dropped EXE
  PID:2092
- C:\Windows\System\DyGbTNL.exe
  C:\Windows\System\DyGbTNL.exe
  2⤵
  - Executes dropped EXE
  PID:964
- C:\Windows\System\JgXOhes.exe
  C:\Windows\System\JgXOhes.exe
  2⤵
  - Executes dropped EXE
  PID:4540
- C:\Windows\System\rCvbcth.exe
  C:\Windows\System\rCvbcth.exe
  2⤵
  - Executes dropped EXE
  PID:5064
- C:\Windows\System\eNeCpqQ.exe
  C:\Windows\System\eNeCpqQ.exe
  2⤵
  - Executes dropped EXE
  PID:4480
- C:\Windows\System\aQAzqCF.exe
  C:\Windows\System\aQAzqCF.exe
  2⤵
  - Executes dropped EXE
  PID:372
- C:\Windows\System\hVDaCeB.exe
  C:\Windows\System\hVDaCeB.exe
  2⤵
  - Executes dropped EXE
  PID:2464
- C:\Windows\System\FlhOZDg.exe
  C:\Windows\System\FlhOZDg.exe
  2⤵
  - Executes dropped EXE
  PID:4464
- C:\Windows\System\iLAAbUY.exe
  C:\Windows\System\iLAAbUY.exe
  2⤵
  - Executes dropped EXE
  PID:4028
- C:\Windows\System\NNZpgPB.exe
  C:\Windows\System\NNZpgPB.exe
  2⤵
  - Executes dropped EXE
  PID:404
- C:\Windows\System\sweehhM.exe
  C:\Windows\System\sweehhM.exe
  2⤵
  - Executes dropped EXE
  PID:224
- C:\Windows\System\IQKgBTQ.exe
  C:\Windows\System\IQKgBTQ.exe
  2⤵
  - Executes dropped EXE
  PID:4656
- C:\Windows\System\npQlcsA.exe
  C:\Windows\System\npQlcsA.exe
  2⤵
  - Executes dropped EXE
  PID:4408
- C:\Windows\System\lRrHIRn.exe
  C:\Windows\System\lRrHIRn.exe
  2⤵
  - Executes dropped EXE
  PID:1932

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\DyGbTNL.exe

Filesize
5.9MB

MD5
dbfe12372ec2f03d8ec6d7a96b9283c1

SHA1
6ddbd10ffd296f8d1551d824653f5b4e62525cdd

SHA256
53ef67ae037bd5ba9e8bbf87dace29ffbbde828dc26d3ca2358ee857a3224336

SHA512
146f9e26162c43504bcc2fe51354ad4aa2f4987ea4224be087464a15ea18e827ae28e9d770b65b719b68468863b79699900b3943008d662d8c3e59cb24af5b38

Download Submit
C:\Windows\System\FlhOZDg.exe

Filesize
5.9MB

MD5
5f328d855a17fb1f5b505c4d5c885890

SHA1
ae92e54e434bb4d3550ae5dfd10b17d2f8de70e5

SHA256
1ca1f1a496961b6dca6c673888631573c2541c1893bdbe79981bd275b61816c2

SHA512
e4a2e59be1941808a21b297a5c51efed73557dec61c32f3a2cb6cdec256bf0781cb5939a53cf56ddb561f685f85d3c2ff3f6cc27a88da36f6c814c08b7ef1d9a

Download Submit
C:\Windows\System\GGUUZpM.exe

Filesize
5.9MB

MD5
5694a935db4ba6ba96f3cc60d8c607bf

SHA1
556bf249108f314927e420503b2174902120370b

SHA256
7ebfa4057b655ceaad0fbe6d3f50c454661387505296e90328eb39ecce6cb303

SHA512
4be3c174aa6c2d2a547e7d73cac4b197ea5bf1c461d98c0263ce608091f60787f66f9e0720845dc343b5fca1d978637a457f49d6976793d622a372254f97136c

