cobaltstrike | 52d752e3cc30846183834db469e1a10fc0f6a4eadc2067beb56b2a1eb6bedfdb

Analysis

max time kernel
144s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
06-06-2024 01:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe
Size

5.9MB
MD5

a0ed2bc68870deef7158d26cc205fe30
SHA1

02f128b87e20442f0c9607154c85b84519543d2c
SHA256

52d752e3cc30846183834db469e1a10fc0f6a4eadc2067beb56b2a1eb6bedfdb
SHA512

2e94ee73408be4f5f7fe1ee0a2c9f94a664c95db60090b761f37741f548c64eae762f59d3caff383f925a5bf1e698182b400db9895a30bfe9fde5b8bbdccdeb8
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUv:Q+856utgpPF8u/7v

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x00080000000233bb-5.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233bf-10.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233c0-11.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233c2-27.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233c1-31.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233c3-35.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233c4-39.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233c5-47.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233c6-51.dat	cobalt_reflective_dll
behavioral2/files/0x00080000000233bc-58.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233cb-74.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233cd-86.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233cf-94.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233d1-98.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233d0-97.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233ce-90.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233cc-79.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233ca-73.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233c9-70.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233c8-66.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233c7-62.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

resource	yara_rule
behavioral2/files/0x00080000000233bb-5.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233bf-10.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233c0-11.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233c2-27.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233c1-31.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233c3-35.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233c4-39.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233c5-47.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233c6-51.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00080000000233bc-58.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233cb-74.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233cd-86.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233cf-94.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233d1-98.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233d0-97.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233ce-90.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233cc-79.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233ca-73.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233c9-70.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233c8-66.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233c7-62.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

resource	yara_rule
behavioral2/memory/2892-0-0x00007FF60F310000-0x00007FF60F664000-memory.dmp	UPX
behavioral2/files/0x00080000000233bb-5.dat	UPX
behavioral2/memory/4520-6-0x00007FF610760000-0x00007FF610AB4000-memory.dmp	UPX
behavioral2/files/0x00070000000233bf-10.dat	UPX
behavioral2/files/0x00070000000233c0-11.dat	UPX
behavioral2/files/0x00070000000233c2-27.dat	UPX
behavioral2/files/0x00070000000233c1-31.dat	UPX
behavioral2/files/0x00070000000233c3-35.dat	UPX
behavioral2/files/0x00070000000233c4-39.dat	UPX
behavioral2/files/0x00070000000233c5-47.dat	UPX
behavioral2/files/0x00070000000233c6-51.dat	UPX
behavioral2/files/0x00080000000233bc-58.dat	UPX
behavioral2/files/0x00070000000233cb-74.dat	UPX
behavioral2/files/0x00070000000233cd-86.dat	UPX
behavioral2/files/0x00070000000233cf-94.dat	UPX
behavioral2/files/0x00070000000233d1-98.dat	UPX
behavioral2/files/0x00070000000233d0-97.dat	UPX
behavioral2/files/0x00070000000233ce-90.dat	UPX
behavioral2/files/0x00070000000233cc-79.dat	UPX
behavioral2/files/0x00070000000233ca-73.dat	UPX
behavioral2/files/0x00070000000233c9-70.dat	UPX
behavioral2/files/0x00070000000233c8-66.dat	UPX
behavioral2/files/0x00070000000233c7-62.dat	UPX
behavioral2/memory/3416-44-0x00007FF7DBCF0000-0x00007FF7DC044000-memory.dmp	UPX
behavioral2/memory/4884-41-0x00007FF6CFD60000-0x00007FF6D00B4000-memory.dmp	UPX
behavioral2/memory/4068-36-0x00007FF737E80000-0x00007FF7381D4000-memory.dmp	UPX
behavioral2/memory/1392-26-0x00007FF700D30000-0x00007FF701084000-memory.dmp	UPX
behavioral2/memory/1772-23-0x00007FF709150000-0x00007FF7094A4000-memory.dmp	UPX
behavioral2/memory/2396-14-0x00007FF7A6AF0000-0x00007FF7A6E44000-memory.dmp	UPX
behavioral2/memory/3280-114-0x00007FF741670000-0x00007FF7419C4000-memory.dmp	UPX
behavioral2/memory/1804-115-0x00007FF7F70A0000-0x00007FF7F73F4000-memory.dmp	UPX
behavioral2/memory/2560-116-0x00007FF640EC0000-0x00007FF641214000-memory.dmp	UPX
behavioral2/memory/4992-117-0x00007FF7C3160000-0x00007FF7C34B4000-memory.dmp	UPX
behavioral2/memory/2796-119-0x00007FF701F90000-0x00007FF7022E4000-memory.dmp	UPX
behavioral2/memory/3348-118-0x00007FF7D2290000-0x00007FF7D25E4000-memory.dmp	UPX
behavioral2/memory/1748-122-0x00007FF7D32F0000-0x00007FF7D3644000-memory.dmp	UPX
behavioral2/memory/1456-121-0x00007FF765EB0000-0x00007FF766204000-memory.dmp	UPX
behavioral2/memory/428-123-0x00007FF648580000-0x00007FF6488D4000-memory.dmp	UPX
behavioral2/memory/1664-125-0x00007FF702270000-0x00007FF7025C4000-memory.dmp	UPX
behavioral2/memory/3424-127-0x00007FF6553F0000-0x00007FF655744000-memory.dmp	UPX
behavioral2/memory/2196-126-0x00007FF6ECC50000-0x00007FF6ECFA4000-memory.dmp	UPX
behavioral2/memory/1480-124-0x00007FF7E9CF0000-0x00007FF7EA044000-memory.dmp	UPX
behavioral2/memory/4924-120-0x00007FF6CD750000-0x00007FF6CDAA4000-memory.dmp	UPX
behavioral2/memory/2892-128-0x00007FF60F310000-0x00007FF60F664000-memory.dmp	UPX
behavioral2/memory/4520-129-0x00007FF610760000-0x00007FF610AB4000-memory.dmp	UPX
behavioral2/memory/2396-130-0x00007FF7A6AF0000-0x00007FF7A6E44000-memory.dmp	UPX
behavioral2/memory/1772-131-0x00007FF709150000-0x00007FF7094A4000-memory.dmp	UPX
behavioral2/memory/1392-132-0x00007FF700D30000-0x00007FF701084000-memory.dmp	UPX
behavioral2/memory/4068-133-0x00007FF737E80000-0x00007FF7381D4000-memory.dmp	UPX
behavioral2/memory/4884-134-0x00007FF6CFD60000-0x00007FF6D00B4000-memory.dmp	UPX
behavioral2/memory/3416-135-0x00007FF7DBCF0000-0x00007FF7DC044000-memory.dmp	UPX
behavioral2/memory/4520-136-0x00007FF610760000-0x00007FF610AB4000-memory.dmp	UPX
behavioral2/memory/2396-137-0x00007FF7A6AF0000-0x00007FF7A6E44000-memory.dmp	UPX
behavioral2/memory/1772-138-0x00007FF709150000-0x00007FF7094A4000-memory.dmp	UPX
behavioral2/memory/4068-139-0x00007FF737E80000-0x00007FF7381D4000-memory.dmp	UPX
behavioral2/memory/1392-140-0x00007FF700D30000-0x00007FF701084000-memory.dmp	UPX
behavioral2/memory/4884-141-0x00007FF6CFD60000-0x00007FF6D00B4000-memory.dmp	UPX
behavioral2/memory/2196-142-0x00007FF6ECC50000-0x00007FF6ECFA4000-memory.dmp	UPX
behavioral2/memory/3424-143-0x00007FF6553F0000-0x00007FF655744000-memory.dmp	UPX
behavioral2/memory/1748-147-0x00007FF7D32F0000-0x00007FF7D3644000-memory.dmp	UPX
behavioral2/memory/428-151-0x00007FF648580000-0x00007FF6488D4000-memory.dmp	UPX
behavioral2/memory/2796-153-0x00007FF701F90000-0x00007FF7022E4000-memory.dmp	UPX
behavioral2/memory/3348-155-0x00007FF7D2290000-0x00007FF7D25E4000-memory.dmp	UPX
behavioral2/memory/1664-154-0x00007FF702270000-0x00007FF7025C4000-memory.dmp	UPX

