cobaltstrike | 3c3fc6226215c67c9930a48aba0e7d1f78b3c7fef2e536c69d5c0ee72dba480a

Analysis

max time kernel
140s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
08/06/2024, 03:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe
Size

5.9MB
MD5

331d709d14967e321553b9ddfb2a4d1c
SHA1

11268077514ba43e1d44254c0d249f0c17348f9e
SHA256

3c3fc6226215c67c9930a48aba0e7d1f78b3c7fef2e536c69d5c0ee72dba480a
SHA512

a6ae3936e2bc54c3fffd5f7894165e5328e48fe9386967e3a3636b69f7ab92e9e6f044f54f07d77f0e74416011319daaa449bf8961cd44fd1ca2c8ccc8860e16
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lU8:Q+856utgpPF8u/78

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000b000000023214-4.dat	cobalt_reflective_dll
behavioral2/files/0x000800000002323d-10.dat	cobalt_reflective_dll
behavioral2/files/0x000800000002323b-11.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002323e-24.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002323f-28.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023241-35.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023242-41.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023243-46.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023245-54.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023246-60.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023247-65.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023248-71.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023249-80.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002324a-85.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002324b-91.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002324c-99.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002324d-104.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002324e-112.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023250-116.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023251-123.dat	cobalt_reflective_dll
behavioral2/files/0x000200000001e32b-128.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

resource	yara_rule
behavioral2/files/0x000b000000023214-4.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000800000002323d-10.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000800000002323b-11.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002323e-24.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002323f-28.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023241-35.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023242-41.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023243-46.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023245-54.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023246-60.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023247-65.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023248-71.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023249-80.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002324a-85.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002324b-91.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002324c-99.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002324d-104.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002324e-112.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023250-116.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023251-123.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000200000001e32b-128.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

resource	yara_rule
behavioral2/memory/3968-0-0x00007FF7F8ED0000-0x00007FF7F9224000-memory.dmp	UPX
behavioral2/files/0x000b000000023214-4.dat	UPX
behavioral2/memory/568-8-0x00007FF77B6D0000-0x00007FF77BA24000-memory.dmp	UPX
behavioral2/files/0x000800000002323d-10.dat	UPX
behavioral2/memory/4816-14-0x00007FF609790000-0x00007FF609AE4000-memory.dmp	UPX
behavioral2/files/0x000800000002323b-11.dat	UPX
behavioral2/files/0x000700000002323e-24.dat	UPX
behavioral2/memory/3976-26-0x00007FF7BA0C0000-0x00007FF7BA414000-memory.dmp	UPX
behavioral2/memory/1156-20-0x00007FF7AD1D0000-0x00007FF7AD524000-memory.dmp	UPX
behavioral2/files/0x000700000002323f-28.dat	UPX
behavioral2/memory/4304-30-0x00007FF769610000-0x00007FF769964000-memory.dmp	UPX
behavioral2/files/0x0007000000023241-35.dat	UPX
behavioral2/memory/4896-38-0x00007FF71A670000-0x00007FF71A9C4000-memory.dmp	UPX
behavioral2/files/0x0007000000023242-41.dat	UPX
behavioral2/memory/1724-44-0x00007FF74D450000-0x00007FF74D7A4000-memory.dmp	UPX
behavioral2/files/0x0007000000023243-46.dat	UPX
behavioral2/memory/2168-50-0x00007FF724D50000-0x00007FF7250A4000-memory.dmp	UPX
behavioral2/files/0x0007000000023245-54.dat	UPX
behavioral2/memory/2100-56-0x00007FF744CE0000-0x00007FF745034000-memory.dmp	UPX
behavioral2/files/0x0007000000023246-60.dat	UPX
behavioral2/memory/3968-62-0x00007FF7F8ED0000-0x00007FF7F9224000-memory.dmp	UPX
behavioral2/memory/1048-63-0x00007FF707550000-0x00007FF7078A4000-memory.dmp	UPX
behavioral2/files/0x0007000000023247-65.dat	UPX
behavioral2/memory/3852-69-0x00007FF654290000-0x00007FF6545E4000-memory.dmp	UPX
behavioral2/files/0x0007000000023248-71.dat	UPX
behavioral2/memory/4816-75-0x00007FF609790000-0x00007FF609AE4000-memory.dmp	UPX
behavioral2/memory/2288-76-0x00007FF7AA000000-0x00007FF7AA354000-memory.dmp	UPX
behavioral2/files/0x0007000000023249-80.dat	UPX
behavioral2/memory/3972-82-0x00007FF6816D0000-0x00007FF681A24000-memory.dmp	UPX
behavioral2/files/0x000700000002324a-85.dat	UPX
behavioral2/memory/2272-88-0x00007FF68E340000-0x00007FF68E694000-memory.dmp	UPX
behavioral2/files/0x000700000002324b-91.dat	UPX
behavioral2/memory/4304-92-0x00007FF769610000-0x00007FF769964000-memory.dmp	UPX
behavioral2/memory/1820-95-0x00007FF792F90000-0x00007FF7932E4000-memory.dmp	UPX
behavioral2/files/0x000700000002324c-99.dat	UPX
behavioral2/memory/1712-101-0x00007FF6FB580000-0x00007FF6FB8D4000-memory.dmp	UPX
behavioral2/files/0x000700000002324d-104.dat	UPX
behavioral2/memory/1724-105-0x00007FF74D450000-0x00007FF74D7A4000-memory.dmp	UPX
behavioral2/memory/2252-106-0x00007FF68D060000-0x00007FF68D3B4000-memory.dmp	UPX
behavioral2/files/0x000700000002324e-112.dat	UPX
behavioral2/files/0x0007000000023250-116.dat	UPX
behavioral2/memory/720-119-0x00007FF7F0EA0000-0x00007FF7F11F4000-memory.dmp	UPX
behavioral2/files/0x0007000000023251-123.dat	UPX
behavioral2/memory/2100-125-0x00007FF744CE0000-0x00007FF745034000-memory.dmp	UPX
behavioral2/files/0x000200000001e32b-128.dat	UPX
behavioral2/memory/3164-126-0x00007FF797BB0000-0x00007FF797F04000-memory.dmp	UPX
behavioral2/memory/808-129-0x00007FF7EE720000-0x00007FF7EEA74000-memory.dmp	UPX
behavioral2/memory/3888-132-0x00007FF69C9D0000-0x00007FF69CD24000-memory.dmp	UPX
behavioral2/memory/1820-133-0x00007FF792F90000-0x00007FF7932E4000-memory.dmp	UPX
behavioral2/memory/2252-134-0x00007FF68D060000-0x00007FF68D3B4000-memory.dmp	UPX
behavioral2/memory/568-135-0x00007FF77B6D0000-0x00007FF77BA24000-memory.dmp	UPX
behavioral2/memory/4816-136-0x00007FF609790000-0x00007FF609AE4000-memory.dmp	UPX
behavioral2/memory/1156-137-0x00007FF7AD1D0000-0x00007FF7AD524000-memory.dmp	UPX
behavioral2/memory/3976-138-0x00007FF7BA0C0000-0x00007FF7BA414000-memory.dmp	UPX
behavioral2/memory/4304-139-0x00007FF769610000-0x00007FF769964000-memory.dmp	UPX
behavioral2/memory/4896-140-0x00007FF71A670000-0x00007FF71A9C4000-memory.dmp	UPX
behavioral2/memory/1724-141-0x00007FF74D450000-0x00007FF74D7A4000-memory.dmp	UPX
behavioral2/memory/2168-142-0x00007FF724D50000-0x00007FF7250A4000-memory.dmp	UPX
behavioral2/memory/2100-143-0x00007FF744CE0000-0x00007FF745034000-memory.dmp	UPX
behavioral2/memory/1048-144-0x00007FF707550000-0x00007FF7078A4000-memory.dmp	UPX
behavioral2/memory/3852-145-0x00007FF654290000-0x00007FF6545E4000-memory.dmp	UPX
behavioral2/memory/2288-146-0x00007FF7AA000000-0x00007FF7AA354000-memory.dmp	UPX
behavioral2/memory/3972-147-0x00007FF6816D0000-0x00007FF681A24000-memory.dmp	UPX
behavioral2/memory/2272-148-0x00007FF68E340000-0x00007FF68E694000-memory.dmp	UPX

