cobaltstrike | 533968da5f70b15825c3d38ac86568d335d754e3ebdfc6d22b3fdc90f72b8416

Analysis

max time kernel
145s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
09/06/2024, 03:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe
Size

5.9MB
MD5

012d7d7aba617660dc8fd939a0de7d65
SHA1

7edf54e4717d322538140882cc36ac9df4cc2d69
SHA256

533968da5f70b15825c3d38ac86568d335d754e3ebdfc6d22b3fdc90f72b8416
SHA512

6d9fda5603796731f96d1d7d27a18f4e9cdd461768a04148c2dc47aecee92f7e0d170bccad881fa505bc72263a7446a1761e31c454cf3a75d27e7db816ff8ba5
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUT:Q+856utgpPF8u/7T

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x00090000000233ea-4.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233f4-10.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233f3-11.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233f5-23.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233f7-29.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233f6-33.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233f8-37.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233f9-48.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233fa-52.dat	cobalt_reflective_dll
behavioral2/files/0x000a0000000233eb-57.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233fb-59.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233fc-72.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233fd-81.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023403-100.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023406-117.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023405-115.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023404-112.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023402-103.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023401-95.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023400-90.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233ff-86.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

resource	yara_rule
behavioral2/files/0x00090000000233ea-4.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233f4-10.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233f3-11.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233f5-23.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233f7-29.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233f6-33.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233f8-37.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233f9-48.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233fa-52.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000a0000000233eb-57.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233fb-59.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233fc-72.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233fd-81.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023403-100.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023406-117.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023405-115.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023404-112.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023402-103.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023401-95.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023400-90.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233ff-86.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

resource	yara_rule
behavioral2/memory/1920-0-0x00007FF6F1480000-0x00007FF6F17D4000-memory.dmp	UPX
behavioral2/files/0x00090000000233ea-4.dat	UPX
behavioral2/memory/3980-8-0x00007FF66AB60000-0x00007FF66AEB4000-memory.dmp	UPX
behavioral2/files/0x00070000000233f4-10.dat	UPX
behavioral2/files/0x00070000000233f3-11.dat	UPX
behavioral2/memory/2612-12-0x00007FF6E0CB0000-0x00007FF6E1004000-memory.dmp	UPX
behavioral2/memory/4452-20-0x00007FF7754D0000-0x00007FF775824000-memory.dmp	UPX
behavioral2/files/0x00070000000233f5-23.dat	UPX
behavioral2/memory/1832-24-0x00007FF706550000-0x00007FF7068A4000-memory.dmp	UPX
behavioral2/files/0x00070000000233f7-29.dat	UPX
behavioral2/files/0x00070000000233f6-33.dat	UPX
behavioral2/files/0x00070000000233f8-37.dat	UPX
behavioral2/files/0x00070000000233f9-48.dat	UPX
behavioral2/files/0x00070000000233fa-52.dat	UPX
behavioral2/files/0x000a0000000233eb-57.dat	UPX
behavioral2/files/0x00070000000233fb-59.dat	UPX
behavioral2/memory/3912-62-0x00007FF790CB0000-0x00007FF791004000-memory.dmp	UPX
behavioral2/files/0x00070000000233fc-72.dat	UPX
behavioral2/memory/3264-71-0x00007FF7FC6D0000-0x00007FF7FCA24000-memory.dmp	UPX
behavioral2/files/0x00070000000233fd-81.dat	UPX
behavioral2/files/0x0007000000023403-100.dat	UPX
behavioral2/files/0x0007000000023406-117.dat	UPX
behavioral2/files/0x0007000000023405-115.dat	UPX
behavioral2/files/0x0007000000023404-112.dat	UPX
behavioral2/files/0x0007000000023402-103.dat	UPX
behavioral2/files/0x0007000000023401-95.dat	UPX
behavioral2/files/0x0007000000023400-90.dat	UPX
behavioral2/files/0x00070000000233ff-86.dat	UPX
behavioral2/memory/2140-68-0x00007FF7D9440000-0x00007FF7D9794000-memory.dmp	UPX
behavioral2/memory/1976-64-0x00007FF7376C0000-0x00007FF737A14000-memory.dmp	UPX
behavioral2/memory/1996-60-0x00007FF6BDF10000-0x00007FF6BE264000-memory.dmp	UPX
behavioral2/memory/2136-39-0x00007FF6FD090000-0x00007FF6FD3E4000-memory.dmp	UPX
behavioral2/memory/2948-36-0x00007FF7AE9D0000-0x00007FF7AED24000-memory.dmp	UPX
behavioral2/memory/2144-30-0x00007FF6AEFC0000-0x00007FF6AF314000-memory.dmp	UPX
behavioral2/memory/1920-119-0x00007FF6F1480000-0x00007FF6F17D4000-memory.dmp	UPX
behavioral2/memory/760-120-0x00007FF775400000-0x00007FF775754000-memory.dmp	UPX
behavioral2/memory/3600-123-0x00007FF642D10000-0x00007FF643064000-memory.dmp	UPX
behavioral2/memory/2172-124-0x00007FF7FCC90000-0x00007FF7FCFE4000-memory.dmp	UPX
behavioral2/memory/1592-125-0x00007FF680C80000-0x00007FF680FD4000-memory.dmp	UPX
behavioral2/memory/4188-122-0x00007FF60D320000-0x00007FF60D674000-memory.dmp	UPX
behavioral2/memory/1560-126-0x00007FF6609B0000-0x00007FF660D04000-memory.dmp	UPX
behavioral2/memory/3136-121-0x00007FF6BAF30000-0x00007FF6BB284000-memory.dmp	UPX
behavioral2/memory/3788-127-0x00007FF6DE990000-0x00007FF6DECE4000-memory.dmp	UPX
behavioral2/memory/2220-128-0x00007FF6CA7C0000-0x00007FF6CAB14000-memory.dmp	UPX
behavioral2/memory/3980-129-0x00007FF66AB60000-0x00007FF66AEB4000-memory.dmp	UPX
behavioral2/memory/2612-130-0x00007FF6E0CB0000-0x00007FF6E1004000-memory.dmp	UPX
behavioral2/memory/1832-131-0x00007FF706550000-0x00007FF7068A4000-memory.dmp	UPX
behavioral2/memory/2144-132-0x00007FF6AEFC0000-0x00007FF6AF314000-memory.dmp	UPX
behavioral2/memory/2948-133-0x00007FF7AE9D0000-0x00007FF7AED24000-memory.dmp	UPX
behavioral2/memory/2136-134-0x00007FF6FD090000-0x00007FF6FD3E4000-memory.dmp	UPX
behavioral2/memory/2140-135-0x00007FF7D9440000-0x00007FF7D9794000-memory.dmp	UPX
behavioral2/memory/1976-136-0x00007FF7376C0000-0x00007FF737A14000-memory.dmp	UPX
behavioral2/memory/3264-137-0x00007FF7FC6D0000-0x00007FF7FCA24000-memory.dmp	UPX
behavioral2/memory/3980-138-0x00007FF66AB60000-0x00007FF66AEB4000-memory.dmp	UPX
behavioral2/memory/2612-139-0x00007FF6E0CB0000-0x00007FF6E1004000-memory.dmp	UPX
behavioral2/memory/4452-140-0x00007FF7754D0000-0x00007FF775824000-memory.dmp	UPX
behavioral2/memory/1832-141-0x00007FF706550000-0x00007FF7068A4000-memory.dmp	UPX
behavioral2/memory/2144-142-0x00007FF6AEFC0000-0x00007FF6AF314000-memory.dmp	UPX
behavioral2/memory/2136-143-0x00007FF6FD090000-0x00007FF6FD3E4000-memory.dmp	UPX
behavioral2/memory/2948-144-0x00007FF7AE9D0000-0x00007FF7AED24000-memory.dmp	UPX
behavioral2/memory/1996-145-0x00007FF6BDF10000-0x00007FF6BE264000-memory.dmp	UPX
behavioral2/memory/3912-146-0x00007FF790CB0000-0x00007FF791004000-memory.dmp	UPX
behavioral2/memory/2140-147-0x00007FF7D9440000-0x00007FF7D9794000-memory.dmp	UPX
behavioral2/memory/3264-148-0x00007FF7FC6D0000-0x00007FF7FCA24000-memory.dmp	UPX