Download Submit
C:\Windows\System\IQKgBTQ.exe

Filesize
5.9MB

MD5
1f345673fb2a33e3b02d2cf6cd884e0e

SHA1
f2c3582d58e66028fe1e013e7552488e44f1e5fa

SHA256
df0731375f245e7f9e03f978847c5bc7317ebf6cd56f728a618ea65f2b9f86cc

SHA512
79df576b63df255456b973d85a054de7564ae0d08f23e45a5054c49aacd100f24146717607cf16bc92cf71f7b618fd9a6123dd3a24bb027b2b90abd2176aa296

Download Submit
C:\Windows\System\IqkpJsH.exe

Filesize
5.9MB

MD5
ddc57f6072d7119520ada84ba3adcf51

SHA1
8c069b7ba5f046dd4913eee25a8422d5bbd2ba39

SHA256
470162f359d8d2b5c3a03a3c0808e8e52272ce56b04146ae037f493403fe7093

SHA512
1719bf5f5f4b74e385a5679453fbcf2bad671ad56010c2aad2eae031e091e6c6f7abfd5999232a0a7d2ce49e5094a200eba4ae46197b5ff9e57c308c09c3643e

Download Submit
C:\Windows\System\JgXOhes.exe

Filesize
5.9MB

MD5
288a35f6b007e43e54f51dbbfcf5a80c

SHA1
7d653491663d33b3d99878ed8e22628031304f8e

SHA256
f1d7f7bbcfbc6a6da0d2a1cf15982f716347a5e9bd2014807b551d742fbecccd

SHA512
3d0f878415757f9654e9593cfbb6ce60aa9c1abc9d6b3ff52808fc92d7657337c60ccb64da7b760125545a5c34d4b05c4dc7062258a0fd115ace04268b5cce00

Download Submit
C:\Windows\System\NNZpgPB.exe

Filesize
5.9MB

MD5
0af3bfa48aa52fff0f609b5d9e1de592

SHA1
2dcb9b017db650584947f8f97af0f18250be06d9

SHA256
9b0f82f30393d16d627f6ec9082d3688056e8848fbe229f93c91aac4e137c3e1

SHA512
9f6ef590b3b6976ab27e95590028aab92b402d4a49163f215822e313664e14228bedf0efa613b4b7e688e25a3ef020072faddf0b369d871796c3831434e2150c

Download Submit
C:\Windows\System\aQAzqCF.exe

Filesize
5.9MB

MD5
82561c640a133f9629af9b99458b8b84

SHA1
289af2ab1f0132029e3e22bdcc0da586a9f1f280

SHA256
6e5d7766dd2ce7e4e7533767e2b8062f4fccdbd90ebac554840be5a09c0815ff

SHA512
d9d08371ef6aa086c5d19d0ae902fc2230547d6051ef27d058782cd4b520c1c520b2f00c50df6939c96689c811d60ef748826a1898e7fef22e37ce1d0e4e95d8

Download Submit
C:\Windows\System\dhekLgM.exe

Filesize
5.9MB

MD5
85418406789ca614e7cb33553d4f4a71

SHA1
ca84068bf41c12f38f85e3964defacfc7b81536c

SHA256
d125680c1fcc20b7a389f0935456db90e77cb47ccaacf0335d1bfcf9678e909d

SHA512
36e5bf1018f679ecb92e2e9e6b35ce178c24793eafe86953cbd2cd13e769ce774d8bdc5f8b6f97e8b7d25035d9348c1606455d2afb07cdb479b6ee95d73467d7

Download Submit
C:\Windows\System\eNeCpqQ.exe

Filesize
5.9MB

MD5
65ca6cda968eef6ba12062792b450da6

SHA1
528a855cb767fecc1608fc7ce119de9fd8eb84e1

SHA256
4e41f5d4e59396a5474170c5443f1df120fd35ce22116bd0df7e7629bd3242ae

SHA512
856f5053935ca0c266a1350a1c73fcc3a6841c3fb1d6e2a8a55ef8b50c399569331883299124bb6ce34873a18ab575f84aabf1c68198ba9b8a9bc2028dff8b38