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/2892-0-0x00007FF60F310000-0x00007FF60F664000-memory.dmp	xmrig
behavioral2/files/0x00080000000233bb-5.dat	xmrig
behavioral2/memory/4520-6-0x00007FF610760000-0x00007FF610AB4000-memory.dmp	xmrig
behavioral2/files/0x00070000000233bf-10.dat	xmrig
behavioral2/files/0x00070000000233c0-11.dat	xmrig
behavioral2/files/0x00070000000233c2-27.dat	xmrig
behavioral2/files/0x00070000000233c1-31.dat	xmrig
behavioral2/files/0x00070000000233c3-35.dat	xmrig
behavioral2/files/0x00070000000233c4-39.dat	xmrig
behavioral2/files/0x00070000000233c5-47.dat	xmrig
behavioral2/files/0x00070000000233c6-51.dat	xmrig
behavioral2/files/0x00080000000233bc-58.dat	xmrig
behavioral2/files/0x00070000000233cb-74.dat	xmrig
behavioral2/files/0x00070000000233cd-86.dat	xmrig
behavioral2/files/0x00070000000233cf-94.dat	xmrig
behavioral2/files/0x00070000000233d1-98.dat	xmrig
behavioral2/files/0x00070000000233d0-97.dat	xmrig
behavioral2/files/0x00070000000233ce-90.dat	xmrig
behavioral2/files/0x00070000000233cc-79.dat	xmrig
behavioral2/files/0x00070000000233ca-73.dat	xmrig
behavioral2/files/0x00070000000233c9-70.dat	xmrig
behavioral2/files/0x00070000000233c8-66.dat	xmrig
behavioral2/files/0x00070000000233c7-62.dat	xmrig
behavioral2/memory/3416-44-0x00007FF7DBCF0000-0x00007FF7DC044000-memory.dmp	xmrig
behavioral2/memory/4884-41-0x00007FF6CFD60000-0x00007FF6D00B4000-memory.dmp	xmrig
behavioral2/memory/4068-36-0x00007FF737E80000-0x00007FF7381D4000-memory.dmp	xmrig
behavioral2/memory/1392-26-0x00007FF700D30000-0x00007FF701084000-memory.dmp	xmrig
behavioral2/memory/1772-23-0x00007FF709150000-0x00007FF7094A4000-memory.dmp	xmrig
behavioral2/memory/2396-14-0x00007FF7A6AF0000-0x00007FF7A6E44000-memory.dmp	xmrig
behavioral2/memory/3280-114-0x00007FF741670000-0x00007FF7419C4000-memory.dmp	xmrig
behavioral2/memory/1804-115-0x00007FF7F70A0000-0x00007FF7F73F4000-memory.dmp	xmrig
behavioral2/memory/2560-116-0x00007FF640EC0000-0x00007FF641214000-memory.dmp	xmrig
behavioral2/memory/4992-117-0x00007FF7C3160000-0x00007FF7C34B4000-memory.dmp	xmrig
behavioral2/memory/2796-119-0x00007FF701F90000-0x00007FF7022E4000-memory.dmp	xmrig
behavioral2/memory/3348-118-0x00007FF7D2290000-0x00007FF7D25E4000-memory.dmp	xmrig
behavioral2/memory/1748-122-0x00007FF7D32F0000-0x00007FF7D3644000-memory.dmp	xmrig
behavioral2/memory/1456-121-0x00007FF765EB0000-0x00007FF766204000-memory.dmp	xmrig
behavioral2/memory/428-123-0x00007FF648580000-0x00007FF6488D4000-memory.dmp	xmrig
behavioral2/memory/1664-125-0x00007FF702270000-0x00007FF7025C4000-memory.dmp	xmrig
behavioral2/memory/3424-127-0x00007FF6553F0000-0x00007FF655744000-memory.dmp	xmrig
behavioral2/memory/2196-126-0x00007FF6ECC50000-0x00007FF6ECFA4000-memory.dmp	xmrig
behavioral2/memory/1480-124-0x00007FF7E9CF0000-0x00007FF7EA044000-memory.dmp	xmrig
behavioral2/memory/4924-120-0x00007FF6CD750000-0x00007FF6CDAA4000-memory.dmp	xmrig
behavioral2/memory/2892-128-0x00007FF60F310000-0x00007FF60F664000-memory.dmp	xmrig
behavioral2/memory/4520-129-0x00007FF610760000-0x00007FF610AB4000-memory.dmp	xmrig
behavioral2/memory/2396-130-0x00007FF7A6AF0000-0x00007FF7A6E44000-memory.dmp	xmrig
behavioral2/memory/1772-131-0x00007FF709150000-0x00007FF7094A4000-memory.dmp	xmrig
behavioral2/memory/1392-132-0x00007FF700D30000-0x00007FF701084000-memory.dmp	xmrig
behavioral2/memory/4068-133-0x00007FF737E80000-0x00007FF7381D4000-memory.dmp	xmrig
behavioral2/memory/4884-134-0x00007FF6CFD60000-0x00007FF6D00B4000-memory.dmp	xmrig
behavioral2/memory/3416-135-0x00007FF7DBCF0000-0x00007FF7DC044000-memory.dmp	xmrig
behavioral2/memory/4520-136-0x00007FF610760000-0x00007FF610AB4000-memory.dmp	xmrig
behavioral2/memory/2396-137-0x00007FF7A6AF0000-0x00007FF7A6E44000-memory.dmp	xmrig
behavioral2/memory/1772-138-0x00007FF709150000-0x00007FF7094A4000-memory.dmp	xmrig
behavioral2/memory/4068-139-0x00007FF737E80000-0x00007FF7381D4000-memory.dmp	xmrig
behavioral2/memory/1392-140-0x00007FF700D30000-0x00007FF701084000-memory.dmp	xmrig
behavioral2/memory/4884-141-0x00007FF6CFD60000-0x00007FF6D00B4000-memory.dmp	xmrig
behavioral2/memory/2196-142-0x00007FF6ECC50000-0x00007FF6ECFA4000-memory.dmp	xmrig
behavioral2/memory/3424-143-0x00007FF6553F0000-0x00007FF655744000-memory.dmp	xmrig
behavioral2/memory/1748-147-0x00007FF7D32F0000-0x00007FF7D3644000-memory.dmp	xmrig
behavioral2/memory/428-151-0x00007FF648580000-0x00007FF6488D4000-memory.dmp	xmrig
behavioral2/memory/2796-153-0x00007FF701F90000-0x00007FF7022E4000-memory.dmp	xmrig
behavioral2/memory/3348-155-0x00007FF7D2290000-0x00007FF7D25E4000-memory.dmp	xmrig
behavioral2/memory/1664-154-0x00007FF702270000-0x00007FF7025C4000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
4520	pgbRewj.exe
2396	KaAMRaQ.exe
1772	omvStZN.exe
1392	GIZYKSK.exe
4068	aFrRzFd.exe
4884	UITzghP.exe
3416	JIdESTf.exe
3280	LWbnbtM.exe
1804	nupVneN.exe
2560	vRFTJeU.exe
4992	pkYfCKW.exe
3348	VTSRyvR.exe
2796	gLJmSLT.exe
4924	oCWrCbv.exe
1456	dWGlZjU.exe
1748	TTkZCbj.exe
428	ruNXrNi.exe
1480	BXMjfLH.exe
1664	CwACKZE.exe
2196	GSWBWFF.exe
