cobaltstrike | a214f0d5f1ac086d59f8f00ae6932bef5d0d3c862b1c61d99a28670018c4a867

Analysis

max time kernel
141s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
06/06/2024, 08:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe
Size

5.9MB
MD5

d019a83b5d82dfd5b43a37c2e9167272
SHA1

54c0bcdcc31e109f9448fce9f369f512b85b7904
SHA256

a214f0d5f1ac086d59f8f00ae6932bef5d0d3c862b1c61d99a28670018c4a867
SHA512

77820c23b25f914971d9a6abb49779c4451079e660e69632b4249f112ff35b934f8af75b8a471550d0d8f1ff7c01c5cada4237ef75173a4bf9235bc5e28c6b45
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUa:Q+856utgpPF8u/7a

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000800000002351f-5.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023523-10.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023524-11.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023525-23.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023526-27.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023527-36.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023528-41.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023520-45.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002352a-53.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002352c-62.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002352b-64.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002352d-72.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002352f-81.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023530-82.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023531-92.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023532-97.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023533-102.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023534-108.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023535-116.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023536-122.dat	cobalt_reflective_dll
behavioral2/files/0x0002000000022a48-126.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

resource	yara_rule
behavioral2/files/0x000800000002351f-5.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023523-10.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023524-11.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023525-23.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023526-27.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023527-36.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023528-41.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0008000000023520-45.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002352a-53.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002352c-62.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002352b-64.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002352d-72.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002352f-81.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023530-82.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023531-92.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023532-97.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023533-102.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023534-108.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023535-116.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023536-122.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0002000000022a48-126.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

resource	yara_rule
behavioral2/memory/3908-0-0x00007FF74C1C0000-0x00007FF74C514000-memory.dmp	UPX
behavioral2/files/0x000800000002351f-5.dat	UPX
behavioral2/memory/2280-8-0x00007FF67C030000-0x00007FF67C384000-memory.dmp	UPX
behavioral2/files/0x0007000000023523-10.dat	UPX
behavioral2/files/0x0007000000023524-11.dat	UPX
behavioral2/memory/3668-19-0x00007FF6FE340000-0x00007FF6FE694000-memory.dmp	UPX
behavioral2/files/0x0007000000023525-23.dat	UPX
behavioral2/files/0x0007000000023526-27.dat	UPX
behavioral2/memory/1620-33-0x00007FF6A70B0000-0x00007FF6A7404000-memory.dmp	UPX
behavioral2/memory/2812-34-0x00007FF6F5CD0000-0x00007FF6F6024000-memory.dmp	UPX
behavioral2/files/0x0007000000023527-36.dat	UPX
behavioral2/memory/4148-25-0x00007FF7848C0000-0x00007FF784C14000-memory.dmp	UPX
behavioral2/memory/4084-38-0x00007FF6C96D0000-0x00007FF6C9A24000-memory.dmp	UPX
behavioral2/files/0x0007000000023528-41.dat	UPX
behavioral2/memory/384-42-0x00007FF639FE0000-0x00007FF63A334000-memory.dmp	UPX
behavioral2/files/0x0008000000023520-45.dat	UPX
behavioral2/files/0x000700000002352a-53.dat	UPX
behavioral2/memory/4608-46-0x00007FF6A69E0000-0x00007FF6A6D34000-memory.dmp	UPX
behavioral2/memory/3852-56-0x00007FF6015E0000-0x00007FF601934000-memory.dmp	UPX
behavioral2/files/0x000700000002352c-62.dat	UPX
behavioral2/files/0x000700000002352b-64.dat	UPX
behavioral2/memory/3908-66-0x00007FF74C1C0000-0x00007FF74C514000-memory.dmp	UPX
behavioral2/memory/1684-68-0x00007FF77C3E0000-0x00007FF77C734000-memory.dmp	UPX
behavioral2/memory/4520-60-0x00007FF79A580000-0x00007FF79A8D4000-memory.dmp	UPX
behavioral2/files/0x000700000002352d-72.dat	UPX
behavioral2/files/0x000700000002352f-81.dat	UPX
behavioral2/files/0x0007000000023530-82.dat	UPX
behavioral2/memory/5008-79-0x00007FF601090000-0x00007FF6013E4000-memory.dmp	UPX
behavioral2/memory/2532-91-0x00007FF6049C0000-0x00007FF604D14000-memory.dmp	UPX
behavioral2/files/0x0007000000023531-92.dat	UPX
behavioral2/memory/4160-90-0x00007FF6221B0000-0x00007FF622504000-memory.dmp	UPX
behavioral2/memory/4252-86-0x00007FF7AA1D0000-0x00007FF7AA524000-memory.dmp	UPX
behavioral2/files/0x0007000000023532-97.dat	UPX
behavioral2/memory/4812-99-0x00007FF6B3E50000-0x00007FF6B41A4000-memory.dmp	UPX
behavioral2/files/0x0007000000023533-102.dat	UPX
behavioral2/memory/4288-105-0x00007FF7385F0000-0x00007FF738944000-memory.dmp	UPX
behavioral2/files/0x0007000000023534-108.dat	UPX
behavioral2/memory/384-111-0x00007FF639FE0000-0x00007FF63A334000-memory.dmp	UPX
behavioral2/memory/5112-112-0x00007FF646050000-0x00007FF6463A4000-memory.dmp	UPX
behavioral2/files/0x0007000000023535-116.dat	UPX
behavioral2/memory/4608-118-0x00007FF6A69E0000-0x00007FF6A6D34000-memory.dmp	UPX
behavioral2/memory/1488-119-0x00007FF72EB00000-0x00007FF72EE54000-memory.dmp	UPX
behavioral2/files/0x0007000000023536-122.dat	UPX
behavioral2/files/0x0002000000022a48-126.dat	UPX
behavioral2/memory/1772-129-0x00007FF746BC0000-0x00007FF746F14000-memory.dmp	UPX
behavioral2/memory/4520-131-0x00007FF79A580000-0x00007FF79A8D4000-memory.dmp	UPX
behavioral2/memory/5072-130-0x00007FF788DC0000-0x00007FF789114000-memory.dmp	UPX
behavioral2/memory/1684-132-0x00007FF77C3E0000-0x00007FF77C734000-memory.dmp	UPX
behavioral2/memory/5008-133-0x00007FF601090000-0x00007FF6013E4000-memory.dmp	UPX
behavioral2/memory/2532-134-0x00007FF6049C0000-0x00007FF604D14000-memory.dmp	UPX
behavioral2/memory/2280-135-0x00007FF67C030000-0x00007FF67C384000-memory.dmp	UPX
behavioral2/memory/3668-136-0x00007FF6FE340000-0x00007FF6FE694000-memory.dmp	UPX
behavioral2/memory/4148-137-0x00007FF7848C0000-0x00007FF784C14000-memory.dmp	UPX
behavioral2/memory/1620-138-0x00007FF6A70B0000-0x00007FF6A7404000-memory.dmp	UPX
behavioral2/memory/2812-139-0x00007FF6F5CD0000-0x00007FF6F6024000-memory.dmp	UPX
behavioral2/memory/4084-140-0x00007FF6C96D0000-0x00007FF6C9A24000-memory.dmp	UPX
behavioral2/memory/4608-141-0x00007FF6A69E0000-0x00007FF6A6D34000-memory.dmp	UPX
behavioral2/memory/384-142-0x00007FF639FE0000-0x00007FF63A334000-memory.dmp	UPX
behavioral2/memory/3852-143-0x00007FF6015E0000-0x00007FF601934000-memory.dmp	UPX
behavioral2/memory/1684-144-0x00007FF77C3E0000-0x00007FF77C734000-memory.dmp	UPX
behavioral2/memory/4520-145-0x00007FF79A580000-0x00007FF79A8D4000-memory.dmp	UPX
behavioral2/memory/5008-146-0x00007FF601090000-0x00007FF6013E4000-memory.dmp	UPX
behavioral2/memory/4252-147-0x00007FF7AA1D0000-0x00007FF7AA524000-memory.dmp	UPX
behavioral2/memory/4160-148-0x00007FF6221B0000-0x00007FF622504000-memory.dmp	UPX