Download Submit
C:\Windows\System\hVDaCeB.exe

Filesize
5.9MB

MD5
563d8bb0052d5ac4fec6a2f0bd037c7c

SHA1
5e398082b946c20e539d86cc4250e3b32fb87fb6

SHA256
e7f9efefd652017859d81674ffbfa17560cf04a60e6ade215868bbbe755c2c6b

SHA512
efca994eb0c4db6eb71f1ef5ec59f99b68c4174c77d964e227b285d2d08ae75fd02a13ee7e7d622eb8792e1d0e55bf81720ad332eeb2e7b83e9cc4e6eb05627d

Download Submit
C:\Windows\System\iLAAbUY.exe

Filesize
5.9MB

MD5
90ddfa77bbaf1922ec9914719a91c3d0

SHA1
624625e8243cf5c33410831457f11e4510415016

SHA256
8d077a63c9408f89b03c174651c17f622bbac1b2096ff3a7aa6ed58937cfb1ff

SHA512
3cf2bfad832f83b4ae49a05a2f10a67f20690240d1c86680c9ceed88caeea880c8eff05fe2ae47586e14434e7508e05b569b7c78bacef3c74add9c9b80619fad

Download Submit
C:\Windows\System\jjrLxki.exe

Filesize
5.9MB

MD5
359eb2b48d4a82edaa6080fd2be55a1a

SHA1
945071cedf9c42cc2061697f33919bdfd42bace6

SHA256
9c419008798aff7dff05bf5abda9cc0beefd504dd99357fe95aea4f166a225c7

SHA512
483664bd9b4f1c49e524cf2e4db522e199c44f9d919be09365f81b4afb04f9a8d4f29a7a0b93a4572f3e6621a15174916428a363747869a12c65beaf520447aa

Download Submit
C:\Windows\System\lRrHIRn.exe

Filesize
5.9MB

MD5
b67e8fc35e16703138b7a078a5c4f1b2

SHA1
994ef3a14f546a898bf8c0e37f38638b553e8aee

SHA256
984dafaaf8642a859d7cb7039f8ba5461cb1722fa6c7724753b7ae97fb3db896

SHA512
6561b9580e0bb26853ba8950d38804eeb11ab609c0d2d9edfb918bf32b41cc7b6abfdbe28c79af8fe501cdd4a1397f6ea119769d9b594513143624ae1a2d5d07

Download Submit
C:\Windows\System\mxtOiBP.exe

Filesize
5.9MB

MD5
8d583ec70b820b7796d69a3e4b513050

SHA1
ffe832943d97612f16617141ddfea24b496118ad

SHA256
c13815b074d5c2e5b3d1461303638e010efee25f4a2301f85ca5e8c5c5ecff7c

SHA512
6bb943ec989860c5dc7b839e3cb213976e7cd19d6c567b63f43e25b1c659c4e4a0174bfea526e657224d4f6ee248478a1069438b5ff77775499200f7b3297111

Download Submit
C:\Windows\System\npQlcsA.exe

Filesize
5.9MB

MD5
afd5eb129752c3245256180e846a53fe

SHA1
11112eb88905159c86d4bae0a692d4006f56afbc

SHA256
d365c23b6d38ed8f40f2f87f7b13306f435981e02800d67ce0065f6ae5c482a9

SHA512
51d7996ef8fe6f639736f84d20d40c33921de17ba77eee21ec47b8a6ade49aebb9c8b4c08cb4efe6f8d9794fcfd5253911de5bd6fca77879de99560c358b1d15

Download Submit
C:\Windows\System\qvzMdTP.exe

Filesize
5.9MB

MD5
ba9529611b6fd61560a5883e745e0012

SHA1
43e6dcad8760abf29d572a34f8ec40d8c1de6711

SHA256
cf7f569c981a9f1f9b3b0984ca2ec73120c70e1cfd3c234bb4bddea559a75f24

SHA512
ac4d5274de4e99b4b2cad014db17dd5bacad19e05d6c56b579b3503b74749e0eb5b9089dc5583936395e3b875732e25f3e8af2aa633b0f85943614545192fdea

Download Submit
C:\Windows\System\rCvbcth.exe

Filesize
5.9MB

MD5
e3a01e0a007c47775af3b90fb5942dda

SHA1
c4b09bd8704340087c47848cc74f3d086f2f9760

SHA256
fb1e30d2d4e418d2b1c820fa50dcc2f4780d535b92245179b5decfd1ce0da236

SHA512
fea0e9e155003f907f23f741cad57db982e72b47e569bba8de1dfe128ec45729e5598863aebb397fc0fa2bc5e93eae7a0959b06131ace651ddcc88af0df6e93f