3424	NgEOFZt.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2892-0-0x00007FF60F310000-0x00007FF60F664000-memory.dmp	upx
behavioral2/files/0x00080000000233bb-5.dat	upx
behavioral2/memory/4520-6-0x00007FF610760000-0x00007FF610AB4000-memory.dmp	upx
behavioral2/files/0x00070000000233bf-10.dat	upx
behavioral2/files/0x00070000000233c0-11.dat	upx
behavioral2/files/0x00070000000233c2-27.dat	upx
behavioral2/files/0x00070000000233c1-31.dat	upx
behavioral2/files/0x00070000000233c3-35.dat	upx
behavioral2/files/0x00070000000233c4-39.dat	upx
behavioral2/files/0x00070000000233c5-47.dat	upx
behavioral2/files/0x00070000000233c6-51.dat	upx
behavioral2/files/0x00080000000233bc-58.dat	upx
behavioral2/files/0x00070000000233cb-74.dat	upx
behavioral2/files/0x00070000000233cd-86.dat	upx
behavioral2/files/0x00070000000233cf-94.dat	upx
behavioral2/files/0x00070000000233d1-98.dat	upx
behavioral2/files/0x00070000000233d0-97.dat	upx
behavioral2/files/0x00070000000233ce-90.dat	upx
behavioral2/files/0x00070000000233cc-79.dat	upx
behavioral2/files/0x00070000000233ca-73.dat	upx
behavioral2/files/0x00070000000233c9-70.dat	upx
behavioral2/files/0x00070000000233c8-66.dat	upx
behavioral2/files/0x00070000000233c7-62.dat	upx
behavioral2/memory/3416-44-0x00007FF7DBCF0000-0x00007FF7DC044000-memory.dmp	upx
behavioral2/memory/4884-41-0x00007FF6CFD60000-0x00007FF6D00B4000-memory.dmp	upx
behavioral2/memory/4068-36-0x00007FF737E80000-0x00007FF7381D4000-memory.dmp	upx
behavioral2/memory/1392-26-0x00007FF700D30000-0x00007FF701084000-memory.dmp	upx
behavioral2/memory/1772-23-0x00007FF709150000-0x00007FF7094A4000-memory.dmp	upx
behavioral2/memory/2396-14-0x00007FF7A6AF0000-0x00007FF7A6E44000-memory.dmp	upx
behavioral2/memory/3280-114-0x00007FF741670000-0x00007FF7419C4000-memory.dmp	upx
behavioral2/memory/1804-115-0x00007FF7F70A0000-0x00007FF7F73F4000-memory.dmp	upx
behavioral2/memory/2560-116-0x00007FF640EC0000-0x00007FF641214000-memory.dmp	upx
behavioral2/memory/4992-117-0x00007FF7C3160000-0x00007FF7C34B4000-memory.dmp	upx
behavioral2/memory/2796-119-0x00007FF701F90000-0x00007FF7022E4000-memory.dmp	upx
behavioral2/memory/3348-118-0x00007FF7D2290000-0x00007FF7D25E4000-memory.dmp	upx
behavioral2/memory/1748-122-0x00007FF7D32F0000-0x00007FF7D3644000-memory.dmp	upx
behavioral2/memory/1456-121-0x00007FF765EB0000-0x00007FF766204000-memory.dmp	upx
behavioral2/memory/428-123-0x00007FF648580000-0x00007FF6488D4000-memory.dmp	upx
behavioral2/memory/1664-125-0x00007FF702270000-0x00007FF7025C4000-memory.dmp	upx
behavioral2/memory/3424-127-0x00007FF6553F0000-0x00007FF655744000-memory.dmp	upx
behavioral2/memory/2196-126-0x00007FF6ECC50000-0x00007FF6ECFA4000-memory.dmp	upx
behavioral2/memory/1480-124-0x00007FF7E9CF0000-0x00007FF7EA044000-memory.dmp	upx
behavioral2/memory/4924-120-0x00007FF6CD750000-0x00007FF6CDAA4000-memory.dmp	upx
behavioral2/memory/2892-128-0x00007FF60F310000-0x00007FF60F664000-memory.dmp	upx
behavioral2/memory/4520-129-0x00007FF610760000-0x00007FF610AB4000-memory.dmp	upx
behavioral2/memory/2396-130-0x00007FF7A6AF0000-0x00007FF7A6E44000-memory.dmp	upx
behavioral2/memory/1772-131-0x00007FF709150000-0x00007FF7094A4000-memory.dmp	upx
behavioral2/memory/1392-132-0x00007FF700D30000-0x00007FF701084000-memory.dmp	upx
behavioral2/memory/4068-133-0x00007FF737E80000-0x00007FF7381D4000-memory.dmp	upx
behavioral2/memory/4884-134-0x00007FF6CFD60000-0x00007FF6D00B4000-memory.dmp	upx
behavioral2/memory/3416-135-0x00007FF7DBCF0000-0x00007FF7DC044000-memory.dmp	upx
behavioral2/memory/4520-136-0x00007FF610760000-0x00007FF610AB4000-memory.dmp	upx
behavioral2/memory/2396-137-0x00007FF7A6AF0000-0x00007FF7A6E44000-memory.dmp	upx
behavioral2/memory/1772-138-0x00007FF709150000-0x00007FF7094A4000-memory.dmp	upx
behavioral2/memory/4068-139-0x00007FF737E80000-0x00007FF7381D4000-memory.dmp	upx
behavioral2/memory/1392-140-0x00007FF700D30000-0x00007FF701084000-memory.dmp	upx
behavioral2/memory/4884-141-0x00007FF6CFD60000-0x00007FF6D00B4000-memory.dmp	upx
behavioral2/memory/2196-142-0x00007FF6ECC50000-0x00007FF6ECFA4000-memory.dmp	upx
behavioral2/memory/3424-143-0x00007FF6553F0000-0x00007FF655744000-memory.dmp	upx
behavioral2/memory/1748-147-0x00007FF7D32F0000-0x00007FF7D3644000-memory.dmp	upx
behavioral2/memory/428-151-0x00007FF648580000-0x00007FF6488D4000-memory.dmp	upx
behavioral2/memory/2796-153-0x00007FF701F90000-0x00007FF7022E4000-memory.dmp	upx
behavioral2/memory/3348-155-0x00007FF7D2290000-0x00007FF7D25E4000-memory.dmp	upx