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/3968-0-0x00007FF7F8ED0000-0x00007FF7F9224000-memory.dmp	xmrig
behavioral2/files/0x000b000000023214-4.dat	xmrig
behavioral2/memory/568-8-0x00007FF77B6D0000-0x00007FF77BA24000-memory.dmp	xmrig
behavioral2/files/0x000800000002323d-10.dat	xmrig
behavioral2/memory/4816-14-0x00007FF609790000-0x00007FF609AE4000-memory.dmp	xmrig
behavioral2/files/0x000800000002323b-11.dat	xmrig
behavioral2/files/0x000700000002323e-24.dat	xmrig
behavioral2/memory/3976-26-0x00007FF7BA0C0000-0x00007FF7BA414000-memory.dmp	xmrig
behavioral2/memory/1156-20-0x00007FF7AD1D0000-0x00007FF7AD524000-memory.dmp	xmrig
behavioral2/files/0x000700000002323f-28.dat	xmrig
behavioral2/memory/4304-30-0x00007FF769610000-0x00007FF769964000-memory.dmp	xmrig
behavioral2/files/0x0007000000023241-35.dat	xmrig
behavioral2/memory/4896-38-0x00007FF71A670000-0x00007FF71A9C4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023242-41.dat	xmrig
behavioral2/memory/1724-44-0x00007FF74D450000-0x00007FF74D7A4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023243-46.dat	xmrig
behavioral2/memory/2168-50-0x00007FF724D50000-0x00007FF7250A4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023245-54.dat	xmrig
behavioral2/memory/2100-56-0x00007FF744CE0000-0x00007FF745034000-memory.dmp	xmrig
behavioral2/files/0x0007000000023246-60.dat	xmrig
behavioral2/memory/3968-62-0x00007FF7F8ED0000-0x00007FF7F9224000-memory.dmp	xmrig
behavioral2/memory/1048-63-0x00007FF707550000-0x00007FF7078A4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023247-65.dat	xmrig
behavioral2/memory/3852-69-0x00007FF654290000-0x00007FF6545E4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023248-71.dat	xmrig
behavioral2/memory/4816-75-0x00007FF609790000-0x00007FF609AE4000-memory.dmp	xmrig
behavioral2/memory/2288-76-0x00007FF7AA000000-0x00007FF7AA354000-memory.dmp	xmrig
behavioral2/files/0x0007000000023249-80.dat	xmrig
behavioral2/memory/3972-82-0x00007FF6816D0000-0x00007FF681A24000-memory.dmp	xmrig
behavioral2/files/0x000700000002324a-85.dat	xmrig
behavioral2/memory/2272-88-0x00007FF68E340000-0x00007FF68E694000-memory.dmp	xmrig
behavioral2/files/0x000700000002324b-91.dat	xmrig
behavioral2/memory/4304-92-0x00007FF769610000-0x00007FF769964000-memory.dmp	xmrig
behavioral2/memory/1820-95-0x00007FF792F90000-0x00007FF7932E4000-memory.dmp	xmrig
behavioral2/files/0x000700000002324c-99.dat	xmrig
behavioral2/memory/1712-101-0x00007FF6FB580000-0x00007FF6FB8D4000-memory.dmp	xmrig
behavioral2/files/0x000700000002324d-104.dat	xmrig
behavioral2/memory/1724-105-0x00007FF74D450000-0x00007FF74D7A4000-memory.dmp	xmrig
behavioral2/memory/2252-106-0x00007FF68D060000-0x00007FF68D3B4000-memory.dmp	xmrig
behavioral2/files/0x000700000002324e-112.dat	xmrig
behavioral2/files/0x0007000000023250-116.dat	xmrig
behavioral2/memory/720-119-0x00007FF7F0EA0000-0x00007FF7F11F4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023251-123.dat	xmrig
behavioral2/memory/2100-125-0x00007FF744CE0000-0x00007FF745034000-memory.dmp	xmrig
behavioral2/files/0x000200000001e32b-128.dat	xmrig
behavioral2/memory/3164-126-0x00007FF797BB0000-0x00007FF797F04000-memory.dmp	xmrig
behavioral2/memory/808-129-0x00007FF7EE720000-0x00007FF7EEA74000-memory.dmp	xmrig
behavioral2/memory/3888-132-0x00007FF69C9D0000-0x00007FF69CD24000-memory.dmp	xmrig
behavioral2/memory/1820-133-0x00007FF792F90000-0x00007FF7932E4000-memory.dmp	xmrig
behavioral2/memory/2252-134-0x00007FF68D060000-0x00007FF68D3B4000-memory.dmp	xmrig
behavioral2/memory/568-135-0x00007FF77B6D0000-0x00007FF77BA24000-memory.dmp	xmrig
behavioral2/memory/4816-136-0x00007FF609790000-0x00007FF609AE4000-memory.dmp	xmrig
behavioral2/memory/1156-137-0x00007FF7AD1D0000-0x00007FF7AD524000-memory.dmp	xmrig
behavioral2/memory/3976-138-0x00007FF7BA0C0000-0x00007FF7BA414000-memory.dmp	xmrig
behavioral2/memory/4304-139-0x00007FF769610000-0x00007FF769964000-memory.dmp	xmrig
behavioral2/memory/4896-140-0x00007FF71A670000-0x00007FF71A9C4000-memory.dmp	xmrig
behavioral2/memory/1724-141-0x00007FF74D450000-0x00007FF74D7A4000-memory.dmp	xmrig
behavioral2/memory/2168-142-0x00007FF724D50000-0x00007FF7250A4000-memory.dmp	xmrig
behavioral2/memory/2100-143-0x00007FF744CE0000-0x00007FF745034000-memory.dmp	xmrig
behavioral2/memory/1048-144-0x00007FF707550000-0x00007FF7078A4000-memory.dmp	xmrig
behavioral2/memory/3852-145-0x00007FF654290000-0x00007FF6545E4000-memory.dmp	xmrig
behavioral2/memory/2288-146-0x00007FF7AA000000-0x00007FF7AA354000-memory.dmp	xmrig
behavioral2/memory/3972-147-0x00007FF6816D0000-0x00007FF681A24000-memory.dmp	xmrig
behavioral2/memory/2272-148-0x00007FF68E340000-0x00007FF68E694000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
568	iteBdTu.exe
4816	cbnvyDm.exe
1156	ohqgkjI.exe
3976	usRDCKB.exe
4304	VjmDZMu.exe
4896	SypRTMC.exe
1724	KZoRZMV.exe
2168	KulFBjx.exe
2100	EyinMgV.exe
1048	wQCqRlf.exe
3852	VALnBQY.exe
2288	yaPSSzg.exe
3972	cTQzzZp.exe
2272	TOZNJEA.exe
1820	PSqGMCd.exe
1712	aNXqIkg.exe
2252	SFDUAWK.exe
720	XtiBqrP.exe
3164	OrRwZNp.exe
808	uDcdtWT.exe