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/3908-0-0x00007FF74C1C0000-0x00007FF74C514000-memory.dmp	xmrig
behavioral2/files/0x000800000002351f-5.dat	xmrig
behavioral2/memory/2280-8-0x00007FF67C030000-0x00007FF67C384000-memory.dmp	xmrig
behavioral2/files/0x0007000000023523-10.dat	xmrig
behavioral2/files/0x0007000000023524-11.dat	xmrig
behavioral2/memory/3668-19-0x00007FF6FE340000-0x00007FF6FE694000-memory.dmp	xmrig
behavioral2/files/0x0007000000023525-23.dat	xmrig
behavioral2/files/0x0007000000023526-27.dat	xmrig
behavioral2/memory/1620-33-0x00007FF6A70B0000-0x00007FF6A7404000-memory.dmp	xmrig
behavioral2/memory/2812-34-0x00007FF6F5CD0000-0x00007FF6F6024000-memory.dmp	xmrig
behavioral2/files/0x0007000000023527-36.dat	xmrig
behavioral2/memory/4148-25-0x00007FF7848C0000-0x00007FF784C14000-memory.dmp	xmrig
behavioral2/memory/4084-38-0x00007FF6C96D0000-0x00007FF6C9A24000-memory.dmp	xmrig
behavioral2/files/0x0007000000023528-41.dat	xmrig
behavioral2/memory/384-42-0x00007FF639FE0000-0x00007FF63A334000-memory.dmp	xmrig
behavioral2/files/0x0008000000023520-45.dat	xmrig
behavioral2/files/0x000700000002352a-53.dat	xmrig
behavioral2/memory/4608-46-0x00007FF6A69E0000-0x00007FF6A6D34000-memory.dmp	xmrig
behavioral2/memory/3852-56-0x00007FF6015E0000-0x00007FF601934000-memory.dmp	xmrig
behavioral2/files/0x000700000002352c-62.dat	xmrig
behavioral2/files/0x000700000002352b-64.dat	xmrig
behavioral2/memory/3908-66-0x00007FF74C1C0000-0x00007FF74C514000-memory.dmp	xmrig
behavioral2/memory/1684-68-0x00007FF77C3E0000-0x00007FF77C734000-memory.dmp	xmrig
behavioral2/memory/4520-60-0x00007FF79A580000-0x00007FF79A8D4000-memory.dmp	xmrig
behavioral2/files/0x000700000002352d-72.dat	xmrig
behavioral2/files/0x000700000002352f-81.dat	xmrig
behavioral2/files/0x0007000000023530-82.dat	xmrig
behavioral2/memory/5008-79-0x00007FF601090000-0x00007FF6013E4000-memory.dmp	xmrig
behavioral2/memory/2532-91-0x00007FF6049C0000-0x00007FF604D14000-memory.dmp	xmrig
behavioral2/files/0x0007000000023531-92.dat	xmrig
behavioral2/memory/4160-90-0x00007FF6221B0000-0x00007FF622504000-memory.dmp	xmrig
behavioral2/memory/4252-86-0x00007FF7AA1D0000-0x00007FF7AA524000-memory.dmp	xmrig
behavioral2/files/0x0007000000023532-97.dat	xmrig
behavioral2/memory/4812-99-0x00007FF6B3E50000-0x00007FF6B41A4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023533-102.dat	xmrig
behavioral2/memory/4288-105-0x00007FF7385F0000-0x00007FF738944000-memory.dmp	xmrig
behavioral2/files/0x0007000000023534-108.dat	xmrig
behavioral2/memory/384-111-0x00007FF639FE0000-0x00007FF63A334000-memory.dmp	xmrig
behavioral2/memory/5112-112-0x00007FF646050000-0x00007FF6463A4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023535-116.dat	xmrig
behavioral2/memory/4608-118-0x00007FF6A69E0000-0x00007FF6A6D34000-memory.dmp	xmrig
behavioral2/memory/1488-119-0x00007FF72EB00000-0x00007FF72EE54000-memory.dmp	xmrig
behavioral2/files/0x0007000000023536-122.dat	xmrig
behavioral2/files/0x0002000000022a48-126.dat	xmrig
behavioral2/memory/1772-129-0x00007FF746BC0000-0x00007FF746F14000-memory.dmp	xmrig
behavioral2/memory/4520-131-0x00007FF79A580000-0x00007FF79A8D4000-memory.dmp	xmrig
behavioral2/memory/5072-130-0x00007FF788DC0000-0x00007FF789114000-memory.dmp	xmrig
behavioral2/memory/1684-132-0x00007FF77C3E0000-0x00007FF77C734000-memory.dmp	xmrig
behavioral2/memory/5008-133-0x00007FF601090000-0x00007FF6013E4000-memory.dmp	xmrig
behavioral2/memory/2532-134-0x00007FF6049C0000-0x00007FF604D14000-memory.dmp	xmrig
behavioral2/memory/2280-135-0x00007FF67C030000-0x00007FF67C384000-memory.dmp	xmrig
behavioral2/memory/3668-136-0x00007FF6FE340000-0x00007FF6FE694000-memory.dmp	xmrig
behavioral2/memory/4148-137-0x00007FF7848C0000-0x00007FF784C14000-memory.dmp	xmrig
behavioral2/memory/1620-138-0x00007FF6A70B0000-0x00007FF6A7404000-memory.dmp	xmrig
behavioral2/memory/2812-139-0x00007FF6F5CD0000-0x00007FF6F6024000-memory.dmp	xmrig
behavioral2/memory/4084-140-0x00007FF6C96D0000-0x00007FF6C9A24000-memory.dmp	xmrig
behavioral2/memory/4608-141-0x00007FF6A69E0000-0x00007FF6A6D34000-memory.dmp	xmrig
behavioral2/memory/384-142-0x00007FF639FE0000-0x00007FF63A334000-memory.dmp	xmrig
behavioral2/memory/3852-143-0x00007FF6015E0000-0x00007FF601934000-memory.dmp	xmrig
behavioral2/memory/1684-144-0x00007FF77C3E0000-0x00007FF77C734000-memory.dmp	xmrig
behavioral2/memory/4520-145-0x00007FF79A580000-0x00007FF79A8D4000-memory.dmp	xmrig
behavioral2/memory/5008-146-0x00007FF601090000-0x00007FF6013E4000-memory.dmp	xmrig
behavioral2/memory/4252-147-0x00007FF7AA1D0000-0x00007FF7AA524000-memory.dmp	xmrig
behavioral2/memory/4160-148-0x00007FF6221B0000-0x00007FF622504000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2280	ieuqLuF.exe
3668	OpEJRdl.exe
4148	gtxmDDC.exe
1620	fvjqiNf.exe
2812	ZwWPnHp.exe
4084	RAmtnxr.exe
384	AbypFcD.exe
4608	KoeGiWV.exe
3852	QGsfYLe.exe
4520	ksLoXIz.exe
1684	jdgTSld.exe
5008	beCDoqg.exe
4252	jUqbhYC.exe
4160	QHopuBR.exe
2532	RtRJJDo.exe
4812	GpQTzwj.exe
4288	fjKBNEq.exe
5112	BueaZof.exe
1488	HKptvbP.exe
1772	tScoKRT.exe
5072	hgFUZyh.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3908-0-0x00007FF74C1C0000-0x00007FF74C514000-memory.dmp	upx
behavioral2/files/0x000800000002351f-5.dat	upx
behavioral2/memory/2280-8-0x00007FF67C030000-0x00007FF67C384000-memory.dmp	upx
behavioral2/files/0x0007000000023523-10.dat	upx
behavioral2/files/0x0007000000023524-11.dat	upx
behavioral2/memory/3668-19-0x00007FF6FE340000-0x00007FF6FE694000-memory.dmp	upx
behavioral2/files/0x0007000000023525-23.dat	upx
behavioral2/files/0x0007000000023526-27.dat	upx
behavioral2/memory/1620-33-0x00007FF6A70B0000-0x00007FF6A7404000-memory.dmp	upx
behavioral2/memory/2812-34-0x00007FF6F5CD0000-0x00007FF6F6024000-memory.dmp	upx
behavioral2/files/0x0007000000023527-36.dat	upx
behavioral2/memory/4148-25-0x00007FF7848C0000-0x00007FF784C14000-memory.dmp	upx
behavioral2/memory/4084-38-0x00007FF6C96D0000-0x00007FF6C9A24000-memory.dmp	upx
behavioral2/files/0x0007000000023528-41.dat	upx
behavioral2/memory/384-42-0x00007FF639FE0000-0x00007FF63A334000-memory.dmp	upx
behavioral2/files/0x0008000000023520-45.dat	upx
behavioral2/files/0x000700000002352a-53.dat	upx
behavioral2/memory/4608-46-0x00007FF6A69E0000-0x00007FF6A6D34000-memory.dmp	upx
behavioral2/memory/3852-56-0x00007FF6015E0000-0x00007FF601934000-memory.dmp	upx
behavioral2/files/0x000700000002352c-62.dat	upx
behavioral2/files/0x000700000002352b-64.dat	upx
behavioral2/memory/3908-66-0x00007FF74C1C0000-0x00007FF74C514000-memory.dmp	upx
behavioral2/memory/1684-68-0x00007FF77C3E0000-0x00007FF77C734000-memory.dmp	upx
behavioral2/memory/4520-60-0x00007FF79A580000-0x00007FF79A8D4000-memory.dmp	upx
behavioral2/files/0x000700000002352d-72.dat	upx
behavioral2/files/0x000700000002352f-81.dat	upx
behavioral2/files/0x0007000000023530-82.dat	upx
behavioral2/memory/5008-79-0x00007FF601090000-0x00007FF6013E4000-memory.dmp	upx
behavioral2/memory/2532-91-0x00007FF6049C0000-0x00007FF604D14000-memory.dmp	upx
behavioral2/files/0x0007000000023531-92.dat	upx
behavioral2/memory/4160-90-0x00007FF6221B0000-0x00007FF622504000-memory.dmp	upx
behavioral2/memory/4252-86-0x00007FF7AA1D0000-0x00007FF7AA524000-memory.dmp	upx
behavioral2/files/0x0007000000023532-97.dat	upx
behavioral2/memory/4812-99-0x00007FF6B3E50000-0x00007FF6B41A4000-memory.dmp	upx
behavioral2/files/0x0007000000023533-102.dat	upx
behavioral2/memory/4288-105-0x00007FF7385F0000-0x00007FF738944000-memory.dmp	upx
behavioral2/files/0x0007000000023534-108.dat	upx
behavioral2/memory/384-111-0x00007FF639FE0000-0x00007FF63A334000-memory.dmp	upx