behavioral2/memory/1664-154-0x00007FF702270000-0x00007FF7025C4000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\KaAMRaQ.exe	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\omvStZN.exe	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\UITzghP.exe	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\dWGlZjU.exe	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\TTkZCbj.exe	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\GIZYKSK.exe	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\aFrRzFd.exe	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\nupVneN.exe	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\VTSRyvR.exe	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\oCWrCbv.exe	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\CwACKZE.exe	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\NgEOFZt.exe	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\gLJmSLT.exe	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ruNXrNi.exe	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\BXMjfLH.exe	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\pgbRewj.exe	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\JIdESTf.exe	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\LWbnbtM.exe	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\vRFTJeU.exe	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\pkYfCKW.exe	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\GSWBWFF.exe	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2892	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	2892	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2892 wrote to memory of 4520	2892	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe	83
PID 2892 wrote to memory of 4520	2892	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe	83
PID 2892 wrote to memory of 2396	2892	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe	84
PID 2892 wrote to memory of 2396	2892	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe	84
PID 2892 wrote to memory of 1772	2892	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe	85
PID 2892 wrote to memory of 1772	2892	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe	85
PID 2892 wrote to memory of 1392	2892	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe	86
PID 2892 wrote to memory of 1392	2892	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe	86
PID 2892 wrote to memory of 4068	2892	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe	87
PID 2892 wrote to memory of 4068	2892	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe	87
PID 2892 wrote to memory of 4884	2892	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe	88
PID 2892 wrote to memory of 4884	2892	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe	88
PID 2892 wrote to memory of 3416	2892	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe	89
PID 2892 wrote to memory of 3416	2892	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe	89
PID 2892 wrote to memory of 3280	2892	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe	90
PID 2892 wrote to memory of 3280	2892	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe	90
PID 2892 wrote to memory of 1804	2892	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe	91
PID 2892 wrote to memory of 1804	2892	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe	91
PID 2892 wrote to memory of 2560	2892	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe	92
PID 2892 wrote to memory of 2560	2892	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe	92
PID 2892 wrote to memory of 4992	2892	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe	93
PID 2892 wrote to memory of 4992	2892	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe	93
PID 2892 wrote to memory of 3348	2892	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe	94
PID 2892 wrote to memory of 3348	2892	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe	94
PID 2892 wrote to memory of 2796	2892	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe	95
PID 2892 wrote to memory of 2796	2892	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe	95
PID 2892 wrote to memory of 4924	2892	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe	96
PID 2892 wrote to memory of 4924	2892	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe	96
PID 2892 wrote to memory of 1456	2892	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe	97
PID 2892 wrote to memory of 1456	2892	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe	97
PID 2892 wrote to memory of 1748	2892	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe	98
PID 2892 wrote to memory of 1748	2892	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe	98
PID 2892 wrote to memory of 428	2892	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe	99
PID 2892 wrote to memory of 428	2892	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe	99
PID 2892 wrote to memory of 1480	2892	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe	100
PID 2892 wrote to memory of 1480	2892	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe	100
PID 2892 wrote to memory of 1664	2892	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe	101
PID 2892 wrote to memory of 1664	2892	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe	101
PID 2892 wrote to memory of 2196	2892	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe	102
PID 2892 wrote to memory of 2196	2892	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe	102
PID 2892 wrote to memory of 3424	2892	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe	103
PID 2892 wrote to memory of 3424	2892	2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe	103