3888	KMkyAEf.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3968-0-0x00007FF7F8ED0000-0x00007FF7F9224000-memory.dmp	upx
behavioral2/files/0x000b000000023214-4.dat	upx
behavioral2/memory/568-8-0x00007FF77B6D0000-0x00007FF77BA24000-memory.dmp	upx
behavioral2/files/0x000800000002323d-10.dat	upx
behavioral2/memory/4816-14-0x00007FF609790000-0x00007FF609AE4000-memory.dmp	upx
behavioral2/files/0x000800000002323b-11.dat	upx
behavioral2/files/0x000700000002323e-24.dat	upx
behavioral2/memory/3976-26-0x00007FF7BA0C0000-0x00007FF7BA414000-memory.dmp	upx
behavioral2/memory/1156-20-0x00007FF7AD1D0000-0x00007FF7AD524000-memory.dmp	upx
behavioral2/files/0x000700000002323f-28.dat	upx
behavioral2/memory/4304-30-0x00007FF769610000-0x00007FF769964000-memory.dmp	upx
behavioral2/files/0x0007000000023241-35.dat	upx
behavioral2/memory/4896-38-0x00007FF71A670000-0x00007FF71A9C4000-memory.dmp	upx
behavioral2/files/0x0007000000023242-41.dat	upx
behavioral2/memory/1724-44-0x00007FF74D450000-0x00007FF74D7A4000-memory.dmp	upx
behavioral2/files/0x0007000000023243-46.dat	upx
behavioral2/memory/2168-50-0x00007FF724D50000-0x00007FF7250A4000-memory.dmp	upx
behavioral2/files/0x0007000000023245-54.dat	upx
behavioral2/memory/2100-56-0x00007FF744CE0000-0x00007FF745034000-memory.dmp	upx
behavioral2/files/0x0007000000023246-60.dat	upx
behavioral2/memory/3968-62-0x00007FF7F8ED0000-0x00007FF7F9224000-memory.dmp	upx
behavioral2/memory/1048-63-0x00007FF707550000-0x00007FF7078A4000-memory.dmp	upx
behavioral2/files/0x0007000000023247-65.dat	upx
behavioral2/memory/3852-69-0x00007FF654290000-0x00007FF6545E4000-memory.dmp	upx
behavioral2/files/0x0007000000023248-71.dat	upx
behavioral2/memory/4816-75-0x00007FF609790000-0x00007FF609AE4000-memory.dmp	upx
behavioral2/memory/2288-76-0x00007FF7AA000000-0x00007FF7AA354000-memory.dmp	upx
behavioral2/files/0x0007000000023249-80.dat	upx
behavioral2/memory/3972-82-0x00007FF6816D0000-0x00007FF681A24000-memory.dmp	upx
behavioral2/files/0x000700000002324a-85.dat	upx
behavioral2/memory/2272-88-0x00007FF68E340000-0x00007FF68E694000-memory.dmp	upx
behavioral2/files/0x000700000002324b-91.dat	upx
behavioral2/memory/4304-92-0x00007FF769610000-0x00007FF769964000-memory.dmp	upx
behavioral2/memory/1820-95-0x00007FF792F90000-0x00007FF7932E4000-memory.dmp	upx
behavioral2/files/0x000700000002324c-99.dat	upx
behavioral2/memory/1712-101-0x00007FF6FB580000-0x00007FF6FB8D4000-memory.dmp	upx
behavioral2/files/0x000700000002324d-104.dat	upx
behavioral2/memory/1724-105-0x00007FF74D450000-0x00007FF74D7A4000-memory.dmp	upx
behavioral2/memory/2252-106-0x00007FF68D060000-0x00007FF68D3B4000-memory.dmp	upx
behavioral2/files/0x000700000002324e-112.dat	upx
behavioral2/files/0x0007000000023250-116.dat	upx
behavioral2/memory/720-119-0x00007FF7F0EA0000-0x00007FF7F11F4000-memory.dmp	upx
behavioral2/files/0x0007000000023251-123.dat	upx
behavioral2/memory/2100-125-0x00007FF744CE0000-0x00007FF745034000-memory.dmp	upx
behavioral2/files/0x000200000001e32b-128.dat	upx
behavioral2/memory/3164-126-0x00007FF797BB0000-0x00007FF797F04000-memory.dmp	upx
behavioral2/memory/808-129-0x00007FF7EE720000-0x00007FF7EEA74000-memory.dmp	upx
behavioral2/memory/3888-132-0x00007FF69C9D0000-0x00007FF69CD24000-memory.dmp	upx
behavioral2/memory/1820-133-0x00007FF792F90000-0x00007FF7932E4000-memory.dmp	upx
behavioral2/memory/2252-134-0x00007FF68D060000-0x00007FF68D3B4000-memory.dmp	upx
behavioral2/memory/568-135-0x00007FF77B6D0000-0x00007FF77BA24000-memory.dmp	upx
behavioral2/memory/4816-136-0x00007FF609790000-0x00007FF609AE4000-memory.dmp	upx
behavioral2/memory/1156-137-0x00007FF7AD1D0000-0x00007FF7AD524000-memory.dmp	upx
behavioral2/memory/3976-138-0x00007FF7BA0C0000-0x00007FF7BA414000-memory.dmp	upx
behavioral2/memory/4304-139-0x00007FF769610000-0x00007FF769964000-memory.dmp	upx
behavioral2/memory/4896-140-0x00007FF71A670000-0x00007FF71A9C4000-memory.dmp	upx
behavioral2/memory/1724-141-0x00007FF74D450000-0x00007FF74D7A4000-memory.dmp	upx
behavioral2/memory/2168-142-0x00007FF724D50000-0x00007FF7250A4000-memory.dmp	upx
behavioral2/memory/2100-143-0x00007FF744CE0000-0x00007FF745034000-memory.dmp	upx
behavioral2/memory/1048-144-0x00007FF707550000-0x00007FF7078A4000-memory.dmp	upx
behavioral2/memory/3852-145-0x00007FF654290000-0x00007FF6545E4000-memory.dmp	upx
behavioral2/memory/2288-146-0x00007FF7AA000000-0x00007FF7AA354000-memory.dmp	upx
behavioral2/memory/3972-147-0x00007FF6816D0000-0x00007FF681A24000-memory.dmp	upx