behavioral2/memory/5112-112-0x00007FF646050000-0x00007FF6463A4000-memory.dmp	upx
behavioral2/files/0x0007000000023535-116.dat	upx
behavioral2/memory/4608-118-0x00007FF6A69E0000-0x00007FF6A6D34000-memory.dmp	upx
behavioral2/memory/1488-119-0x00007FF72EB00000-0x00007FF72EE54000-memory.dmp	upx
behavioral2/files/0x0007000000023536-122.dat	upx
behavioral2/files/0x0002000000022a48-126.dat	upx
behavioral2/memory/1772-129-0x00007FF746BC0000-0x00007FF746F14000-memory.dmp	upx
behavioral2/memory/4520-131-0x00007FF79A580000-0x00007FF79A8D4000-memory.dmp	upx
behavioral2/memory/5072-130-0x00007FF788DC0000-0x00007FF789114000-memory.dmp	upx
behavioral2/memory/1684-132-0x00007FF77C3E0000-0x00007FF77C734000-memory.dmp	upx
behavioral2/memory/5008-133-0x00007FF601090000-0x00007FF6013E4000-memory.dmp	upx
behavioral2/memory/2532-134-0x00007FF6049C0000-0x00007FF604D14000-memory.dmp	upx
behavioral2/memory/2280-135-0x00007FF67C030000-0x00007FF67C384000-memory.dmp	upx
behavioral2/memory/3668-136-0x00007FF6FE340000-0x00007FF6FE694000-memory.dmp	upx
behavioral2/memory/4148-137-0x00007FF7848C0000-0x00007FF784C14000-memory.dmp	upx
behavioral2/memory/1620-138-0x00007FF6A70B0000-0x00007FF6A7404000-memory.dmp	upx
behavioral2/memory/2812-139-0x00007FF6F5CD0000-0x00007FF6F6024000-memory.dmp	upx
behavioral2/memory/4084-140-0x00007FF6C96D0000-0x00007FF6C9A24000-memory.dmp	upx
behavioral2/memory/4608-141-0x00007FF6A69E0000-0x00007FF6A6D34000-memory.dmp	upx
behavioral2/memory/384-142-0x00007FF639FE0000-0x00007FF63A334000-memory.dmp	upx
behavioral2/memory/3852-143-0x00007FF6015E0000-0x00007FF601934000-memory.dmp	upx
behavioral2/memory/1684-144-0x00007FF77C3E0000-0x00007FF77C734000-memory.dmp	upx
behavioral2/memory/4520-145-0x00007FF79A580000-0x00007FF79A8D4000-memory.dmp	upx
behavioral2/memory/5008-146-0x00007FF601090000-0x00007FF6013E4000-memory.dmp	upx
behavioral2/memory/4252-147-0x00007FF7AA1D0000-0x00007FF7AA524000-memory.dmp	upx
behavioral2/memory/4160-148-0x00007FF6221B0000-0x00007FF622504000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\RtRJJDo.exe	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\tScoKRT.exe	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ZwWPnHp.exe	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\RAmtnxr.exe	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\jdgTSld.exe	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\fjKBNEq.exe	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\BueaZof.exe	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\hgFUZyh.exe	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\AbypFcD.exe	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ksLoXIz.exe	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\QHopuBR.exe	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\HKptvbP.exe	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ieuqLuF.exe	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\OpEJRdl.exe	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\gtxmDDC.exe	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\beCDoqg.exe	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\jUqbhYC.exe	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\GpQTzwj.exe	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\fvjqiNf.exe	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\KoeGiWV.exe	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\QGsfYLe.exe	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	3908	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	3908	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 3908 wrote to memory of 2280	3908	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe	92
PID 3908 wrote to memory of 2280	3908	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe	92
PID 3908 wrote to memory of 3668	3908	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe	93
PID 3908 wrote to memory of 3668	3908	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe	93
PID 3908 wrote to memory of 4148	3908	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe	94
PID 3908 wrote to memory of 4148	3908	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe	94
PID 3908 wrote to memory of 1620	3908	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe	95
PID 3908 wrote to memory of 1620	3908	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe	95
PID 3908 wrote to memory of 2812	3908	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe	96
PID 3908 wrote to memory of 2812	3908	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe	96
PID 3908 wrote to memory of 4084	3908	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe	97
PID 3908 wrote to memory of 4084	3908	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe	97
PID 3908 wrote to memory of 384	3908	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe	98
PID 3908 wrote to memory of 384	3908	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe	98
PID 3908 wrote to memory of 4608	3908	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe	99
PID 3908 wrote to memory of 4608	3908	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe	99
PID 3908 wrote to memory of 3852	3908	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe	100
PID 3908 wrote to memory of 3852	3908	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe	100
PID 3908 wrote to memory of 4520	3908	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe	101
PID 3908 wrote to memory of 4520	3908	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe	101
PID 3908 wrote to memory of 1684	3908	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe	103
PID 3908 wrote to memory of 1684	3908	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe	103
PID 3908 wrote to memory of 5008	3908	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe	104
PID 3908 wrote to memory of 5008	3908	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe	104
PID 3908 wrote to memory of 4160	3908	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe	105
PID 3908 wrote to memory of 4160	3908	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe	105
PID 3908 wrote to memory of 4252	3908	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe	106
PID 3908 wrote to memory of 4252	3908	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe	106
PID 3908 wrote to memory of 2532	3908	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe	107
PID 3908 wrote to memory of 2532	3908	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe	107
PID 3908 wrote to memory of 4812	3908	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe	109
PID 3908 wrote to memory of 4812	3908	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe	109
PID 3908 wrote to memory of 4288	3908	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe	110
PID 3908 wrote to memory of 4288	3908	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe	110
PID 3908 wrote to memory of 5112	3908	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe	112
PID 3908 wrote to memory of 5112	3908	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe	112
PID 3908 wrote to memory of 1488	3908	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe	113
PID 3908 wrote to memory of 1488	3908	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe	113
PID 3908 wrote to memory of 1772	3908	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe	116
PID 3908 wrote to memory of 1772	3908	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe	116
PID 3908 wrote to memory of 5072	3908	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe	117
PID 3908 wrote to memory of 5072	3908	2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe	117