C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-06_a0ed2bc68870deef7158d26cc205fe30_cobalt-strike_cobaltstrike.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2892
- C:\Windows\System\pgbRewj.exe
  C:\Windows\System\pgbRewj.exe
  2⤵
  - Executes dropped EXE
  PID:4520
- C:\Windows\System\KaAMRaQ.exe
  C:\Windows\System\KaAMRaQ.exe
  2⤵
  - Executes dropped EXE
  PID:2396
- C:\Windows\System\omvStZN.exe
  C:\Windows\System\omvStZN.exe
  2⤵
  - Executes dropped EXE
  PID:1772
- C:\Windows\System\GIZYKSK.exe
  C:\Windows\System\GIZYKSK.exe
  2⤵
  - Executes dropped EXE
  PID:1392
- C:\Windows\System\aFrRzFd.exe
  C:\Windows\System\aFrRzFd.exe
  2⤵
  - Executes dropped EXE
  PID:4068
- C:\Windows\System\UITzghP.exe
  C:\Windows\System\UITzghP.exe
  2⤵
  - Executes dropped EXE
  PID:4884
- C:\Windows\System\JIdESTf.exe
  C:\Windows\System\JIdESTf.exe
  2⤵
  - Executes dropped EXE
  PID:3416
- C:\Windows\System\LWbnbtM.exe
  C:\Windows\System\LWbnbtM.exe
  2⤵
  - Executes dropped EXE
  PID:3280
- C:\Windows\System\nupVneN.exe
  C:\Windows\System\nupVneN.exe
  2⤵
  - Executes dropped EXE
  PID:1804
- C:\Windows\System\vRFTJeU.exe
  C:\Windows\System\vRFTJeU.exe
  2⤵
  - Executes dropped EXE
  PID:2560
- C:\Windows\System\pkYfCKW.exe
  C:\Windows\System\pkYfCKW.exe
  2⤵
  - Executes dropped EXE
  PID:4992
- C:\Windows\System\VTSRyvR.exe
  C:\Windows\System\VTSRyvR.exe
  2⤵
  - Executes dropped EXE
  PID:3348
- C:\Windows\System\gLJmSLT.exe
  C:\Windows\System\gLJmSLT.exe
  2⤵
  - Executes dropped EXE
  PID:2796
- C:\Windows\System\oCWrCbv.exe
  C:\Windows\System\oCWrCbv.exe
  2⤵
  - Executes dropped EXE
  PID:4924
- C:\Windows\System\dWGlZjU.exe
  C:\Windows\System\dWGlZjU.exe
  2⤵
  - Executes dropped EXE
  PID:1456
- C:\Windows\System\TTkZCbj.exe
  C:\Windows\System\TTkZCbj.exe
  2⤵
  - Executes dropped EXE
  PID:1748
- C:\Windows\System\ruNXrNi.exe
  C:\Windows\System\ruNXrNi.exe
  2⤵
  - Executes dropped EXE
  PID:428
- C:\Windows\System\BXMjfLH.exe
  C:\Windows\System\BXMjfLH.exe
  2⤵
  - Executes dropped EXE
  PID:1480
- C:\Windows\System\CwACKZE.exe
  C:\Windows\System\CwACKZE.exe
  2⤵
  - Executes dropped EXE
  PID:1664
- C:\Windows\System\GSWBWFF.exe
  C:\Windows\System\GSWBWFF.exe
  2⤵
  - Executes dropped EXE
  PID:2196
- C:\Windows\System\NgEOFZt.exe
  C:\Windows\System\NgEOFZt.exe
  2⤵
  - Executes dropped EXE
  PID:3424