behavioral2/memory/2272-148-0x00007FF68E340000-0x00007FF68E694000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\yaPSSzg.exe	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\SFDUAWK.exe	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\cbnvyDm.exe	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\KulFBjx.exe	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\VALnBQY.exe	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\OrRwZNp.exe	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\KMkyAEf.exe	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\VjmDZMu.exe	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\cTQzzZp.exe	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\aNXqIkg.exe	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\wQCqRlf.exe	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\iteBdTu.exe	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ohqgkjI.exe	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\SypRTMC.exe	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\TOZNJEA.exe	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\PSqGMCd.exe	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\XtiBqrP.exe	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\uDcdtWT.exe	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\usRDCKB.exe	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\KZoRZMV.exe	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\EyinMgV.exe	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	3968	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	3968	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 3968 wrote to memory of 568	3968	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe	91
PID 3968 wrote to memory of 568	3968	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe	91
PID 3968 wrote to memory of 4816	3968	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe	92
PID 3968 wrote to memory of 4816	3968	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe	92
PID 3968 wrote to memory of 1156	3968	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe	93
PID 3968 wrote to memory of 1156	3968	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe	93
PID 3968 wrote to memory of 3976	3968	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe	94
PID 3968 wrote to memory of 3976	3968	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe	94
PID 3968 wrote to memory of 4304	3968	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe	95
PID 3968 wrote to memory of 4304	3968	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe	95
PID 3968 wrote to memory of 4896	3968	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe	96
PID 3968 wrote to memory of 4896	3968	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe	96
PID 3968 wrote to memory of 1724	3968	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe	97
PID 3968 wrote to memory of 1724	3968	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe	97
PID 3968 wrote to memory of 2168	3968	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe	98
PID 3968 wrote to memory of 2168	3968	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe	98
PID 3968 wrote to memory of 2100	3968	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe	99
PID 3968 wrote to memory of 2100	3968	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe	99
PID 3968 wrote to memory of 1048	3968	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe	100
PID 3968 wrote to memory of 1048	3968	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe	100
PID 3968 wrote to memory of 3852	3968	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe	101
PID 3968 wrote to memory of 3852	3968	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe	101
PID 3968 wrote to memory of 2288	3968	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe	102
PID 3968 wrote to memory of 2288	3968	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe	102
PID 3968 wrote to memory of 3972	3968	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe	103
PID 3968 wrote to memory of 3972	3968	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe	103
PID 3968 wrote to memory of 2272	3968	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe	104
PID 3968 wrote to memory of 2272	3968	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe	104
PID 3968 wrote to memory of 1820	3968	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe	105
PID 3968 wrote to memory of 1820	3968	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe	105
PID 3968 wrote to memory of 1712	3968	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe	106
PID 3968 wrote to memory of 1712	3968	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe	106
PID 3968 wrote to memory of 2252	3968	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe	107
PID 3968 wrote to memory of 2252	3968	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe	107
PID 3968 wrote to memory of 720	3968	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe	108
PID 3968 wrote to memory of 720	3968	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe	108
PID 3968 wrote to memory of 3164	3968	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe	109
PID 3968 wrote to memory of 3164	3968	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe	109
PID 3968 wrote to memory of 808	3968	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe	110
PID 3968 wrote to memory of 808	3968	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe	110
PID 3968 wrote to memory of 3888	3968	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe	111
PID 3968 wrote to memory of 3888	3968	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe	111