C:\Users\Admin\AppData\Local\Temp\2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-06_d019a83b5d82dfd5b43a37c2e9167272_cobalt-strike_cobaltstrike.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3908
- C:\Windows\System\ieuqLuF.exe
  C:\Windows\System\ieuqLuF.exe
  2⤵
  - Executes dropped EXE
  PID:2280
- C:\Windows\System\OpEJRdl.exe
  C:\Windows\System\OpEJRdl.exe
  2⤵
  - Executes dropped EXE
  PID:3668
- C:\Windows\System\gtxmDDC.exe
  C:\Windows\System\gtxmDDC.exe
  2⤵
  - Executes dropped EXE
  PID:4148
- C:\Windows\System\fvjqiNf.exe
  C:\Windows\System\fvjqiNf.exe
  2⤵
  - Executes dropped EXE
  PID:1620
- C:\Windows\System\ZwWPnHp.exe
  C:\Windows\System\ZwWPnHp.exe
  2⤵
  - Executes dropped EXE
  PID:2812
- C:\Windows\System\RAmtnxr.exe
  C:\Windows\System\RAmtnxr.exe
  2⤵
  - Executes dropped EXE
  PID:4084
- C:\Windows\System\AbypFcD.exe
  C:\Windows\System\AbypFcD.exe
  2⤵
  - Executes dropped EXE
  PID:384
- C:\Windows\System\KoeGiWV.exe
  C:\Windows\System\KoeGiWV.exe
  2⤵
  - Executes dropped EXE
  PID:4608
- C:\Windows\System\QGsfYLe.exe
  C:\Windows\System\QGsfYLe.exe
  2⤵
  - Executes dropped EXE
  PID:3852
- C:\Windows\System\ksLoXIz.exe
  C:\Windows\System\ksLoXIz.exe
  2⤵
  - Executes dropped EXE
  PID:4520
- C:\Windows\System\jdgTSld.exe
  C:\Windows\System\jdgTSld.exe
  2⤵
  - Executes dropped EXE
  PID:1684
- C:\Windows\System\beCDoqg.exe
  C:\Windows\System\beCDoqg.exe
  2⤵
  - Executes dropped EXE
  PID:5008
- C:\Windows\System\QHopuBR.exe
  C:\Windows\System\QHopuBR.exe
  2⤵
  - Executes dropped EXE
  PID:4160
- C:\Windows\System\jUqbhYC.exe
  C:\Windows\System\jUqbhYC.exe
  2⤵
  - Executes dropped EXE
  PID:4252
- C:\Windows\System\RtRJJDo.exe
  C:\Windows\System\RtRJJDo.exe
  2⤵
  - Executes dropped EXE
  PID:2532
- C:\Windows\System\GpQTzwj.exe
  C:\Windows\System\GpQTzwj.exe
  2⤵
  - Executes dropped EXE
  PID:4812
- C:\Windows\System\fjKBNEq.exe
  C:\Windows\System\fjKBNEq.exe
  2⤵
  - Executes dropped EXE
  PID:4288
- C:\Windows\System\BueaZof.exe
  C:\Windows\System\BueaZof.exe
  2⤵
  - Executes dropped EXE
  PID:5112
- C:\Windows\System\HKptvbP.exe
  C:\Windows\System\HKptvbP.exe
  2⤵
  - Executes dropped EXE
  PID:1488
- C:\Windows\System\tScoKRT.exe
  C:\Windows\System\tScoKRT.exe
  2⤵
  - Executes dropped EXE
  PID:1772
- C:\Windows\System\hgFUZyh.exe
  C:\Windows\System\hgFUZyh.exe
  2⤵
  - Executes dropped EXE
  PID:5072