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\BXMjfLH.exe

Filesize
5.9MB

MD5
4c9f98dddd9f69e1c0cdf010d4bd26bf

SHA1
a512f9543ba9eb1dfdc0e3e127c8bac308d7e31a

SHA256
dff48db83104391430c1d17cc59f9bf4086c294921476655dca9f71bb3c0cec1

SHA512
5c16d1dc446b5e24ec4931b5963260321b836d5b662082b051352835e82f4bf4ddad7cfddd6aa436fe9447fa68cbefd47c200636e1dd5dd434c4759a54cf5764

Download Submit
C:\Windows\System\CwACKZE.exe

Filesize
5.9MB

MD5
f680f5b09d6458fadc7449473178cac4

SHA1
8b2df0cbd907742dd870954f4eba01e51331e8c2

SHA256
944a77a5518d87f577f3fa86390c2dde515018bf39d8ea7bee502c5dc74b8938

SHA512
6293976f764f1069105659bc5b1091d06d430e2fb52ffc6d1a4148a471b1e33bd5b07dd83d2167055e411a2e3c2331629508cf19e8760a5592fd2c8432649b0a

Download Submit
C:\Windows\System\GIZYKSK.exe

Filesize
5.9MB

MD5
bcebfd4712f9ba6458874cc928193142

SHA1
43642a4c663364619e73a51dd4ef79028ae0636b

SHA256
5937d00ed590ff19d77ef318b8eec8a3672ec9b66bc53a80eee0a751848c1685

SHA512
e6deaf11a319ab73a0950372e34766157b79f736583c4237000a59e0054cc01613dbb1f280d4e17e3bf22dbb77b08408775064909d3a1dacaf4b103dcae36d86

Download Submit
C:\Windows\System\GSWBWFF.exe

Filesize
5.9MB

MD5
f51061b41003f647e8e484aa1fcc9555

SHA1
8fbecbcfdfe5699449c3cd29105bab53f73a3a80

SHA256
eb2d223d0fc6e0e4b500f4e91fc448f8517e90c9b0b48b98ecfb539555b39345

SHA512
a6b00ac5a7dbad42e82c12ccb626bc544c02c5323eff7af3c51160e638e68ee90e398f5db646978516c2161626cdd202befbf4aab86d217e51fac5b9644ddb73

Download Submit
C:\Windows\System\JIdESTf.exe

Filesize
5.9MB

MD5
0ae8dbf3e440d04fcacd58f35ec37982

SHA1
76a55e3502ed520b0159cc19dd1dc33e530da799

SHA256
0d96a99b5a12a086f5e6eb104a657e436da5fe10dd59458ab581fd40b9489882

SHA512
e110d33d9cc2e110de2a0a6f31095420974938fafe5b8268b1621b6fb096614212a640a2fdfdf052ecf07ddc5ff7988192c342455fde26d936b816181daf6257

Download Submit
C:\Windows\System\KaAMRaQ.exe

Filesize
5.9MB

MD5
d16cd596a6c049440331b1fb1b2b45a7

SHA1
74ec5ce594e255d758b413eb3c629463a061a609

SHA256
4a981620433b7f3387507e18a5ce08b64c3c728a729ddf7923b299854f762f62

SHA512
608cd7001175142aeccfea0d72ecba25d68e90c1d84fc297f9f88b8382e752e7630a3c49130b018b8b1e743bf5e79be160b7604de0e1a090e502968396f27cf4

Download Submit
C:\Windows\System\LWbnbtM.exe

Filesize
5.9MB

MD5
9127e6633ab3781e56440d9e75c5baa9

SHA1
ee72d1b17cc05d4e8103cd2be76226e56ec4a43f

SHA256
10e8f6537656ed6aeb154aebd34e4e71094f7b96eb272f2c9f6b905ab411f09b

SHA512
13a5993cfcdb20d2a4c0dd459052fd24c509fad4100dc6e8c681fb35642469fb988f62ea342420015cbc3898adaf10e3b1b86cec7c11e35ba5b9a89d20657563

Download Submit
C:\Windows\System\NgEOFZt.exe

Filesize
5.9MB

MD5
36335486c95259d01391718044a25354

SHA1
d8e4a0634867fcb5c66f9bfbda07b5d705439454

SHA256
e546e57ab69cfbb5c57b92b09ca843954a8a6045fe7899d6a2419cc1eac0f804

SHA512
5f5f0c8f5404b4821e2f4e824401e1ea257decb3467028fdd769e6ad6acc04683b4950e76d0f6c5a0cbde52033e5158f581d25a35cd4346926280b09eda7eea7

Download Submit
C:\Windows\System\TTkZCbj.exe

Filesize
5.9MB

MD5
f1af491d6d659db5c0b127bcdea219e8

SHA1
595a9c217d924cdcbdd91f92f69340457441b3bf

SHA256
b5fde568d4899673911643bdcd394a22e1391de4c56f3a3c0ca12945fd58cec6

SHA512
4a3699a1c462770dfe69cd47b937d1955754bbf1f0037fdb24d4c7a7d59b8b8194383acb91ee1e8970439cb10177327485fde6e8a3265147a27e13e7746dec29

Download Submit
C:\Windows\System\UITzghP.exe

Filesize
5.9MB

MD5
1b2cb3f50760647e476e510b884e7c47

SHA1
02672b500e107bc4633d090f02a5903d600d65ed

SHA256
5eba75917aa95f5f6dfa75ed70c04651214514e09b6ef3d8cd7622db55a7d734

SHA512
54802feddc10e1f8f8dd83be2f1eca9c32f34a19a175565a6a60f7595101359305972a322294d21ae1ff3cb548c558d779681ad98ff04b359e3c5ef8911a5e4a

Download Submit
C:\Windows\System\VTSRyvR.exe

Filesize
5.9MB

MD5
8de406e84268330362985aad0c2a895f

SHA1
18a327b51222269cde35eee0666098592c3e2e9b

SHA256
1a723eb3483d7f0d79341a51fe8894b70e3a19bcc669600d0c3487731c9bafb9

SHA512
77c14dbb878263fd3232ce7e2dac6da571284f5a94e6b036e36cd166e7e35890263049b9f904e023a57a6381dd539c6938ac286e47d3114bf1acb46adad10acc

Download Submit
C:\Windows\System\aFrRzFd.exe

Filesize
5.9MB

MD5
6fae2a968268f1240b1ba5c6c8f99ec5

SHA1
0f55a7fa8031c670b8352c34e8304e68d5860da2

SHA256
a984314657427212d1e098196778bad04a7291ac743eec5622fbad3faf871f66

SHA512
bbe9d477ac831c81a672d8a9f004a0568039ff26b4b5bdf379a38b92e46e334ce5ba3a729c9cbde583a635d7d775e217069fdcebaabb33b8cceaba77784e7e3e

