cobaltstrike | a0602c42a960a1b22c7f3c678fb3d6180ca54ed9f6945824e2cb4421c2b1b0be

Analysis

max time kernel
140s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
06-06-2024 04:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe
Size

5.2MB
MD5

7ad40ad09fc1e6b3d23a3e62eb441264
SHA1

4d557bef036b8d0551c07595f84dc64396ccf462
SHA256

a0602c42a960a1b22c7f3c678fb3d6180ca54ed9f6945824e2cb4421c2b1b0be
SHA512

241e40798b8606858b6dd6f88cddc8fd76c6a29c7b2dd300d36142af43bbd48ed453a361a9b52bed2aeebc0fe7b4e347b8f812353743f244fccf60ae8096c7cc
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lS:RWWBibf56utgpPFotBER/mQ32lUG

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0008000000023429-4.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002342e-8.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002342f-21.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023430-33.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023431-35.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002342d-19.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023432-40.dat	cobalt_reflective_dll
behavioral2/files/0x000800000002342a-50.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023434-55.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002343c-98.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002343b-104.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002343d-114.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002343e-120.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002343f-126.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023439-93.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002343a-99.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023437-83.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023436-82.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023438-78.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023435-67.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023433-65.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023429-4.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002342e-8.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002342f-21.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023430-33.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023431-35.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002342d-19.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023432-40.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000800000002342a-50.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023434-55.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002343c-98.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002343b-104.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002343d-114.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002343e-120.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002343f-126.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023439-93.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002343a-99.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023437-83.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023436-82.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023438-78.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023435-67.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023433-65.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

resource	yara_rule
behavioral2/memory/1304-0-0x00007FF7D7070000-0x00007FF7D73C1000-memory.dmp	UPX
behavioral2/files/0x0008000000023429-4.dat	UPX
behavioral2/files/0x000700000002342e-8.dat	UPX
behavioral2/memory/4164-23-0x00007FF7F1C00000-0x00007FF7F1F51000-memory.dmp	UPX
behavioral2/files/0x000700000002342f-21.dat	UPX
behavioral2/memory/2664-29-0x00007FF67AB80000-0x00007FF67AED1000-memory.dmp	UPX
behavioral2/files/0x0007000000023430-33.dat	UPX
behavioral2/memory/4756-37-0x00007FF6E6BD0000-0x00007FF6E6F21000-memory.dmp	UPX
behavioral2/memory/1560-38-0x00007FF7CB370000-0x00007FF7CB6C1000-memory.dmp	UPX
behavioral2/files/0x0007000000023431-35.dat	UPX
behavioral2/files/0x000700000002342d-19.dat	UPX
behavioral2/memory/1268-17-0x00007FF61F060000-0x00007FF61F3B1000-memory.dmp	UPX
behavioral2/memory/2328-10-0x00007FF687350000-0x00007FF6876A1000-memory.dmp	UPX
behavioral2/files/0x0007000000023432-40.dat	UPX
behavioral2/memory/4364-45-0x00007FF6A03B0000-0x00007FF6A0701000-memory.dmp	UPX
behavioral2/files/0x000800000002342a-50.dat	UPX
behavioral2/files/0x0007000000023434-55.dat	UPX
behavioral2/files/0x000700000002343c-98.dat	UPX
behavioral2/files/0x000700000002343b-104.dat	UPX
behavioral2/files/0x000700000002343d-114.dat	UPX
behavioral2/files/0x000700000002343e-120.dat	UPX
behavioral2/files/0x000700000002343f-126.dat	UPX
behavioral2/memory/4836-130-0x00007FF66CE70000-0x00007FF66D1C1000-memory.dmp	UPX
behavioral2/memory/4512-129-0x00007FF6D2D90000-0x00007FF6D30E1000-memory.dmp	UPX
behavioral2/memory/2608-128-0x00007FF6EB6D0000-0x00007FF6EBA21000-memory.dmp	UPX
behavioral2/memory/1268-125-0x00007FF61F060000-0x00007FF61F3B1000-memory.dmp	UPX
behavioral2/memory/2328-124-0x00007FF687350000-0x00007FF6876A1000-memory.dmp	UPX
behavioral2/memory/844-123-0x00007FF7E3A30000-0x00007FF7E3D81000-memory.dmp	UPX
behavioral2/memory/3768-122-0x00007FF671570000-0x00007FF6718C1000-memory.dmp	UPX
behavioral2/memory/4732-117-0x00007FF6805D0000-0x00007FF680921000-memory.dmp	UPX
behavioral2/memory/2852-116-0x00007FF7DCD40000-0x00007FF7DD091000-memory.dmp	UPX
behavioral2/memory/4024-112-0x00007FF633E00000-0x00007FF634151000-memory.dmp	UPX
behavioral2/memory/4736-111-0x00007FF6BD240000-0x00007FF6BD591000-memory.dmp	UPX
behavioral2/memory/2844-96-0x00007FF7E62B0000-0x00007FF7E6601000-memory.dmp	UPX
behavioral2/files/0x0007000000023439-93.dat	UPX
behavioral2/files/0x000700000002343a-99.dat	UPX
behavioral2/memory/1304-89-0x00007FF7D7070000-0x00007FF7D73C1000-memory.dmp	UPX
behavioral2/files/0x0007000000023437-83.dat	UPX
behavioral2/files/0x0007000000023436-82.dat	UPX
behavioral2/files/0x0007000000023438-78.dat	UPX
behavioral2/memory/508-71-0x00007FF718460000-0x00007FF7187B1000-memory.dmp	UPX
behavioral2/files/0x0007000000023435-67.dat	UPX
behavioral2/memory/1404-60-0x00007FF7B8B40000-0x00007FF7B8E91000-memory.dmp	UPX
behavioral2/memory/4236-59-0x00007FF7CD630000-0x00007FF7CD981000-memory.dmp	UPX
behavioral2/files/0x0007000000023433-65.dat	UPX
behavioral2/memory/1036-56-0x00007FF666AA0000-0x00007FF666DF1000-memory.dmp	UPX
behavioral2/memory/2664-131-0x00007FF67AB80000-0x00007FF67AED1000-memory.dmp	UPX
behavioral2/memory/1304-132-0x00007FF7D7070000-0x00007FF7D73C1000-memory.dmp	UPX
behavioral2/memory/4364-139-0x00007FF6A03B0000-0x00007FF6A0701000-memory.dmp	UPX
behavioral2/memory/4756-140-0x00007FF6E6BD0000-0x00007FF6E6F21000-memory.dmp	UPX
behavioral2/memory/1404-142-0x00007FF7B8B40000-0x00007FF7B8E91000-memory.dmp	UPX
behavioral2/memory/4236-143-0x00007FF7CD630000-0x00007FF7CD981000-memory.dmp	UPX
behavioral2/memory/2852-150-0x00007FF7DCD40000-0x00007FF7DD091000-memory.dmp	UPX
behavioral2/memory/1304-155-0x00007FF7D7070000-0x00007FF7D73C1000-memory.dmp	UPX
behavioral2/memory/2328-200-0x00007FF687350000-0x00007FF6876A1000-memory.dmp	UPX
behavioral2/memory/4164-202-0x00007FF7F1C00000-0x00007FF7F1F51000-memory.dmp	UPX
behavioral2/memory/1268-204-0x00007FF61F060000-0x00007FF61F3B1000-memory.dmp	UPX
behavioral2/memory/2664-206-0x00007FF67AB80000-0x00007FF67AED1000-memory.dmp	UPX
behavioral2/memory/4756-208-0x00007FF6E6BD0000-0x00007FF6E6F21000-memory.dmp	UPX
behavioral2/memory/1560-210-0x00007FF7CB370000-0x00007FF7CB6C1000-memory.dmp	UPX
behavioral2/memory/4364-228-0x00007FF6A03B0000-0x00007FF6A0701000-memory.dmp	UPX
behavioral2/memory/1036-230-0x00007FF666AA0000-0x00007FF666DF1000-memory.dmp	UPX
behavioral2/memory/4236-232-0x00007FF7CD630000-0x00007FF7CD981000-memory.dmp	UPX
behavioral2/memory/508-234-0x00007FF718460000-0x00007FF7187B1000-memory.dmp	UPX