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4176,i,5711962389779687290,1245653010537220991,262144 --variations-seed-version --mojo-platform-channel-handle=4088 /prefetch:8
1⤵
PID:2888

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AbypFcD.exe

Filesize
5.9MB

MD5
8197342349388299f155d408ed3db88b

SHA1
72fdae46b77056e8fcf24d378833a5a50f905d16

SHA256
8e89fef934424eaa5b2d4aa53bf3c0d2d8f11fad46c57b8fb85b30f65589e7f3

SHA512
e2f2ffe9c4cc0b1b69d03cb8c6a4957754f8551f83c929d2847882f75fd908a442d720a00c7a0789a98b04136b6e258d5326b68ed9668ff0819d95d22a855255

Download Submit
C:\Windows\System\BueaZof.exe

Filesize
5.9MB

MD5
ffe2e1ba3aa832e031be21c7555e13b4

SHA1
3dffbf2c1326230e2bd05aa4a8ab96c2f10e5945

SHA256
e4d1b32129ad1fef75a2e2cec683e7bbeccfed661cb369b0145359a8bfa06213

SHA512
231b3606f082d978c88467453e107aa0cb58e4782a355fa0eb6531cd43c32bda6d55a90fae08495e78a027a133f86d49d967417555f76ccfcb8d1b223d787bcb