Download Submit
C:\Windows\System\dWGlZjU.exe

Filesize
5.9MB

MD5
fea4f25f29002e6b9a135aef5a305ae4

SHA1
8835b4221dd81ff439a1f4e251ddc7b2b9bcd511

SHA256
0c40515f8a5a2c7a6bafe67917385bdda31fdefa3ed2d83272a4e728875e135c

SHA512
a7a9a51d20e00d1483146d5fda0e687268e0e1b867ec77c3b9aab5cf4f636758ac842249404d71443ea57c87e1db1753b5755b041b0419a1e7470628396f53ac

Download Submit
C:\Windows\System\gLJmSLT.exe

Filesize
5.9MB

MD5
0916fbf340971cfbb7f0340be9087f11

SHA1
827b916bb54d8c092678a4a0784f720b5a59ff17

SHA256
4d223e725fd3bf96a8a8c87825f80b9b10af495606784015e191e50824f9571f

SHA512
11364c134e5f1bdda1f329863b2afeed66f9f4af820afefcc2e889d01c6129bc203d8fc16ba5a825bd466ba68583c4b9afae0c5e60a74ffddf306ebe7932df94

Download Submit
C:\Windows\System\nupVneN.exe

Filesize
5.9MB

MD5
e895c3481f229c74d870fc114797431b

SHA1
af3f8b82d4232556966f7bda71604c4dd33b4d4d

SHA256
8a3b3431dbfcd331dd6818deb73a687a0bc275a972ab8a83beb6f15a6e7cc848

SHA512
9176ded728f04fa57dd0f90a324df9d47981180cb27fe4a8905e46fea671abcead10f92c55681154fd6c08023687763e834398f66d357f871defc2bab1012795

Download Submit
C:\Windows\System\oCWrCbv.exe

Filesize
5.9MB

MD5
b64ecb320122af34c25721979bec2e0f

SHA1
2ef9b6976ece4d540872549dd18c461e373c7c5b

SHA256
3854be1118da46aba39eb809ea610f3d99c9724df6cc864e309b0441a2cbd988

SHA512
17cf93861a5d23b5a0a9408866c83e70e5f819880bd82ac474a1638f0c45e35543a9bdd3c1344107e3f556fd88035aa90e2eb780c2de207e1060990a81b12a88

Download Submit
C:\Windows\System\omvStZN.exe

Filesize
5.9MB

MD5
a52ee34af7bdebba91f9683988c68644

SHA1
5380d041fe343c618059f301a6738c79fa807148

SHA256
9f894986c9d78b6d9da741cbd0343ef17eeb88e1ec5683cc59f297067d2074cc

SHA512
643bb2379d8427e1e329f4e4619e65020fa32bc7a54a8dc46b1a463cef4c8676e3fd397e37c3bd834dfb4ad63ec26c49310b54dbc0187bef8450e947535ca88d

Download Submit
C:\Windows\System\pgbRewj.exe

Filesize
5.9MB

MD5
1de7295af4020ebc37dd2e441e201970

SHA1
b2b3c1e1b459109e40bf2a8a1834ecbea7cd540f

SHA256
f2d5a40c16136e976ed31a18d65d7e85b197ffddd4e715e56dbe2d2f054ca8d6

SHA512
8ed461e51a5fbb9c7d2d9d8bf7980dc4d20a5fcf2d643b1f27b8f678409efe5b58179965a47d0d9ad52dd897b303f4c9aa271b4e06915e2017ae690ac06b0a6d

Download Submit
C:\Windows\System\pkYfCKW.exe

Filesize
5.9MB

MD5
897fb50bad256d504e98fd3c17a5a1b4

SHA1
6ee28418bc65b5e618360a38002d55d23bd1ae85

SHA256
8b3bc8c500ac3712625dce88127e268c67ef8a9628e0a3d59da1772e895f71e8

SHA512
33dea0fee515196c4cacc9941084c87fd012976097d037c8dc6d166998ac642eaeb067e727139e3515aca382e6a55d01d4272f2fb9854937a3aa7b6ffd2bf15f

Download Submit
C:\Windows\System\ruNXrNi.exe

Filesize
5.9MB

MD5
84d6d827fb61edd26c57b79cd1efe5c3

SHA1
6e9f02c768c0b073a73fe777c4d69b884cacaa4d

SHA256
97fff8fc539ee15e512049a33571ca7da9cc9d23e2dc43337d229172ee09a058

SHA512
b229fbc701ed21c1525135c5007d3423f0505cd1b6d8450fc12f247aa1bf9739bad8c0975cb1857b9e466f607cd65a1e5bd616908d44850761fea890edde7cac

Download Submit
C:\Windows\System\vRFTJeU.exe

Filesize
5.9MB

MD5
7785ea729042b37b8e8dd13a05d99e13

SHA1
0336ee84d0e1c06e2afa5144d9a06f1cd3c30889

SHA256
c7128e9d58e906211257ba4c2a3f19c38c46ec0e1823160ea063a9451de4061e

SHA512
2ca1fa3084a35343a03e9cecdad1d76b0d4a3c9cddd7d5625efc677ad4745ee719bcba884f4f3133a226942616c22f9679e1d8898565c5b8dc6e5e4f087f552e