XMRig Miner payload 46 IoCs

miner

resource	yara_rule
behavioral2/memory/4164-23-0x00007FF7F1C00000-0x00007FF7F1F51000-memory.dmp	xmrig
behavioral2/memory/1560-38-0x00007FF7CB370000-0x00007FF7CB6C1000-memory.dmp	xmrig
behavioral2/memory/2328-10-0x00007FF687350000-0x00007FF6876A1000-memory.dmp	xmrig
behavioral2/memory/4836-130-0x00007FF66CE70000-0x00007FF66D1C1000-memory.dmp	xmrig
behavioral2/memory/4512-129-0x00007FF6D2D90000-0x00007FF6D30E1000-memory.dmp	xmrig
behavioral2/memory/2608-128-0x00007FF6EB6D0000-0x00007FF6EBA21000-memory.dmp	xmrig
behavioral2/memory/1268-125-0x00007FF61F060000-0x00007FF61F3B1000-memory.dmp	xmrig
behavioral2/memory/2328-124-0x00007FF687350000-0x00007FF6876A1000-memory.dmp	xmrig
behavioral2/memory/844-123-0x00007FF7E3A30000-0x00007FF7E3D81000-memory.dmp	xmrig
behavioral2/memory/3768-122-0x00007FF671570000-0x00007FF6718C1000-memory.dmp	xmrig
behavioral2/memory/4732-117-0x00007FF6805D0000-0x00007FF680921000-memory.dmp	xmrig
behavioral2/memory/4024-112-0x00007FF633E00000-0x00007FF634151000-memory.dmp	xmrig
behavioral2/memory/4736-111-0x00007FF6BD240000-0x00007FF6BD591000-memory.dmp	xmrig
behavioral2/memory/2844-96-0x00007FF7E62B0000-0x00007FF7E6601000-memory.dmp	xmrig
behavioral2/memory/1304-89-0x00007FF7D7070000-0x00007FF7D73C1000-memory.dmp	xmrig
behavioral2/memory/508-71-0x00007FF718460000-0x00007FF7187B1000-memory.dmp	xmrig
behavioral2/memory/1036-56-0x00007FF666AA0000-0x00007FF666DF1000-memory.dmp	xmrig
behavioral2/memory/2664-131-0x00007FF67AB80000-0x00007FF67AED1000-memory.dmp	xmrig
behavioral2/memory/1304-132-0x00007FF7D7070000-0x00007FF7D73C1000-memory.dmp	xmrig
behavioral2/memory/4364-139-0x00007FF6A03B0000-0x00007FF6A0701000-memory.dmp	xmrig
behavioral2/memory/4756-140-0x00007FF6E6BD0000-0x00007FF6E6F21000-memory.dmp	xmrig
behavioral2/memory/1404-142-0x00007FF7B8B40000-0x00007FF7B8E91000-memory.dmp	xmrig
behavioral2/memory/4236-143-0x00007FF7CD630000-0x00007FF7CD981000-memory.dmp	xmrig
behavioral2/memory/2852-150-0x00007FF7DCD40000-0x00007FF7DD091000-memory.dmp	xmrig
behavioral2/memory/1304-155-0x00007FF7D7070000-0x00007FF7D73C1000-memory.dmp	xmrig
behavioral2/memory/2328-200-0x00007FF687350000-0x00007FF6876A1000-memory.dmp	xmrig
behavioral2/memory/4164-202-0x00007FF7F1C00000-0x00007FF7F1F51000-memory.dmp	xmrig
behavioral2/memory/1268-204-0x00007FF61F060000-0x00007FF61F3B1000-memory.dmp	xmrig
behavioral2/memory/2664-206-0x00007FF67AB80000-0x00007FF67AED1000-memory.dmp	xmrig
behavioral2/memory/4756-208-0x00007FF6E6BD0000-0x00007FF6E6F21000-memory.dmp	xmrig
behavioral2/memory/1560-210-0x00007FF7CB370000-0x00007FF7CB6C1000-memory.dmp	xmrig
behavioral2/memory/4364-228-0x00007FF6A03B0000-0x00007FF6A0701000-memory.dmp	xmrig
behavioral2/memory/1036-230-0x00007FF666AA0000-0x00007FF666DF1000-memory.dmp	xmrig
behavioral2/memory/4236-232-0x00007FF7CD630000-0x00007FF7CD981000-memory.dmp	xmrig
behavioral2/memory/508-234-0x00007FF718460000-0x00007FF7187B1000-memory.dmp	xmrig
behavioral2/memory/1404-236-0x00007FF7B8B40000-0x00007FF7B8E91000-memory.dmp	xmrig
behavioral2/memory/4024-238-0x00007FF633E00000-0x00007FF634151000-memory.dmp	xmrig
behavioral2/memory/4736-242-0x00007FF6BD240000-0x00007FF6BD591000-memory.dmp	xmrig
behavioral2/memory/2844-241-0x00007FF7E62B0000-0x00007FF7E6601000-memory.dmp	xmrig
behavioral2/memory/844-244-0x00007FF7E3A30000-0x00007FF7E3D81000-memory.dmp	xmrig
behavioral2/memory/2608-248-0x00007FF6EB6D0000-0x00007FF6EBA21000-memory.dmp	xmrig
behavioral2/memory/4512-247-0x00007FF6D2D90000-0x00007FF6D30E1000-memory.dmp	xmrig
behavioral2/memory/4732-250-0x00007FF6805D0000-0x00007FF680921000-memory.dmp	xmrig
behavioral2/memory/3768-252-0x00007FF671570000-0x00007FF6718C1000-memory.dmp	xmrig
behavioral2/memory/2852-254-0x00007FF7DCD40000-0x00007FF7DD091000-memory.dmp	xmrig
behavioral2/memory/4836-256-0x00007FF66CE70000-0x00007FF66D1C1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2328	crvyaWe.exe
1268	dOLFwDT.exe
4164	qBHHzYO.exe
2664	XpJuhJw.exe
4756	DiZJHKO.exe
1560	SZWSqsR.exe
4364	buSdpiL.exe
1036	UhlicrZ.exe
1404	EZdDgxg.exe
4236	XisTSzX.exe
508	pIxklDy.exe
2844	xtIcekF.exe
4736	OLetQgF.exe
4024	oPTIAuo.exe
844	XnvzIAr.exe
2608	RlnqlPh.exe
4512	QukCEyn.exe
2852	GHOPHEI.exe
4732	yhZNqEp.exe
3768	HMvHyzt.exe
4836	HtECnJV.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1304-0-0x00007FF7D7070000-0x00007FF7D73C1000-memory.dmp	upx
behavioral2/files/0x0008000000023429-4.dat	upx
behavioral2/files/0x000700000002342e-8.dat	upx
behavioral2/memory/4164-23-0x00007FF7F1C00000-0x00007FF7F1F51000-memory.dmp	upx
behavioral2/files/0x000700000002342f-21.dat	upx
behavioral2/memory/2664-29-0x00007FF67AB80000-0x00007FF67AED1000-memory.dmp	upx
behavioral2/files/0x0007000000023430-33.dat	upx
behavioral2/memory/4756-37-0x00007FF6E6BD0000-0x00007FF6E6F21000-memory.dmp	upx
behavioral2/memory/1560-38-0x00007FF7CB370000-0x00007FF7CB6C1000-memory.dmp	upx
behavioral2/files/0x0007000000023431-35.dat	upx
behavioral2/files/0x000700000002342d-19.dat	upx
behavioral2/memory/1268-17-0x00007FF61F060000-0x00007FF61F3B1000-memory.dmp	upx
behavioral2/memory/2328-10-0x00007FF687350000-0x00007FF6876A1000-memory.dmp	upx
behavioral2/files/0x0007000000023432-40.dat	upx
behavioral2/memory/4364-45-0x00007FF6A03B0000-0x00007FF6A0701000-memory.dmp	upx
behavioral2/files/0x000800000002342a-50.dat	upx
behavioral2/files/0x0007000000023434-55.dat	upx
behavioral2/files/0x000700000002343c-98.dat	upx
behavioral2/files/0x000700000002343b-104.dat	upx
behavioral2/files/0x000700000002343d-114.dat	upx
behavioral2/files/0x000700000002343e-120.dat	upx
behavioral2/files/0x000700000002343f-126.dat	upx
behavioral2/memory/4836-130-0x00007FF66CE70000-0x00007FF66D1C1000-memory.dmp	upx
behavioral2/memory/4512-129-0x00007FF6D2D90000-0x00007FF6D30E1000-memory.dmp	upx
behavioral2/memory/2608-128-0x00007FF6EB6D0000-0x00007FF6EBA21000-memory.dmp	upx
behavioral2/memory/1268-125-0x00007FF61F060000-0x00007FF61F3B1000-memory.dmp	upx
behavioral2/memory/2328-124-0x00007FF687350000-0x00007FF6876A1000-memory.dmp	upx
behavioral2/memory/844-123-0x00007FF7E3A30000-0x00007FF7E3D81000-memory.dmp	upx
behavioral2/memory/3768-122-0x00007FF671570000-0x00007FF6718C1000-memory.dmp	upx
behavioral2/memory/4732-117-0x00007FF6805D0000-0x00007FF680921000-memory.dmp	upx
behavioral2/memory/2852-116-0x00007FF7DCD40000-0x00007FF7DD091000-memory.dmp	upx
behavioral2/memory/4024-112-0x00007FF633E00000-0x00007FF634151000-memory.dmp	upx
behavioral2/memory/4736-111-0x00007FF6BD240000-0x00007FF6BD591000-memory.dmp	upx
behavioral2/memory/2844-96-0x00007FF7E62B0000-0x00007FF7E6601000-memory.dmp	upx
behavioral2/files/0x0007000000023439-93.dat	upx
behavioral2/files/0x000700000002343a-99.dat	upx
behavioral2/memory/1304-89-0x00007FF7D7070000-0x00007FF7D73C1000-memory.dmp	upx
behavioral2/files/0x0007000000023437-83.dat	upx
behavioral2/files/0x0007000000023436-82.dat	upx
behavioral2/files/0x0007000000023438-78.dat	upx
behavioral2/memory/508-71-0x00007FF718460000-0x00007FF7187B1000-memory.dmp	upx
behavioral2/files/0x0007000000023435-67.dat	upx
behavioral2/memory/1404-60-0x00007FF7B8B40000-0x00007FF7B8E91000-memory.dmp	upx
behavioral2/memory/4236-59-0x00007FF7CD630000-0x00007FF7CD981000-memory.dmp	upx