C:\Users\Admin\AppData\Local\Temp\2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3968
- C:\Windows\System\iteBdTu.exe
  C:\Windows\System\iteBdTu.exe
  2⤵
  - Executes dropped EXE
  PID:568
- C:\Windows\System\cbnvyDm.exe
  C:\Windows\System\cbnvyDm.exe
  2⤵
  - Executes dropped EXE
  PID:4816
- C:\Windows\System\ohqgkjI.exe
  C:\Windows\System\ohqgkjI.exe
  2⤵
  - Executes dropped EXE
  PID:1156
- C:\Windows\System\usRDCKB.exe
  C:\Windows\System\usRDCKB.exe
  2⤵
  - Executes dropped EXE
  PID:3976
- C:\Windows\System\VjmDZMu.exe
  C:\Windows\System\VjmDZMu.exe
  2⤵
  - Executes dropped EXE
  PID:4304
- C:\Windows\System\SypRTMC.exe
  C:\Windows\System\SypRTMC.exe
  2⤵
  - Executes dropped EXE
  PID:4896
- C:\Windows\System\KZoRZMV.exe
  C:\Windows\System\KZoRZMV.exe
  2⤵
  - Executes dropped EXE
  PID:1724
- C:\Windows\System\KulFBjx.exe
  C:\Windows\System\KulFBjx.exe
  2⤵
  - Executes dropped EXE
  PID:2168
- C:\Windows\System\EyinMgV.exe
  C:\Windows\System\EyinMgV.exe
  2⤵
  - Executes dropped EXE
  PID:2100
- C:\Windows\System\wQCqRlf.exe
  C:\Windows\System\wQCqRlf.exe
  2⤵
  - Executes dropped EXE
  PID:1048
- C:\Windows\System\VALnBQY.exe
  C:\Windows\System\VALnBQY.exe
  2⤵
  - Executes dropped EXE
  PID:3852
- C:\Windows\System\yaPSSzg.exe
  C:\Windows\System\yaPSSzg.exe
  2⤵
  - Executes dropped EXE
  PID:2288
- C:\Windows\System\cTQzzZp.exe
  C:\Windows\System\cTQzzZp.exe
  2⤵
  - Executes dropped EXE
  PID:3972
- C:\Windows\System\TOZNJEA.exe
  C:\Windows\System\TOZNJEA.exe
  2⤵
  - Executes dropped EXE
  PID:2272
- C:\Windows\System\PSqGMCd.exe
  C:\Windows\System\PSqGMCd.exe
  2⤵
  - Executes dropped EXE
  PID:1820
- C:\Windows\System\aNXqIkg.exe
  C:\Windows\System\aNXqIkg.exe
  2⤵
  - Executes dropped EXE
  PID:1712
- C:\Windows\System\SFDUAWK.exe
  C:\Windows\System\SFDUAWK.exe
  2⤵
  - Executes dropped EXE
  PID:2252
- C:\Windows\System\XtiBqrP.exe
  C:\Windows\System\XtiBqrP.exe
  2⤵
  - Executes dropped EXE
  PID:720
- C:\Windows\System\OrRwZNp.exe
  C:\Windows\System\OrRwZNp.exe
  2⤵
  - Executes dropped EXE
  PID:3164
- C:\Windows\System\uDcdtWT.exe
  C:\Windows\System\uDcdtWT.exe
  2⤵
  - Executes dropped EXE
  PID:808
- C:\Windows\System\KMkyAEf.exe
  C:\Windows\System\KMkyAEf.exe
  2⤵
  - Executes dropped EXE
  PID:3888