Download Submit
C:\Windows\System\sweehhM.exe

Filesize
5.9MB

MD5
b7e0701648264658e1a0237390da56c1

SHA1
310a8bd5e1530c4ee7c886cd452b5242fb14e177

SHA256
a93dd0632211d732d4fed3e371fbca71a22e5351868fb2ab87fb3aa2971f3e1a

SHA512
5412b95b752d466b2e4b3d45eb74220fad69fbc7b6dbd55df9eb2eb4f0973f05a1afee0cdcc7917c3a0cd67f4ade25272719975a32ad19922c420fd8d126ebb1

Download Submit
C:\Windows\System\wuGGdDJ.exe

Filesize
5.9MB

MD5
4d67193612bcf7ece097514330ee0d87

SHA1
dcadf46fe573341197ee87d0ec726a53dd443340

SHA256
d7672fd4225cba400f1f1b9f64c867a3aea85f90307ffcf959ae5c36a156b527

SHA512
e09a35f4a9ec81ffb40fe4da56b51471c063d8513025d66e61e25416042a1b3f33d223b796afa510b508ea093c4cbfec1d9612ba7711272bd67215bdaded86d9

Download Submit
C:\Windows\System\yDdRgpZ.exe

Filesize
5.9MB

MD5
a3825f53ae43770348a6c5f2abe11a6c

SHA1
20fb6dd3d7be8782acaaabe37c6493185d302000

SHA256
2041bc03f65a66976ab7e735925ddcc9849131edfe3b26d4bf645ade0397dd6d

SHA512
7eb4b83be97325b0282bc65c1330362b221a560dfe6956b0c7e9adbbca4dcd3deb621f8f9e2da7659dab64d236ba1402ca7c12063ca2815b52823965e4778303