behavioral2/files/0x0007000000023433-65.dat	upx
behavioral2/memory/1036-56-0x00007FF666AA0000-0x00007FF666DF1000-memory.dmp	upx
behavioral2/memory/2664-131-0x00007FF67AB80000-0x00007FF67AED1000-memory.dmp	upx
behavioral2/memory/1304-132-0x00007FF7D7070000-0x00007FF7D73C1000-memory.dmp	upx
behavioral2/memory/4364-139-0x00007FF6A03B0000-0x00007FF6A0701000-memory.dmp	upx
behavioral2/memory/4756-140-0x00007FF6E6BD0000-0x00007FF6E6F21000-memory.dmp	upx
behavioral2/memory/1404-142-0x00007FF7B8B40000-0x00007FF7B8E91000-memory.dmp	upx
behavioral2/memory/4236-143-0x00007FF7CD630000-0x00007FF7CD981000-memory.dmp	upx
behavioral2/memory/2852-150-0x00007FF7DCD40000-0x00007FF7DD091000-memory.dmp	upx
behavioral2/memory/1304-155-0x00007FF7D7070000-0x00007FF7D73C1000-memory.dmp	upx
behavioral2/memory/2328-200-0x00007FF687350000-0x00007FF6876A1000-memory.dmp	upx
behavioral2/memory/4164-202-0x00007FF7F1C00000-0x00007FF7F1F51000-memory.dmp	upx
behavioral2/memory/1268-204-0x00007FF61F060000-0x00007FF61F3B1000-memory.dmp	upx
behavioral2/memory/2664-206-0x00007FF67AB80000-0x00007FF67AED1000-memory.dmp	upx
behavioral2/memory/4756-208-0x00007FF6E6BD0000-0x00007FF6E6F21000-memory.dmp	upx
behavioral2/memory/1560-210-0x00007FF7CB370000-0x00007FF7CB6C1000-memory.dmp	upx
behavioral2/memory/4364-228-0x00007FF6A03B0000-0x00007FF6A0701000-memory.dmp	upx
behavioral2/memory/1036-230-0x00007FF666AA0000-0x00007FF666DF1000-memory.dmp	upx
behavioral2/memory/4236-232-0x00007FF7CD630000-0x00007FF7CD981000-memory.dmp	upx
behavioral2/memory/508-234-0x00007FF718460000-0x00007FF7187B1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\qBHHzYO.exe	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\buSdpiL.exe	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\XisTSzX.exe	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\XnvzIAr.exe	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\RlnqlPh.exe	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\crvyaWe.exe	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\dOLFwDT.exe	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\DiZJHKO.exe	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\xtIcekF.exe	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\OLetQgF.exe	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\XpJuhJw.exe	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\SZWSqsR.exe	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\QukCEyn.exe	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\HMvHyzt.exe	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\yhZNqEp.exe	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\HtECnJV.exe	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\UhlicrZ.exe	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\EZdDgxg.exe	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\pIxklDy.exe	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\oPTIAuo.exe	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\GHOPHEI.exe	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1304	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	1304	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 1304 wrote to memory of 2328	1304	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe	85
PID 1304 wrote to memory of 2328	1304	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe	85
PID 1304 wrote to memory of 1268	1304	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe	87
PID 1304 wrote to memory of 1268	1304	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe	87
PID 1304 wrote to memory of 4164	1304	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe	88
PID 1304 wrote to memory of 4164	1304	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe	88
PID 1304 wrote to memory of 2664	1304	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe	89
PID 1304 wrote to memory of 2664	1304	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe	89
PID 1304 wrote to memory of 4756	1304	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe	90
PID 1304 wrote to memory of 4756	1304	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe	90
PID 1304 wrote to memory of 1560	1304	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe	91
PID 1304 wrote to memory of 1560	1304	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe	91
PID 1304 wrote to memory of 4364	1304	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe	92
PID 1304 wrote to memory of 4364	1304	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe	92
PID 1304 wrote to memory of 1036	1304	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe	94
PID 1304 wrote to memory of 1036	1304	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe	94
PID 1304 wrote to memory of 1404	1304	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe	95
PID 1304 wrote to memory of 1404	1304	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe	95
PID 1304 wrote to memory of 4236	1304	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe	96
PID 1304 wrote to memory of 4236	1304	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe	96
PID 1304 wrote to memory of 508	1304	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe	97
PID 1304 wrote to memory of 508	1304	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe	97
PID 1304 wrote to memory of 2844	1304	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe	98
PID 1304 wrote to memory of 2844	1304	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe	98
PID 1304 wrote to memory of 4736	1304	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe	99
PID 1304 wrote to memory of 4736	1304	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe	99
PID 1304 wrote to memory of 4024	1304	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe	100
PID 1304 wrote to memory of 4024	1304	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe	100
PID 1304 wrote to memory of 844	1304	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe	101
PID 1304 wrote to memory of 844	1304	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe	101
PID 1304 wrote to memory of 2608	1304	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe	102
PID 1304 wrote to memory of 2608	1304	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe	102
PID 1304 wrote to memory of 2852	1304	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe	103
PID 1304 wrote to memory of 2852	1304	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe	103
PID 1304 wrote to memory of 4512	1304	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe	104
PID 1304 wrote to memory of 4512	1304	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe	104
PID 1304 wrote to memory of 4732	1304	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe	105
PID 1304 wrote to memory of 4732	1304	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe	105
PID 1304 wrote to memory of 3768	1304	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe	106
PID 1304 wrote to memory of 3768	1304	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe	106
PID 1304 wrote to memory of 4836	1304	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe	107
PID 1304 wrote to memory of 4836	1304	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe	107