Download Submit
memory/428-123-0x00007FF648580000-0x00007FF6488D4000-memory.dmp

Filesize
3.3MB

Download
memory/428-151-0x00007FF648580000-0x00007FF6488D4000-memory.dmp

Filesize
3.3MB

Download
memory/1392-140-0x00007FF700D30000-0x00007FF701084000-memory.dmp

Filesize
3.3MB

Download
memory/1392-132-0x00007FF700D30000-0x00007FF701084000-memory.dmp

Filesize
3.3MB

Download
memory/1392-26-0x00007FF700D30000-0x00007FF701084000-memory.dmp

Filesize
3.3MB

Download
memory/1456-121-0x00007FF765EB0000-0x00007FF766204000-memory.dmp

Filesize
3.3MB

Download
memory/1456-146-0x00007FF765EB0000-0x00007FF766204000-memory.dmp

Filesize
3.3MB

Download
memory/1480-124-0x00007FF7E9CF0000-0x00007FF7EA044000-memory.dmp

Filesize
3.3MB

Download
memory/1480-149-0x00007FF7E9CF0000-0x00007FF7EA044000-memory.dmp

Filesize
3.3MB

Download
memory/1664-154-0x00007FF702270000-0x00007FF7025C4000-memory.dmp

Filesize
3.3MB

Download
memory/1664-125-0x00007FF702270000-0x00007FF7025C4000-memory.dmp

Filesize
3.3MB

Download
memory/1748-122-0x00007FF7D32F0000-0x00007FF7D3644000-memory.dmp

Filesize
3.3MB

Download
memory/1748-147-0x00007FF7D32F0000-0x00007FF7D3644000-memory.dmp

Filesize
3.3MB

Download
memory/1772-131-0x00007FF709150000-0x00007FF7094A4000-memory.dmp

Filesize
3.3MB

Download
memory/1772-138-0x00007FF709150000-0x00007FF7094A4000-memory.dmp

Filesize
3.3MB

Download
memory/1772-23-0x00007FF709150000-0x00007FF7094A4000-memory.dmp

Filesize
3.3MB

Download
memory/1804-115-0x00007FF7F70A0000-0x00007FF7F73F4000-memory.dmp

Filesize
3.3MB

Download
memory/1804-145-0x00007FF7F70A0000-0x00007FF7F73F4000-memory.dmp

Filesize
3.3MB

Download
memory/2196-142-0x00007FF6ECC50000-0x00007FF6ECFA4000-memory.dmp

Filesize
3.3MB

Download
memory/2196-126-0x00007FF6ECC50000-0x00007FF6ECFA4000-memory.dmp

Filesize
3.3MB

Download
memory/2396-130-0x00007FF7A6AF0000-0x00007FF7A6E44000-memory.dmp

Filesize
3.3MB

Download
memory/2396-14-0x00007FF7A6AF0000-0x00007FF7A6E44000-memory.dmp

Filesize
3.3MB

Download
memory/2396-137-0x00007FF7A6AF0000-0x00007FF7A6E44000-memory.dmp

Filesize
3.3MB

Download
memory/2560-116-0x00007FF640EC0000-0x00007FF641214000-memory.dmp

Filesize
3.3MB

Download
memory/2560-152-0x00007FF640EC0000-0x00007FF641214000-memory.dmp

Filesize
3.3MB

Download
memory/2796-153-0x00007FF701F90000-0x00007FF7022E4000-memory.dmp

Filesize
3.3MB

Download
memory/2796-119-0x00007FF701F90000-0x00007FF7022E4000-memory.dmp

Filesize
3.3MB

Download
memory/2892-128-0x00007FF60F310000-0x00007FF60F664000-memory.dmp

Filesize
3.3MB

Download
memory/2892-1-0x000002D353410000-0x000002D353420000-memory.dmp

Filesize
64KB

Download
memory/2892-0-0x00007FF60F310000-0x00007FF60F664000-memory.dmp

Filesize
3.3MB

Download
memory/3280-156-0x00007FF741670000-0x00007FF7419C4000-memory.dmp

Filesize
3.3MB

Download
memory/3280-114-0x00007FF741670000-0x00007FF7419C4000-memory.dmp

Filesize
3.3MB

Download
memory/3348-155-0x00007FF7D2290000-0x00007FF7D25E4000-memory.dmp

Filesize
3.3MB

Download
memory/3348-118-0x00007FF7D2290000-0x00007FF7D25E4000-memory.dmp

Filesize
3.3MB

Download
memory/3416-150-0x00007FF7DBCF0000-0x00007FF7DC044000-memory.dmp

Filesize
3.3MB

Download
memory/3416-44-0x00007FF7DBCF0000-0x00007FF7DC044000-memory.dmp

Filesize
3.3MB

Download
memory/3416-135-0x00007FF7DBCF0000-0x00007FF7DC044000-memory.dmp

Filesize
3.3MB

Download
memory/3424-143-0x00007FF6553F0000-0x00007FF655744000-memory.dmp

Filesize
3.3MB

Download
memory/3424-127-0x00007FF6553F0000-0x00007FF655744000-memory.dmp

Filesize
3.3MB

Download
memory/4068-133-0x00007FF737E80000-0x00007FF7381D4000-memory.dmp

Filesize
3.3MB

Download
memory/4068-139-0x00007FF737E80000-0x00007FF7381D4000-memory.dmp

Filesize
3.3MB

Download
memory/4068-36-0x00007FF737E80000-0x00007FF7381D4000-memory.dmp

Filesize
3.3MB

Download
memory/4520-136-0x00007FF610760000-0x00007FF610AB4000-memory.dmp

Filesize
3.3MB

Download
memory/4520-129-0x00007FF610760000-0x00007FF610AB4000-memory.dmp

Filesize
3.3MB

Download
memory/4520-6-0x00007FF610760000-0x00007FF610AB4000-memory.dmp

Filesize
3.3MB

Download
memory/4884-141-0x00007FF6CFD60000-0x00007FF6D00B4000-memory.dmp

Filesize
3.3MB

Download
memory/4884-41-0x00007FF6CFD60000-0x00007FF6D00B4000-memory.dmp

Filesize
3.3MB

Download
memory/4884-134-0x00007FF6CFD60000-0x00007FF6D00B4000-memory.dmp

Filesize
3.3MB

Download
memory/4924-120-0x00007FF6CD750000-0x00007FF6CDAA4000-memory.dmp

Filesize
3.3MB

Download
memory/4924-144-0x00007FF6CD750000-0x00007FF6CDAA4000-memory.dmp

Filesize
3.3MB

Download
memory/4992-148-0x00007FF7C3160000-0x00007FF7C34B4000-memory.dmp

Filesize
3.3MB

Download
memory/4992-117-0x00007FF7C3160000-0x00007FF7C34B4000-memory.dmp

Filesize
3.3MB

Download