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1424 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8
1⤵
PID:3604

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\EyinMgV.exe

Filesize
5.9MB

MD5
d80829410ea459dcd27aab8f0ced253e

SHA1
c108f15def59ab37a05bb2ee7dd92eef3a120d55

SHA256
a26e67d8988ef723c18dee1990e78045099239fb65b573fd6976dd2ccf4181a2

SHA512
cd86af995eca49908d97142cc90cd757cbf75465bd7726ed015058a49c63ace06fafbe6822f55771a24fc7e90d621dceb12f78cda460d5db0d203bd4c3e4bdf8

Download Submit
C:\Windows\System\KMkyAEf.exe

Filesize
5.9MB

MD5
e914153b8e5bd952f4100b0cee20daf1

SHA1
82f4dcbbc5e01bb8eb0f9248f180c445e9ce2c17

SHA256
e39f50d86514ee785eb9bb8f09d69aa38ee2dbbab27bf352e9eaf7d03f9158c9

SHA512
6d559e8ca8fee3a1da4dd7ae4ebe5091ec199a80449c71c98d176efdb420e89738b6e2844e3010b33b2df465b98488e179b7b8cf74a4629e29aab27b8bde109c

Download Submit
C:\Windows\System\KZoRZMV.exe

Filesize
5.9MB

MD5
8549c1f8bb9030037ed421a8a11d123c

SHA1
3e77f7dde38c8e2c4afd2b495fb6774fe82e0c92

SHA256
f9f03cf7314a5886578baf0f68a448de1f8900a719aafdccc05fbb11e0d35527

SHA512
f266b2555fb272053ec661f8d78958610d0df203c5078c6645db7bc79159a9be978f61c93bab2ea210508ef4c37fa437c3a0e31b876a8d0546b48984e12f56e0

Download Submit
C:\Windows\System\KulFBjx.exe

Filesize
5.9MB

MD5
56d6b34c6a7cad9ea0ff091dd7fcf564

SHA1
f2fac75f2d0417744e46d7f4bfbca7adb3df06a0

SHA256
90a0d9075d3f0c799ceb82f8b1518ce7fe4cd80e317f2850e814fa583eff4f92

SHA512
eb6fec2022221ed4b1244a41d68cd0214ecc4131c9cdb47f06cd900758fcf1c731b7399179211093bc81c8cdad2cc6c9617cf3e4b218be44ad70b036f03d1656

Download Submit
C:\Windows\System\OrRwZNp.exe

Filesize
5.9MB

MD5
9b03a48c6582400bd8eb298eed1f2f7a

SHA1
06cb231260ff66d82b58fdf8463850b10f544e92

SHA256
a024be6046d463beb020f3ff674fb476475e4398289b7ffc73679403c23ff641

SHA512
0aabb8be0a4f612dff5895795e3eb144b185c2a98ffe7b5890cdafe9cb9bf3cb4d107c2b087586e05f2134e5f0d6eb5731c7bc73821e518287cf14caa8575868

Download Submit
C:\Windows\System\PSqGMCd.exe

Filesize
5.9MB

MD5
9e9baf6ad28dc070a553de81f515777e

SHA1
3e41a8b29a73d1f0cd25e4f180071ed63303f30e

SHA256
72d13053643d962c2a3bc94241a55091bf5b0f338af920e0474f8c068fd09aa9

SHA512
2a1f965655752e81d226f3a2749dd0f5e1dc2ab75321d7d02da320ac03fdf94fec7c546b7aba9f56ca3c991111ca0510a88f5694c0e8a360bdbe3fa1f963716e

Download Submit
C:\Windows\System\SFDUAWK.exe

Filesize
5.9MB

MD5
a9e49b790d2982fb19083cc66dfea555

SHA1
a3c4beb36514073574baac57d70924a27a9b31e4

SHA256
29b9fa4f68ab63876d00171d2250792256ab7db570ae5541360fe3165a87b36c

SHA512
0e6f7776b6ed7c3e89eeecad3e347a949b512afb20744af46afa0840f4836ed99383d1aa634bd5d1973c7ab3ea31082661166ff8c7a1580227b0188efce07565

Download Submit
C:\Windows\System\SypRTMC.exe

Filesize
5.9MB

MD5
174fdd69497947ce943651210fb70876

SHA1
4278fe65d8c8eaa24ea55b2c568c2e307c5993eb

SHA256
7a85543751c6cc07e7e58e28e110415aae0e83d43d80b39ad6c3cc966df19acd

SHA512
144858f040767a1858bbbc6c0708ff144b88060db94a08207c0c27d1bc19bdaf70bc3e645b3f26372d075a0c29aa8fe3d83883518cf08825811d2fdffeb3894a

Download Submit
C:\Windows\System\TOZNJEA.exe

Filesize
5.9MB

MD5
dcb5c4431a8a630518291eaeb9a5d15b

SHA1
537efd4bdc6c886ce4d7b57a56a4aa7431b7332d

SHA256
1917b339d6131f8c01c32d912618ed20db3a52b22ed9448b112cc68a211fc07e

SHA512
2099009fc37b6ffd76dc4fc7146783354474fb879ea6d3e25b6aebfe3d053d6dc40668c49322f6c6b6a57e86a8c5d90186caadd4fd1a56f1deb2fef50e5ba69e

Download Submit
C:\Windows\System\VALnBQY.exe

Filesize
5.9MB

MD5
90847311802b399ee03ad14e7a8b1f2a

SHA1
6c253ee7f82791fc3ecad276a33d551cc0d7cd98

SHA256
436bf28dc93d9347162d8a80458eda321b90d1160587425b6d6ff98674224015

SHA512
9c7abe9076e22018036ee005286e605d0d43842071a1b84f8107996e89659c9b605e3d32e220819d35aa0cf52301257e0af68e0fa517e141af0eabc7a2e64e0c

Download Submit
C:\Windows\System\VjmDZMu.exe

Filesize
5.9MB

MD5
27e6fd8ac15a98e9a22b163757d2af1d

SHA1
e96f2619e90bdd45cbbdca321b544af88b67d0a8

SHA256
60bdb9c02befedf0988748ffc4f975273020b85d756ad420484b56ff3af99cc5

SHA512
62f58abe8285eea332214d98f75f27099e4736a95c8f05259d785efe65de2a3dfe9d8696183c7eca6989ffadd836b36bdbdc3fb53a2ef5538f23bcd07795bc9c

Download Submit
C:\Windows\System\XtiBqrP.exe

Filesize
5.9MB

MD5
4cef4789645cf70fcb742a78bafc24c4

SHA1
3c53ceae2fe0c478cfc5fd0f9497b1bc75f5ca8c

SHA256
f25b3108ad324fdf9d4a3d91f46d20c6217609eaabeb71484e7f61e733a4bdf1

SHA512
687dd5b2c867ec264d8d85d2590691c4c963a558dd7534316f5c5919c78af4e57415685fb4ed2377503b4b83f3f0f4c2781108b31bd1f495c821dfc233331d32