C:\Users\Admin\AppData\Local\Temp\2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1304
- C:\Windows\System\crvyaWe.exe
  C:\Windows\System\crvyaWe.exe
  2⤵
  - Executes dropped EXE
  PID:2328
- C:\Windows\System\dOLFwDT.exe
  C:\Windows\System\dOLFwDT.exe
  2⤵
  - Executes dropped EXE
  PID:1268
- C:\Windows\System\qBHHzYO.exe
  C:\Windows\System\qBHHzYO.exe
  2⤵
  - Executes dropped EXE
  PID:4164
- C:\Windows\System\XpJuhJw.exe
  C:\Windows\System\XpJuhJw.exe
  2⤵
  - Executes dropped EXE
  PID:2664
- C:\Windows\System\DiZJHKO.exe
  C:\Windows\System\DiZJHKO.exe
  2⤵
  - Executes dropped EXE
  PID:4756
- C:\Windows\System\SZWSqsR.exe
  C:\Windows\System\SZWSqsR.exe
  2⤵
  - Executes dropped EXE
  PID:1560
- C:\Windows\System\buSdpiL.exe
  C:\Windows\System\buSdpiL.exe
  2⤵
  - Executes dropped EXE
  PID:4364
- C:\Windows\System\UhlicrZ.exe
  C:\Windows\System\UhlicrZ.exe
  2⤵
  - Executes dropped EXE
  PID:1036
- C:\Windows\System\EZdDgxg.exe
  C:\Windows\System\EZdDgxg.exe
  2⤵
  - Executes dropped EXE
  PID:1404
- C:\Windows\System\XisTSzX.exe
  C:\Windows\System\XisTSzX.exe
  2⤵
  - Executes dropped EXE
  PID:4236
- C:\Windows\System\pIxklDy.exe
  C:\Windows\System\pIxklDy.exe
  2⤵
  - Executes dropped EXE
  PID:508
- C:\Windows\System\xtIcekF.exe
  C:\Windows\System\xtIcekF.exe
  2⤵
  - Executes dropped EXE
  PID:2844
- C:\Windows\System\OLetQgF.exe
  C:\Windows\System\OLetQgF.exe
  2⤵
  - Executes dropped EXE
  PID:4736
- C:\Windows\System\oPTIAuo.exe
  C:\Windows\System\oPTIAuo.exe
  2⤵
  - Executes dropped EXE
  PID:4024
- C:\Windows\System\XnvzIAr.exe
  C:\Windows\System\XnvzIAr.exe
  2⤵
  - Executes dropped EXE
  PID:844
- C:\Windows\System\RlnqlPh.exe
  C:\Windows\System\RlnqlPh.exe
  2⤵
  - Executes dropped EXE
  PID:2608
- C:\Windows\System\GHOPHEI.exe
  C:\Windows\System\GHOPHEI.exe
  2⤵
  - Executes dropped EXE
  PID:2852
- C:\Windows\System\QukCEyn.exe
  C:\Windows\System\QukCEyn.exe
  2⤵
  - Executes dropped EXE
  PID:4512
- C:\Windows\System\yhZNqEp.exe
  C:\Windows\System\yhZNqEp.exe
  2⤵
  - Executes dropped EXE
  PID:4732
- C:\Windows\System\HMvHyzt.exe
  C:\Windows\System\HMvHyzt.exe
  2⤵
  - Executes dropped EXE
  PID:3768
- C:\Windows\System\HtECnJV.exe
  C:\Windows\System\HtECnJV.exe
  2⤵
  - Executes dropped EXE
  PID:4836