Download Submit
C:\Windows\System\GpQTzwj.exe

Filesize
5.9MB

MD5
2a34bd86d82d63efe9690336d02da7b6

SHA1
cf4ac2e67e17fd1dd2781c80212c966be5385e7f

SHA256
7b2f412a354f20a16aa98bbc9c8d06274d6d8415775bfe9d03e7559a072851c5

SHA512
dc4265ac8831c2d8e6db09e0803073c2582cc4c8aead790102111dc35cb55403800159e554a047b9544678056e0cb41f254f5865bf7547d10401b0f0b880c4b4

Download Submit
C:\Windows\System\HKptvbP.exe

Filesize
5.9MB

MD5
2f524c42f5ae6b90c32cc46a3d78663b

SHA1
747e47ce0cab101f357ed92886149af14c3458ed

SHA256
9e37f86a4da16e603238759667671d6beab23ca8cc2b5ab53fb4587fbe73c0a8

SHA512
3cc07fdac375db5d16e9faff48f200278fb6738e7a633e3ed11ff8115de3c89731b1ee6f18d913bf7716c8da7532945038bb03d69eabf1736cc300e641411c5f

Download Submit
C:\Windows\System\KoeGiWV.exe

Filesize
5.9MB

MD5
2c1bdf00c786cdd2cbb12bfaa3afaddd

SHA1
fb4ef8eee88b471a8d23621dd1eec54431e9519b

SHA256
8d5499de03b2bec52c50d49998cec6b710e06180b2733afba3920f6a29566477

SHA512
0fc3d74d16ede91072fab41ca0d87d006e2e0cac3ab516b01217dc429870a3f59aa7e10880a4712e4942e5d5ba5f85bafc418ce9bcb51d4db2776c5e8bbf02dc

Download Submit
C:\Windows\System\OpEJRdl.exe

Filesize
5.9MB

MD5
65bd1678181d49c0ba859b47a996bf51

SHA1
7422763039a0b8aa01ea8494771e5e3a0270b7a3

SHA256
aad400babbc0eb034d0e66c354ba572db0a00b5c737eb84eac9d2e36e97a8aab

SHA512
eec5809e20391ab1dccaaecb1f3e74f9fdaac937fdda1280d0a242648beefe4bc3bb9dcbb8aa269c638411f2b5a5d04c7e47754d0cc67628647fc1ef6b6b190f

Download Submit
C:\Windows\System\QGsfYLe.exe

Filesize
5.9MB

MD5
cbbc30e67164df322944bbf2c3b470d4

SHA1
5d3bb2c840dd82e29016a902d0fa395a99c3fed7

SHA256
d8808a4f1d16e6d1ad25596992ebc4ae38741873750a39a9cef594cb2134e5b1

SHA512
2daba6cb2251343ff9dec031e20ddf572e0f224a540533cc616de0271e31aca413aa4d58f74a1c5ed669b2a43f2123c2700dbfe24f93d2031f868505df93b44a

Download Submit
C:\Windows\System\QHopuBR.exe

Filesize
5.9MB

MD5
fd65d451231ae7ec220a981ff9e38a72

SHA1
9aa260d4f19a02a4cf9ee486869b9f51734622fb

SHA256
93857cae387fdab26f3c199afdbc29e20fbf1d7be30a4a47fcf321350a5e9f82

SHA512
6814de525833e3bd55aa7474178be27b053af4cc91eae4c151301f16b27e8657f5fedc004090ef98655364a567d34675118e5428c5d0410506bea5d281ca752c

Download Submit
C:\Windows\System\RAmtnxr.exe

Filesize
5.9MB

MD5
adfc734e70480bdde58434ec95817659

SHA1
234f8755576f349074654d78383100438e65ff73

SHA256
cd3d29f4b23c9bd0a99f508a22eb157bfdde1574aca2fc3c98d44e05a90a4b21

SHA512
830550d6a00a68df3acbf71fb7a355e4fd7099bdd3696de7749301e92979d76bcdc20317075d4c404b270e68901d7b7bd17e57b66923233cd563b2acf463c32d

Download Submit
C:\Windows\System\RtRJJDo.exe

Filesize
5.9MB

MD5
bb9879dffb92537028769a849007364f

SHA1
ed371b106f2798770ccdac0be44b413976a2c10f

SHA256
0a5f52e836acae83dd71bf56281c2fa1267c9d8fb8b58a14e47b997a34fc64c7

SHA512
ab0a5d7fb44a83c0c21336f7e38172c3fb86a11799d109133064e6b40f7fba51a8eceb7ecaa5acdc5afa912c92cf6996a67733fce7b279b79bf89901da3e3a00

Download Submit
C:\Windows\System\ZwWPnHp.exe

Filesize
5.9MB

MD5
86fd4fac5770a027c21b6053222915fc

SHA1
b6acafc35b6efeaa48d1cbf156622c39d69a8c92

SHA256
38228dac5a724268a97529fd0c0e268ecfb6e032496477204ff833d99213b697

SHA512
2e3f3114482d795e32e7cf48bfde8bd3abbf84bbefae34c074dd777e028be19978cdbd5317994cfb3946b78bdbfeb0820e4ea2a885a0489128bc3bd723b03b92

Download Submit
C:\Windows\System\beCDoqg.exe

Filesize
5.9MB

MD5
ac9ea53a9db52053071215cf4e359904

SHA1
444ec28b2cf549fb13d8fea99aa5ea58e3eba629

SHA256
98f3d762d181064d182280d5f55ca757b9c8ce749ccdd6396fd1991b8bfe2138

SHA512
b1e7862c5189510b6df985b169deb63b5819cc2a4e8cce50a7ca72d360050d847708c258a8547a65f2e2979c03741ef4f230d52bb7a8ee73d5794164e606c2f5