Download Submit
C:\Windows\System\aNXqIkg.exe

Filesize
5.9MB

MD5
722de5f50c937579b93160fe3eefe3a0

SHA1
d1580a9b801cfd74364dedc48d138da713a00614

SHA256
7186562fdba19bd16a4e9d565ced2ed373d3fa96559a8df9239756b5407f5703

SHA512
9351f15a948daddf74022caf833f13ea8fdca48e1257f8b688efe1735f00735a5c3510176435a85d20377897423a6505a84f1e4f8fad59f9b08dafdec554b207

Download Submit
C:\Windows\System\cTQzzZp.exe

Filesize
5.9MB

MD5
2c6ee5c607b89339a4154379ec52801a

SHA1
0de12e22f5f2c13afe84e0a2033a8407ab4b52a6

SHA256
caf7a3f5f73c1515be523e610dfcc2cb66ac4d89f782a55cabee098aa3e5d78b

SHA512
98cb21a0edb3e584e3a6a88fc104af0a5e584288923a350fc090f2a3b0abc7bbff4dc07596881b25ec93d6392b74c6e2628edf4c522922fcca3995f7f9d6dd1e

Download Submit
C:\Windows\System\cbnvyDm.exe

Filesize
5.9MB

MD5
ecc4041783455e973fcb984a9f7b3ecd

SHA1
c199169ddda528a7d8ba475678db4a60972efe96

SHA256
5896af29ec5ef3623c3917fc5222f75502fbc7001a9ec51aa86e8bd1c08fbcb0

SHA512
20b6241647c5d967f44393df323bf532232cb971f4284dec83add50466271fd9ff6e0daddb64a919d33985ffe03119b7c900c3ce46edfbd9b3261ee9e53129d6

Download Submit
C:\Windows\System\iteBdTu.exe

Filesize
5.9MB

MD5
4b55a6c818a9ee9b569bf83da2afb0d8

SHA1
96289dc9be1c853cd9e915513f51e389b552df2b

SHA256
915c6f9a14b9337d7b712deecb558970efae123f5f745630876cd4609b086f15

SHA512
3486df624257560c017661f09c6fbd748780b30780fa83f683cbe1be39fbeb3f6b0bd543e858e8dd094ce9d00409172776d365b056fa0f9de3777c47e0f514cf

Download Submit
C:\Windows\System\ohqgkjI.exe

Filesize
5.9MB

MD5
90589f6bebf8c6c82a7875d34d7619a1

SHA1
0a93c6458c4b2b4363e61199852310e32c167493

SHA256
823fffa894d39cc3f763705aa74a84431a6299f3bea01b7b93ff5194858446da

SHA512
5f71869a8243d8f3b1dec3b8881e0b0d8ea2b7a66268c8ef1fa86eea44b7fc2bf287f8f01a920ce034ced19b11ce270e5d80753bc1a7df9b98c8c07a71ecc00b

Download Submit
C:\Windows\System\uDcdtWT.exe

Filesize
5.9MB

MD5
2101be0f3812248d11da6ea5a9a8ddbb

SHA1
549bd80b158f08f1b6aa64a9b4eaebf14d37f0a8

SHA256
cca061e671d096922878554a3fd5b8d48e3506d8bd39b37267b97f21a81b206e

SHA512
7ba58ce952a9dec165542a3aee02dd42c8776f51c170def8153ae8240c700361535519a4fb56e00648c08cb9b9b3f3ce28a6208a32838b7da8db3ea20dd4a60d

Download Submit
C:\Windows\System\usRDCKB.exe

Filesize
5.9MB

MD5
e5d42fe9e6455a30331a5749e4523e1e

SHA1
4c78d62bc761219a91dab8010d28d1e16fcfac0a

SHA256
4d3e8274e4e14b4cc55cf9fd50749dbbe47beb89206c3e9f428a75e1cc6f741e

SHA512
ef6d53ed1b7fa8cf43b8e903cf4a281782b2d18157f464c5ecb7e6e5b7cc802d434b4b9c930b8eda66b63eb660ecf480e05a20339fce60576a813f3f99b93f27

Download Submit
C:\Windows\System\wQCqRlf.exe

Filesize
5.9MB

MD5
4d53d408e22bfbe92e341fdc3aa3ef30

SHA1
a4c8563591ebdb0d599fbb6f6d8ae7f01338fae2

SHA256
4d544072c11e4b6d65991e40b34f3502f856734471426618b9c4ad136b157d4e

SHA512
dfb3e690e2145e8e8a9ab244ddf54af40644bb748db0e0ef8aa290cbf54c316b1f59e00e304ef33a0f3e927d308e8cb696ef5b1846203ceb9642e2fb094c2f05

Download Submit
C:\Windows\System\yaPSSzg.exe

Filesize
5.9MB

MD5
f2bc97ec4439d4d60bcfdf1849a03651

SHA1
4d72467fe66fbb3756679acc6e31f26057f70514

SHA256
fa1b1ac85bb1232d0667a00b65e1599abaea81a7205d844f8f18b20a71e8ccae

SHA512
689d33b302847075c7614a0cf056f5d01849f031c2433c368669adaa7987ad2a704a7b9c33058e580f89bd0f173d274aa654492ae269e4598fd3096e5a2aaaeb