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\DiZJHKO.exe

Filesize
5.2MB

MD5
e15c96140151c13970bffc2acfe83cfb

SHA1
fad6db97b51f955949e5c8c9984efdfcf3e45b58

SHA256
b542ed0e8ddd391ee9a49947f8eecd2269ef535af213285a2fd3f4ba27f33d69

SHA512
2da8efb94e87ac9bc96dee35c73222fcc1a7980742d11519a1b26ad8cb4291732ad777aa104d76b7c4da7372e71ffecad075b2c36f670f6e2c51af8909ea1a35

Download Submit
C:\Windows\System\EZdDgxg.exe

Filesize
5.2MB

MD5
69c3e76812041e498c1d5390f367f8e9

SHA1
f58a9588a1da26fef6b6e97fcd6b178b8b29aba7

SHA256
b0cd19103d6a9b021792e7dc33cacc4a952152f5d4ad11d368d179d33d4f79da

SHA512
bb9e2eb362ae7695ad785587f37570360d29e835d1bc202dde8af7840e46caa321c9355a9a61499db9ab75b9b56b1b16e012d5d1a1bfdcb138dc10fe3aafe133

Download Submit
C:\Windows\System\GHOPHEI.exe

Filesize
5.2MB

MD5
22785f26f34473581dd83c4daf39d8c5

SHA1
1fe0a3608cd5a400fb58734bb05e03bf2209275e

SHA256
47e8582ad337896fff019f527a96f944f972713eb2036421cda7f2c4953a1ba6

SHA512
8d1a65e870549f9ed4d22a9fbb37bbb0b2e1fbc544aca5fb55ff0c7e32b61ccc0ff969a06c2c0998c12249b6576d04054ec93fe02b85d33fcf145c591e9431ba