Download Submit
C:\Windows\System\fjKBNEq.exe

Filesize
5.9MB

MD5
22eeff9a60540350084c3c7d96b34aab

SHA1
bf20a548798bf23fc7c18f0481a350cbe608b30c

SHA256
085035528458375996745d3249324bc54470737134124267e56a9bba383a3825

SHA512
9eb47b21c297df6f37b8d0a4d43ca839dd1d4b60c5faf773b0d906c916ed9e443f50151d348a5212ad9e71000673ee62cb695976db2c5695fba04784b9907bbb

Download Submit
C:\Windows\System\fvjqiNf.exe

Filesize
5.9MB

MD5
4720d74afed5fa9b7701036f08afd2f7

SHA1
a874afe89e40c55fcde498e86cd34768252b346a

SHA256
4798aefd51d1bf92cff6e6288c7f3ee990530b6975d5bcc45a37a416a11c9ea0

SHA512
58924ee545d8886f1a73a9b1fde9310232a2b179d0a64822f91d01af2a6580892620ade32190a95e573028ec2b7934f9552e1b0ca2b6e14f6975bea49572ea13

Download Submit
C:\Windows\System\gtxmDDC.exe

Filesize
5.9MB

MD5
325f3b45de0d894527749d371dd005a1

SHA1
637cdeaced427d45e7818251dadfd1106153a8ad

SHA256
9a3d0e59cfa5631a54a772d832513bfb092149df7450babbb4e3fa4a0202dee6

SHA512
9ee2ea3976f531827869a65ab3248d819e26d2d7648040beb4b5934ed5a7e1f194d740c509a2a93dd1d1c619cdc58a2cf8f0f36e526f78ee98880e67f34b8bb7

Download Submit
C:\Windows\System\hgFUZyh.exe

Filesize
5.9MB

MD5
569cfd6a39f08739fac392a44f4a9898

SHA1
f875b187ed5509947b9e78888837a842a30294ab

SHA256
013bc1ad101e406ae6d2881d6ef3e975a5f0d2cc59bb3a2c4131a09e062326b0

SHA512
7d0a5a67358567b3f26b876af945e4dcdb727fb43a1da55ef427489594e4df087a536c0126f7f5d96877e7d22981be5f7ddec44a23a627302a27c2b668288b6d

Download Submit
C:\Windows\System\ieuqLuF.exe

Filesize
5.9MB

MD5
a5a37b293bbb096786bc9000e9aabe51

SHA1
ba9d655e2b89376ef1aab7bf695fa9c2ffde18a9

SHA256
684f3aeb67fa55cbe36d56380344f606c254ee0375082bac99b1a33bf97e540f

SHA512
7adc998e20a5545f1629a55b48e09e7c51fbbfd761f66da44bdc69e66028d4ec36e97a3502ff2aca153d4b70ae0c9551353c72f606af93f5cd56bc880841fbe6

Download Submit
C:\Windows\System\jUqbhYC.exe

Filesize
5.9MB

MD5
5572582b1862586a4e4049ec58b68d6c

SHA1
b499b6d2435d264ea50ac1554fa93cdc91cae24f

SHA256
c9ac00b68ac01f9bd944bb3a1bc3daeb5c5c809a90b34666d0d96f794a1c0199

SHA512
7d22a8b507ae9f3ddffe5c18703b685e22b845b2cbd398d1f826d3b6f2cd0ba4d5853204f7417508a42a7861ea8e77e81db3ea94153da57a8abf043ae54e94f7

Download Submit
C:\Windows\System\jdgTSld.exe

Filesize
5.9MB

MD5
f3545b1ffc6b2cb281e73e7256240583

SHA1
09da5428e2478d7c3212589c09f93487e86d1729

SHA256
8f297e2677f157652e64f1b3c59062b0e1125fb081eb4cb28d68a7a3fbdaa8e6

SHA512
4318903a8ed14385d333c99bd2ba8b11af93c0d27a03e0f84bd6f08b3600273d6aab54b48251c33469d44d1e1a1a0e77fcfb07df13ceebe7ec88a2fe489d3df6

Download Submit
C:\Windows\System\ksLoXIz.exe

Filesize
5.9MB

MD5
fb4eba6234ee798fbcc8b65b551d94ac

SHA1
20c1e6953862be127156e42ae897c081ceed4fcc

SHA256
21d9b27a2db601d43833de45833f58ceef94f69532f9088b56a4af61e5ddfe67

SHA512
94487ae114c87f69b85b1d1a54de5c9dc25adc0f1dfa5312bc32c2178f3c823315bb0664e3f8c9cb27a4f64cd2a4894783175d297021699ff644bff2e62c876d

Download Submit
C:\Windows\System\tScoKRT.exe

Filesize
5.9MB

MD5
8f60b8a7b589183c2772d9bf4d2fdd71

SHA1
a31e242ca64957e69d27a723211f6f697898c87c

SHA256
afa6231d049987cd577bb1d42490c9663cc934c86ece8c79a22bbd25e8d4119c

SHA512
63346fe6355b140e63a7788ec05691cb10e7b4431f08ca1783c742ace80d5938a0a79f3ee4b487f065936cf00edc41c0cb55857971dfe812b95c8c734eb9437b