Download Submit
memory/568-135-0x00007FF77B6D0000-0x00007FF77BA24000-memory.dmp

Filesize
3.3MB

Download
memory/568-8-0x00007FF77B6D0000-0x00007FF77BA24000-memory.dmp

Filesize
3.3MB

Download
memory/720-152-0x00007FF7F0EA0000-0x00007FF7F11F4000-memory.dmp

Filesize
3.3MB

Download
memory/720-119-0x00007FF7F0EA0000-0x00007FF7F11F4000-memory.dmp

Filesize
3.3MB

Download
memory/808-154-0x00007FF7EE720000-0x00007FF7EEA74000-memory.dmp

Filesize
3.3MB

Download
memory/808-129-0x00007FF7EE720000-0x00007FF7EEA74000-memory.dmp

Filesize
3.3MB

Download
memory/1048-63-0x00007FF707550000-0x00007FF7078A4000-memory.dmp

Filesize
3.3MB

Download
memory/1048-144-0x00007FF707550000-0x00007FF7078A4000-memory.dmp

Filesize
3.3MB

Download
memory/1156-20-0x00007FF7AD1D0000-0x00007FF7AD524000-memory.dmp

Filesize
3.3MB

Download
memory/1156-137-0x00007FF7AD1D0000-0x00007FF7AD524000-memory.dmp

Filesize
3.3MB

Download
memory/1712-150-0x00007FF6FB580000-0x00007FF6FB8D4000-memory.dmp

Filesize
3.3MB

Download
memory/1712-101-0x00007FF6FB580000-0x00007FF6FB8D4000-memory.dmp

Filesize
3.3MB

Download
memory/1724-44-0x00007FF74D450000-0x00007FF74D7A4000-memory.dmp

Filesize
3.3MB

Download
memory/1724-141-0x00007FF74D450000-0x00007FF74D7A4000-memory.dmp

Filesize
3.3MB

Download
memory/1724-105-0x00007FF74D450000-0x00007FF74D7A4000-memory.dmp

Filesize
3.3MB

Download
memory/1820-149-0x00007FF792F90000-0x00007FF7932E4000-memory.dmp

Filesize
3.3MB

Download
memory/1820-95-0x00007FF792F90000-0x00007FF7932E4000-memory.dmp

Filesize
3.3MB

Download
memory/1820-133-0x00007FF792F90000-0x00007FF7932E4000-memory.dmp

Filesize
3.3MB

Download
memory/2100-56-0x00007FF744CE0000-0x00007FF745034000-memory.dmp

Filesize
3.3MB

Download
memory/2100-125-0x00007FF744CE0000-0x00007FF745034000-memory.dmp

Filesize
3.3MB

Download
memory/2100-143-0x00007FF744CE0000-0x00007FF745034000-memory.dmp

Filesize
3.3MB

Download
memory/2168-142-0x00007FF724D50000-0x00007FF7250A4000-memory.dmp

Filesize
3.3MB

Download
memory/2168-50-0x00007FF724D50000-0x00007FF7250A4000-memory.dmp

Filesize
3.3MB

Download
memory/2252-151-0x00007FF68D060000-0x00007FF68D3B4000-memory.dmp

Filesize
3.3MB

Download
memory/2252-106-0x00007FF68D060000-0x00007FF68D3B4000-memory.dmp

Filesize
3.3MB

Download
memory/2252-134-0x00007FF68D060000-0x00007FF68D3B4000-memory.dmp

Filesize
3.3MB

Download
memory/2272-88-0x00007FF68E340000-0x00007FF68E694000-memory.dmp

Filesize
3.3MB

Download
memory/2272-148-0x00007FF68E340000-0x00007FF68E694000-memory.dmp

Filesize
3.3MB

Download
memory/2288-146-0x00007FF7AA000000-0x00007FF7AA354000-memory.dmp

Filesize
3.3MB

Download
memory/2288-76-0x00007FF7AA000000-0x00007FF7AA354000-memory.dmp

Filesize
3.3MB

Download
memory/3164-126-0x00007FF797BB0000-0x00007FF797F04000-memory.dmp

Filesize
3.3MB

Download
memory/3164-153-0x00007FF797BB0000-0x00007FF797F04000-memory.dmp

Filesize
3.3MB

Download
memory/3852-145-0x00007FF654290000-0x00007FF6545E4000-memory.dmp

Filesize
3.3MB

Download
memory/3852-69-0x00007FF654290000-0x00007FF6545E4000-memory.dmp

Filesize
3.3MB

Download
memory/3888-132-0x00007FF69C9D0000-0x00007FF69CD24000-memory.dmp

Filesize
3.3MB

Download
memory/3888-155-0x00007FF69C9D0000-0x00007FF69CD24000-memory.dmp

Filesize
3.3MB

Download
memory/3968-0-0x00007FF7F8ED0000-0x00007FF7F9224000-memory.dmp

Filesize
3.3MB

Download
memory/3968-1-0x000001E31E870000-0x000001E31E880000-memory.dmp

Filesize
64KB

Download
memory/3968-62-0x00007FF7F8ED0000-0x00007FF7F9224000-memory.dmp

Filesize
3.3MB

Download
memory/3972-82-0x00007FF6816D0000-0x00007FF681A24000-memory.dmp

Filesize
3.3MB

Download
memory/3972-147-0x00007FF6816D0000-0x00007FF681A24000-memory.dmp

Filesize
3.3MB

Download
memory/3976-138-0x00007FF7BA0C0000-0x00007FF7BA414000-memory.dmp

Filesize
3.3MB

Download
memory/3976-26-0x00007FF7BA0C0000-0x00007FF7BA414000-memory.dmp

Filesize
3.3MB

Download
memory/4304-139-0x00007FF769610000-0x00007FF769964000-memory.dmp

Filesize
3.3MB

Download
memory/4304-92-0x00007FF769610000-0x00007FF769964000-memory.dmp

Filesize
3.3MB

Download
memory/4304-30-0x00007FF769610000-0x00007FF769964000-memory.dmp

Filesize
3.3MB

Download
memory/4816-14-0x00007FF609790000-0x00007FF609AE4000-memory.dmp

Filesize
3.3MB

Download
memory/4816-75-0x00007FF609790000-0x00007FF609AE4000-memory.dmp

Filesize
3.3MB

Download
memory/4816-136-0x00007FF609790000-0x00007FF609AE4000-memory.dmp

Filesize
3.3MB

Download
memory/4896-140-0x00007FF71A670000-0x00007FF71A9C4000-memory.dmp

Filesize
3.3MB

Download
memory/4896-38-0x00007FF71A670000-0x00007FF71A9C4000-memory.dmp

Filesize
3.3MB

Download