Download Submit
C:\Windows\System\HMvHyzt.exe

Filesize
5.2MB

MD5
0e989a9712f5d56840443e6100786b75

SHA1
b7a0ccf1a2e23a1a318c960b4cf90e03235298f9

SHA256
cfaeceb9ec95892e3806c40615af8293a4e9c5ffbc82a9672a4106e92ed9f5f5

SHA512
85da6e99c65b809e62fc5ff640020bfa0e80709fea7db60f424dd8bac946e8f92757f93daa469187c8a7d9d5efb57b8a5bfdd5ceed392d4a53a572c21e704f08

Download Submit
C:\Windows\System\HtECnJV.exe

Filesize
5.2MB

MD5
202dab811afd556c7ee4ea17af7c3c9e

SHA1
dcdd4e3986b44272e22e94ede8b338098073f1f0

SHA256
cd58b0325eb4709e0e9c4a087d153089b064d146726c40f588cf226d106adebf

SHA512
5082975967ed10cf63e18dbf25a26388c98c34137a1c6c254500042433254160352838fd60c1d1edf1a0dee8d0a7f34517aa0ce4f60f9c7739db13b6384dcdda

Download Submit
C:\Windows\System\OLetQgF.exe

Filesize
5.2MB

MD5
59394bd7a4ea40e775aeee9ee0e23b75

SHA1
479083ff1347363294292c0dc1a493bd6405018f

SHA256
dd0efb993708f84dcc39e372d906cdb22fd1fff0b8617c8b2e43acf78d311827

SHA512
6666f8038dc4fe813a95b7a5c318d6e01e23958415b8ae0e1684db3e07e5f978e9ac5ab7eea086bdedb2ba3e5c9a029faaa276438d427c87152774f9e117bac2

Download Submit
C:\Windows\System\QukCEyn.exe

Filesize
5.2MB

MD5
b9c5db7a6eb2dd837e3d5c9164d19330

SHA1
16a9af90e2af70794dc530fda90b76d4a4694ab2

SHA256
4ac06b5cb1b668519fd5ebe7d312fb5d81379d1296ef51baecbd9cdd4d817709

SHA512
33157ed6aa3c92ecdb0719fd2152e62673e8880681a344f81d4f18e2884c6fbfee0bfecd3dc2fe08c5f2e89052b957295f69eba3cff66ad79b814d863b58b4cc

Download Submit
C:\Windows\System\RlnqlPh.exe

Filesize
5.2MB

MD5
5db0a62089b63b4034a2a5c24d2aa449

SHA1
26a18f629be5c2eea3b7209dc06622be542c8e65

SHA256
d226e6647db2a4aaa5beae32846333ed1d2a1a60ee1cb3f097ea0639ac86654d

SHA512
8a09b70e3f7a96985d22af4974ed5f46a3b1ce02c81599c7ec91fa18a9bfb13f92ea77ca5c0a6641eb560f05cd49a039e056fabfea3457222c67b826e7cf008a

Download Submit
C:\Windows\System\SZWSqsR.exe

Filesize
5.2MB

MD5
6234585c945b1f84e0383e9defbfb51a

SHA1
150e9763bc85a5e11a0d3e25a959cc4d815ace19

SHA256
bad998f9225e5034c3db04ce1544775fbbfad9d20a9dec4aa51a687bf5ab0a2d

SHA512
00821f1d48e273aadfcf6281b043438e8ec03574b8841d92b7b15c8a990e3e208783c9dd694ba7deb523b78bc260e43ce95853bebf97ad7d86006554cd827a24

Download Submit
C:\Windows\System\UhlicrZ.exe

Filesize
5.2MB

MD5
4373364f125a7ea601bc1358105b6188

SHA1
d242304aec84b498218244e2591da7747e192773

SHA256
c71fafec64b12156228c0a08ec5553b5da3d3cec52ec03569f3a8306c4dbbff0

SHA512
bdf4aff7fc264300905d115529ff7c049cb3f7096dfb63c2c055d8062be98b2445b9e9bc069f27c707dc72f08d0df5afb0dc8446288a5abfcf96127939ec26dd

Download Submit
C:\Windows\System\XisTSzX.exe

Filesize
5.2MB

MD5
c7d873e9068273ddd99f5af45f020722

SHA1
f527189da390166e9c8431816fa6af407025965b

SHA256
05bce00cb276697370f2f1c51bb011d199ad4a887b73cdc76cc55332995705a2

SHA512
f90e6c4f4a0d75c3b5e5fe7d3bd75300ee04aabf0ac69073d213329ab42ca5b0e874bbaa6b177b0d65297ed3b2efc2bec9dbb4c2d3ad3f3c29735a5523492646

Download Submit
C:\Windows\System\XnvzIAr.exe

Filesize
5.2MB

MD5
81d81c66e3f7cb37e186aa39deb47310

SHA1
659176fd0ee278bfe2525e41ef08cd33bd1d66ed

SHA256
50429d1e55d298735e8a1289944a74a943e9baeaababef57b5d3f2f3e68891dc

SHA512
18237cd09b3c42d770b24a3ebd2d978b12a879c83d2d134047f92054b0f0dc1618e58b04578b30b4fd1999f030f03a78c0e8afe718d2505d55b3fdcb6a9958ca

Download Submit
C:\Windows\System\XpJuhJw.exe

Filesize
5.2MB

MD5
d0f7c4f9a839a8b2e62d71956ff4bc49

SHA1
e1aeec57fe9ba5698709b42e718fc6d93a5c891d

SHA256
05eaeb44bb31d6076b4fd749625683c759f05359ca612b31219c138d96db8df0

SHA512
c01e95670bff7c4518d486f111c8a3ae46c17cb282ecc312f57db133a012b2aba5b02d7c062345c5c63f5bab7708b9ed0221ad12632e81be2292a78743f2a29d