Download Submit
memory/384-142-0x00007FF639FE0000-0x00007FF63A334000-memory.dmp

Filesize
3.3MB

Download
memory/384-42-0x00007FF639FE0000-0x00007FF63A334000-memory.dmp

Filesize
3.3MB

Download
memory/384-111-0x00007FF639FE0000-0x00007FF63A334000-memory.dmp

Filesize
3.3MB

Download
memory/1488-153-0x00007FF72EB00000-0x00007FF72EE54000-memory.dmp

Filesize
3.3MB

Download
memory/1488-119-0x00007FF72EB00000-0x00007FF72EE54000-memory.dmp

Filesize
3.3MB

Download
memory/1620-33-0x00007FF6A70B0000-0x00007FF6A7404000-memory.dmp

Filesize
3.3MB

Download
memory/1620-138-0x00007FF6A70B0000-0x00007FF6A7404000-memory.dmp

Filesize
3.3MB

Download
memory/1684-132-0x00007FF77C3E0000-0x00007FF77C734000-memory.dmp

Filesize
3.3MB

Download
memory/1684-68-0x00007FF77C3E0000-0x00007FF77C734000-memory.dmp

Filesize
3.3MB

Download
memory/1684-144-0x00007FF77C3E0000-0x00007FF77C734000-memory.dmp

Filesize
3.3MB

Download
memory/1772-129-0x00007FF746BC0000-0x00007FF746F14000-memory.dmp

Filesize
3.3MB

Download
memory/1772-154-0x00007FF746BC0000-0x00007FF746F14000-memory.dmp

Filesize
3.3MB

Download
memory/2280-135-0x00007FF67C030000-0x00007FF67C384000-memory.dmp

Filesize
3.3MB

Download
memory/2280-8-0x00007FF67C030000-0x00007FF67C384000-memory.dmp

Filesize
3.3MB

Download
memory/2532-91-0x00007FF6049C0000-0x00007FF604D14000-memory.dmp

Filesize
3.3MB

Download
memory/2532-134-0x00007FF6049C0000-0x00007FF604D14000-memory.dmp

Filesize
3.3MB

Download
memory/2532-149-0x00007FF6049C0000-0x00007FF604D14000-memory.dmp

Filesize
3.3MB

Download
memory/2812-139-0x00007FF6F5CD0000-0x00007FF6F6024000-memory.dmp

Filesize
3.3MB

Download
memory/2812-34-0x00007FF6F5CD0000-0x00007FF6F6024000-memory.dmp

Filesize
3.3MB

Download
memory/3668-19-0x00007FF6FE340000-0x00007FF6FE694000-memory.dmp

Filesize
3.3MB

Download
memory/3668-136-0x00007FF6FE340000-0x00007FF6FE694000-memory.dmp

Filesize
3.3MB

Download
memory/3852-56-0x00007FF6015E0000-0x00007FF601934000-memory.dmp

Filesize
3.3MB

Download
memory/3852-143-0x00007FF6015E0000-0x00007FF601934000-memory.dmp

Filesize
3.3MB

Download
memory/3908-0-0x00007FF74C1C0000-0x00007FF74C514000-memory.dmp

Filesize
3.3MB

Download
memory/3908-1-0x0000018F3B350000-0x0000018F3B360000-memory.dmp

Filesize
64KB

Download
memory/3908-66-0x00007FF74C1C0000-0x00007FF74C514000-memory.dmp

Filesize
3.3MB

Download
memory/4084-140-0x00007FF6C96D0000-0x00007FF6C9A24000-memory.dmp

Filesize
3.3MB

Download
memory/4084-38-0x00007FF6C96D0000-0x00007FF6C9A24000-memory.dmp

Filesize
3.3MB

Download
memory/4148-137-0x00007FF7848C0000-0x00007FF784C14000-memory.dmp

Filesize
3.3MB

Download
memory/4148-25-0x00007FF7848C0000-0x00007FF784C14000-memory.dmp

Filesize
3.3MB

Download
memory/4160-90-0x00007FF6221B0000-0x00007FF622504000-memory.dmp

Filesize
3.3MB

Download
memory/4160-148-0x00007FF6221B0000-0x00007FF622504000-memory.dmp

Filesize
3.3MB

Download
memory/4252-147-0x00007FF7AA1D0000-0x00007FF7AA524000-memory.dmp

Filesize
3.3MB

Download
memory/4252-86-0x00007FF7AA1D0000-0x00007FF7AA524000-memory.dmp

Filesize
3.3MB

Download
memory/4288-105-0x00007FF7385F0000-0x00007FF738944000-memory.dmp

Filesize
3.3MB

Download
memory/4288-151-0x00007FF7385F0000-0x00007FF738944000-memory.dmp

Filesize
3.3MB

Download
memory/4520-60-0x00007FF79A580000-0x00007FF79A8D4000-memory.dmp

Filesize
3.3MB

Download
memory/4520-131-0x00007FF79A580000-0x00007FF79A8D4000-memory.dmp

Filesize
3.3MB

Download
memory/4520-145-0x00007FF79A580000-0x00007FF79A8D4000-memory.dmp

Filesize
3.3MB

Download
memory/4608-141-0x00007FF6A69E0000-0x00007FF6A6D34000-memory.dmp

Filesize
3.3MB

Download
memory/4608-118-0x00007FF6A69E0000-0x00007FF6A6D34000-memory.dmp

Filesize
3.3MB

Download
memory/4608-46-0x00007FF6A69E0000-0x00007FF6A6D34000-memory.dmp

Filesize
3.3MB

Download
memory/4812-99-0x00007FF6B3E50000-0x00007FF6B41A4000-memory.dmp

Filesize
3.3MB

Download
memory/4812-150-0x00007FF6B3E50000-0x00007FF6B41A4000-memory.dmp

Filesize
3.3MB

Download
memory/5008-146-0x00007FF601090000-0x00007FF6013E4000-memory.dmp

Filesize
3.3MB

Download
memory/5008-79-0x00007FF601090000-0x00007FF6013E4000-memory.dmp

Filesize
3.3MB

Download
memory/5008-133-0x00007FF601090000-0x00007FF6013E4000-memory.dmp

Filesize
3.3MB

Download
memory/5072-130-0x00007FF788DC0000-0x00007FF789114000-memory.dmp

Filesize
3.3MB

Download
memory/5072-155-0x00007FF788DC0000-0x00007FF789114000-memory.dmp

Filesize
3.3MB

Download
memory/5112-112-0x00007FF646050000-0x00007FF6463A4000-memory.dmp

Filesize
3.3MB

Download
memory/5112-152-0x00007FF646050000-0x00007FF6463A4000-memory.dmp

Filesize
3.3MB

Download