Download Submit
memory/224-124-0x00007FF74F8D0000-0x00007FF74FC24000-memory.dmp

Filesize
3.3MB

Download
memory/224-149-0x00007FF74F8D0000-0x00007FF74FC24000-memory.dmp

Filesize
3.3MB

Download
memory/372-145-0x00007FF7DC920000-0x00007FF7DCC74000-memory.dmp

Filesize
3.3MB

Download
memory/372-119-0x00007FF7DC920000-0x00007FF7DCC74000-memory.dmp

Filesize
3.3MB

Download
memory/404-148-0x00007FF6A13B0000-0x00007FF6A1704000-memory.dmp

Filesize
3.3MB

Download
memory/404-123-0x00007FF6A13B0000-0x00007FF6A1704000-memory.dmp

Filesize
3.3MB

Download
memory/772-20-0x00007FF6BC420000-0x00007FF6BC774000-memory.dmp

Filesize
3.3MB

Download
memory/772-134-0x00007FF6BC420000-0x00007FF6BC774000-memory.dmp

Filesize
3.3MB

Download
memory/964-115-0x00007FF6E31D0000-0x00007FF6E3524000-memory.dmp

Filesize
3.3MB

Download
memory/964-141-0x00007FF6E31D0000-0x00007FF6E3524000-memory.dmp

Filesize
3.3MB

Download
memory/1608-136-0x00007FF6AC9C0000-0x00007FF6ACD14000-memory.dmp

Filesize
3.3MB

Download
memory/1608-130-0x00007FF6AC9C0000-0x00007FF6ACD14000-memory.dmp

Filesize
3.3MB

Download
memory/1608-33-0x00007FF6AC9C0000-0x00007FF6ACD14000-memory.dmp

Filesize
3.3MB

Download
memory/1932-127-0x00007FF667D00000-0x00007FF668054000-memory.dmp

Filesize
3.3MB

Download
memory/1932-151-0x00007FF667D00000-0x00007FF668054000-memory.dmp

Filesize
3.3MB

Download
memory/2092-139-0x00007FF718D90000-0x00007FF7190E4000-memory.dmp

Filesize
3.3MB

Download
memory/2092-51-0x00007FF718D90000-0x00007FF7190E4000-memory.dmp

Filesize
3.3MB

Download
memory/2464-144-0x00007FF64FA30000-0x00007FF64FD84000-memory.dmp

Filesize
3.3MB

Download
memory/2464-120-0x00007FF64FA30000-0x00007FF64FD84000-memory.dmp

Filesize
3.3MB

Download
memory/2820-24-0x00007FF64FF70000-0x00007FF6502C4000-memory.dmp

Filesize
3.3MB

Download
memory/2820-135-0x00007FF64FF70000-0x00007FF6502C4000-memory.dmp

Filesize
3.3MB

Download
memory/2820-129-0x00007FF64FF70000-0x00007FF6502C4000-memory.dmp

Filesize
3.3MB

Download
memory/3452-19-0x00007FF6270D0000-0x00007FF627424000-memory.dmp

Filesize
3.3MB

Download
memory/3452-133-0x00007FF6270D0000-0x00007FF627424000-memory.dmp

Filesize
3.3MB

Download
memory/3880-46-0x00007FF739790000-0x00007FF739AE4000-memory.dmp

Filesize
3.3MB

Download
memory/3880-137-0x00007FF739790000-0x00007FF739AE4000-memory.dmp

Filesize
3.3MB

Download
memory/3988-128-0x00007FF791FB0000-0x00007FF792304000-memory.dmp

Filesize
3.3MB

Download
memory/3988-1-0x0000018210210000-0x0000018210220000-memory.dmp

Filesize
64KB

Download
memory/3988-0-0x00007FF791FB0000-0x00007FF792304000-memory.dmp

Filesize
3.3MB

Download
memory/4028-147-0x00007FF7D28E0000-0x00007FF7D2C34000-memory.dmp

Filesize
3.3MB

Download
memory/4028-122-0x00007FF7D28E0000-0x00007FF7D2C34000-memory.dmp

Filesize
3.3MB

Download
memory/4148-132-0x00007FF7A5D90000-0x00007FF7A60E4000-memory.dmp

Filesize
3.3MB

Download
memory/4148-13-0x00007FF7A5D90000-0x00007FF7A60E4000-memory.dmp

Filesize
3.3MB

Download
memory/4408-150-0x00007FF6A7590000-0x00007FF6A78E4000-memory.dmp

Filesize
3.3MB

Download
memory/4408-126-0x00007FF6A7590000-0x00007FF6A78E4000-memory.dmp

Filesize
3.3MB

Download
memory/4464-121-0x00007FF795D10000-0x00007FF796064000-memory.dmp

Filesize
3.3MB

Download
memory/4464-146-0x00007FF795D10000-0x00007FF796064000-memory.dmp

Filesize
3.3MB

Download
memory/4480-118-0x00007FF7B3420000-0x00007FF7B3774000-memory.dmp

Filesize
3.3MB

Download
memory/4480-142-0x00007FF7B3420000-0x00007FF7B3774000-memory.dmp

Filesize
3.3MB

Download
memory/4540-140-0x00007FF6265A0000-0x00007FF6268F4000-memory.dmp

Filesize
3.3MB

Download
memory/4540-116-0x00007FF6265A0000-0x00007FF6268F4000-memory.dmp

Filesize
3.3MB

Download
memory/4656-125-0x00007FF63C6A0000-0x00007FF63C9F4000-memory.dmp

Filesize
3.3MB

Download
memory/4656-152-0x00007FF63C6A0000-0x00007FF63C9F4000-memory.dmp

Filesize
3.3MB

Download
memory/4864-138-0x00007FF689F40000-0x00007FF68A294000-memory.dmp

Filesize
3.3MB

Download
memory/4864-38-0x00007FF689F40000-0x00007FF68A294000-memory.dmp

Filesize
3.3MB

Download
memory/4864-131-0x00007FF689F40000-0x00007FF68A294000-memory.dmp

Filesize
3.3MB

Download
memory/5064-143-0x00007FF799960000-0x00007FF799CB4000-memory.dmp

Filesize
3.3MB

Download
memory/5064-117-0x00007FF799960000-0x00007FF799CB4000-memory.dmp

Filesize
3.3MB

Download