Download Submit
C:\Windows\System\buSdpiL.exe

Filesize
5.2MB

MD5
8fb00789555ad3ad5f6cee3115b0b098

SHA1
eebac8fad76ede1443286d3baf6f8d3bccc0bf3e

SHA256
720f883daa4a168cb450853c621eeaf7a43cc19b1f2dd7e993b5003e3fd3314e

SHA512
519faaf290225ecc5d978883c7a3884b60b4b6906c8e96ac70c27ecc528932a481c4d418a59238ee4a52ca978afe455d1ca238785cd10ddd1f8b42d430b617c5

Download Submit
C:\Windows\System\crvyaWe.exe

Filesize
5.2MB

MD5
d2b8534d828475cb231c9a1882a1dc2f

SHA1
17d38f001c41b8811d957535b1bfe3497bf743df

SHA256
ded81c0d5848f7c76eef99c5ee9803b073692439bb38c3c53fdaa0979294ea40

SHA512
7a77796a980b53bcc091cbb529dbf597eef2aec4eb76e0fd02418f9463609db138c90284e075aecab1e229d43749f39931f4dc6918ed2f58e9ee15e1e4c15832

Download Submit
C:\Windows\System\dOLFwDT.exe

Filesize
5.2MB

MD5
30d0d4f59b90fdcd730cec51e8c8b5b1

SHA1
94eb0d6c63289ab7023ec22dd056cf770bc25655

SHA256
c2f57b503d6547d0ca820e9b9b7d2828fa779e3adb46c7a057dc3d41e91c21ce

SHA512
0a79d33dabd43913cc047c71a6762b0bc99846afb956f6af884cabae84c304455fdb9b965c9bdf46b0c22533082fef4b60321bb72dd4c55be733c2d7361b68b9

Download Submit
C:\Windows\System\oPTIAuo.exe

Filesize
5.2MB

MD5
8912ab0ccfb86e9e7b27c2efdf0e3baa

SHA1
c8d7464de1f9819f402eb4dd4a973daed9102e73

SHA256
ff9ccfceeda5811209b9ea8a9b2f67d3b8cd058d2e4777ff9153fac951a6bdb7

SHA512
9dfab9c5b79d43cc81ae0330e7925857e1e8b6e14e9e54cbd7c6d1072f6bac0927d3a06f1a0e22845e02c3374fc20a06eed662406407ef72d1a2bd57ba967dea

Download Submit
C:\Windows\System\pIxklDy.exe

Filesize
5.2MB

MD5
cb5b3d362954a9c51501ec039d17c7ac

SHA1
f357d33e0bda6eaa543001e443738b9239095cd8

SHA256
50f979deea5a302aedd7d9deec47c2338bcb6cc31178c4ddd6fddff9602fd360

SHA512
c6f817c0c16c139e521f52c5dc1a071ee681dff3d2ce775e5b91d94982b5db99d8d9a439e4daf5f81fc1aab6d4b7a5c497eb4bd25bd00323053c96c5a1cb0851

Download Submit
C:\Windows\System\qBHHzYO.exe

Filesize
5.2MB

MD5
317cf88a9f743de416aad1b969f6be5c

SHA1
b2bca09dbdfc36c447bc062e802c7eb31e0aba69

SHA256
d33cedf52ac0f637bd1c8fafa96ed64755b4fa6892d951430122f52d1ab47d2f

SHA512
e087506adc251a9d7fa3c96666816c696cdc47ec5d0b29f7aeaa2d7ae90a146f46a80e3a359659e709271a4ab655af6f3103cf3d2bb2193a9c2c34a75dda910c

Download Submit
C:\Windows\System\xtIcekF.exe

Filesize
5.2MB

MD5
8337262b4b542651919a23ff46ca546f

SHA1
5355f413c0d2d8c103d9a66a3437713840e79a6d

SHA256
8dde5e04e47b0c9aeb74c5802876c2c103e25d55738cda9a1b9fa4dbb63eb18c

SHA512
f87b6387cf346e1659907361faca85b5e8c51f503da21711360ba06d496e765a042270f6f98af88ed5f7f4656ad0da315141da3a47f688efbb060e79c6b44d23

Download Submit
C:\Windows\System\yhZNqEp.exe

Filesize
5.2MB

MD5
75732f35913e5b72df28d48193455021

SHA1
984850468d745695b49aa49b46336f80e0036fce

SHA256
2b4aa3da0fd7bd7452753720b0267add1d6295bfde894a71829a5501ca1e8c60

SHA512
a170e099ea41820150ca98a262553875bc81a0c4e2fb9efa5d2475eb635a161799dad68d6a2f91bb9ad766b6dc7db300ded8c44cd4bcd249f0514ae787d8e454

Download Submit
memory/508-71-0x00007FF718460000-0x00007FF7187B1000-memory.dmp

Filesize
3.3MB

Download
memory/508-234-0x00007FF718460000-0x00007FF7187B1000-memory.dmp

Filesize
3.3MB

Download
memory/844-123-0x00007FF7E3A30000-0x00007FF7E3D81000-memory.dmp

Filesize
3.3MB

Download
memory/844-244-0x00007FF7E3A30000-0x00007FF7E3D81000-memory.dmp

Filesize
3.3MB

Download
memory/1036-230-0x00007FF666AA0000-0x00007FF666DF1000-memory.dmp

Filesize
3.3MB

Download
memory/1036-56-0x00007FF666AA0000-0x00007FF666DF1000-memory.dmp

Filesize
3.3MB

Download
memory/1268-125-0x00007FF61F060000-0x00007FF61F3B1000-memory.dmp

Filesize
3.3MB

Download
memory/1268-204-0x00007FF61F060000-0x00007FF61F3B1000-memory.dmp

Filesize
3.3MB

Download
memory/1268-17-0x00007FF61F060000-0x00007FF61F3B1000-memory.dmp

Filesize
3.3MB

Download
memory/1304-1-0x0000013C37040000-0x0000013C37050000-memory.dmp

Filesize
64KB

Download
memory/1304-155-0x00007FF7D7070000-0x00007FF7D73C1000-memory.dmp

Filesize
3.3MB

Download
memory/1304-89-0x00007FF7D7070000-0x00007FF7D73C1000-memory.dmp

Filesize
3.3MB

Download
memory/1304-132-0x00007FF7D7070000-0x00007FF7D73C1000-memory.dmp

Filesize
3.3MB

Download
memory/1304-0-0x00007FF7D7070000-0x00007FF7D73C1000-memory.dmp

Filesize
3.3MB

Download
memory/1404-142-0x00007FF7B8B40000-0x00007FF7B8E91000-memory.dmp

Filesize
3.3MB

Download
memory/1404-236-0x00007FF7B8B40000-0x00007FF7B8E91000-memory.dmp

Filesize
3.3MB

Download
memory/1404-60-0x00007FF7B8B40000-0x00007FF7B8E91000-memory.dmp

Filesize
3.3MB

Download
memory/1560-210-0x00007FF7CB370000-0x00007FF7CB6C1000-memory.dmp

Filesize
3.3MB

Download
memory/1560-38-0x00007FF7CB370000-0x00007FF7CB6C1000-memory.dmp

Filesize
3.3MB

Download
memory/2328-124-0x00007FF687350000-0x00007FF6876A1000-memory.dmp

Filesize
3.3MB

Download
memory/2328-200-0x00007FF687350000-0x00007FF6876A1000-memory.dmp

Filesize
3.3MB

Download
memory/2328-10-0x00007FF687350000-0x00007FF6876A1000-memory.dmp

Filesize
3.3MB

Download
memory/2608-248-0x00007FF6EB6D0000-0x00007FF6EBA21000-memory.dmp

Filesize
3.3MB

Download
memory/2608-128-0x00007FF6EB6D0000-0x00007FF6EBA21000-memory.dmp

Filesize
3.3MB

Download
memory/2664-131-0x00007FF67AB80000-0x00007FF67AED1000-memory.dmp

Filesize
3.3MB

Download
memory/2664-29-0x00007FF67AB80000-0x00007FF67AED1000-memory.dmp

Filesize
3.3MB

Download
memory/2664-206-0x00007FF67AB80000-0x00007FF67AED1000-memory.dmp

Filesize
3.3MB

Download
memory/2844-96-0x00007FF7E62B0000-0x00007FF7E6601000-memory.dmp

Filesize
3.3MB

Download
memory/2844-241-0x00007FF7E62B0000-0x00007FF7E6601000-memory.dmp

Filesize
3.3MB

Download
memory/2852-254-0x00007FF7DCD40000-0x00007FF7DD091000-memory.dmp

Filesize
3.3MB

Download
memory/2852-150-0x00007FF7DCD40000-0x00007FF7DD091000-memory.dmp

Filesize
3.3MB

Download
memory/2852-116-0x00007FF7DCD40000-0x00007FF7DD091000-memory.dmp

Filesize
3.3MB

Download
memory/3768-122-0x00007FF671570000-0x00007FF6718C1000-memory.dmp

Filesize
3.3MB

Download
memory/3768-252-0x00007FF671570000-0x00007FF6718C1000-memory.dmp

Filesize
3.3MB

Download
memory/4024-112-0x00007FF633E00000-0x00007FF634151000-memory.dmp

Filesize
3.3MB

Download
memory/4024-238-0x00007FF633E00000-0x00007FF634151000-memory.dmp

Filesize
3.3MB

Download
memory/4164-23-0x00007FF7F1C00000-0x00007FF7F1F51000-memory.dmp

Filesize
3.3MB

Download
memory/4164-202-0x00007FF7F1C00000-0x00007FF7F1F51000-memory.dmp

Filesize
3.3MB

Download
memory/4236-232-0x00007FF7CD630000-0x00007FF7CD981000-memory.dmp

Filesize
3.3MB

Download
memory/4236-143-0x00007FF7CD630000-0x00007FF7CD981000-memory.dmp

Filesize
3.3MB

Download
memory/4236-59-0x00007FF7CD630000-0x00007FF7CD981000-memory.dmp

Filesize
3.3MB

Download
memory/4364-228-0x00007FF6A03B0000-0x00007FF6A0701000-memory.dmp

Filesize
3.3MB

Download
memory/4364-45-0x00007FF6A03B0000-0x00007FF6A0701000-memory.dmp

Filesize
3.3MB

Download
memory/4364-139-0x00007FF6A03B0000-0x00007FF6A0701000-memory.dmp

Filesize
3.3MB

Download
memory/4512-247-0x00007FF6D2D90000-0x00007FF6D30E1000-memory.dmp

Filesize
3.3MB

Download
memory/4512-129-0x00007FF6D2D90000-0x00007FF6D30E1000-memory.dmp

Filesize
3.3MB

Download
memory/4732-250-0x00007FF6805D0000-0x00007FF680921000-memory.dmp

Filesize
3.3MB

Download
memory/4732-117-0x00007FF6805D0000-0x00007FF680921000-memory.dmp

Filesize
3.3MB

Download
memory/4736-242-0x00007FF6BD240000-0x00007FF6BD591000-memory.dmp

Filesize
3.3MB

Download
memory/4736-111-0x00007FF6BD240000-0x00007FF6BD591000-memory.dmp

Filesize
3.3MB

Download
memory/4756-208-0x00007FF6E6BD0000-0x00007FF6E6F21000-memory.dmp

Filesize
3.3MB

Download
memory/4756-37-0x00007FF6E6BD0000-0x00007FF6E6F21000-memory.dmp

Filesize
3.3MB

Download
memory/4756-140-0x00007FF6E6BD0000-0x00007FF6E6F21000-memory.dmp

Filesize
3.3MB

Download
memory/4836-130-0x00007FF66CE70000-0x00007FF66D1C1000-memory.dmp

Filesize
3.3MB

Download
memory/4836-256-0x00007FF66CE70000-0x00007FF66D1C1000-memory.dmp

Filesize
3.3MB

Download