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/1920-0-0x00007FF6F1480000-0x00007FF6F17D4000-memory.dmp	xmrig
behavioral2/files/0x00090000000233ea-4.dat	xmrig
behavioral2/memory/3980-8-0x00007FF66AB60000-0x00007FF66AEB4000-memory.dmp	xmrig
behavioral2/files/0x00070000000233f4-10.dat	xmrig
behavioral2/files/0x00070000000233f3-11.dat	xmrig
behavioral2/memory/2612-12-0x00007FF6E0CB0000-0x00007FF6E1004000-memory.dmp	xmrig
behavioral2/memory/4452-20-0x00007FF7754D0000-0x00007FF775824000-memory.dmp	xmrig
behavioral2/files/0x00070000000233f5-23.dat	xmrig
behavioral2/memory/1832-24-0x00007FF706550000-0x00007FF7068A4000-memory.dmp	xmrig
behavioral2/files/0x00070000000233f7-29.dat	xmrig
behavioral2/files/0x00070000000233f6-33.dat	xmrig
behavioral2/files/0x00070000000233f8-37.dat	xmrig
behavioral2/files/0x00070000000233f9-48.dat	xmrig
behavioral2/files/0x00070000000233fa-52.dat	xmrig
behavioral2/files/0x000a0000000233eb-57.dat	xmrig
behavioral2/files/0x00070000000233fb-59.dat	xmrig
behavioral2/memory/3912-62-0x00007FF790CB0000-0x00007FF791004000-memory.dmp	xmrig
behavioral2/files/0x00070000000233fc-72.dat	xmrig
behavioral2/memory/3264-71-0x00007FF7FC6D0000-0x00007FF7FCA24000-memory.dmp	xmrig
behavioral2/files/0x00070000000233fd-81.dat	xmrig
behavioral2/files/0x0007000000023403-100.dat	xmrig
behavioral2/files/0x0007000000023406-117.dat	xmrig
behavioral2/files/0x0007000000023405-115.dat	xmrig
behavioral2/files/0x0007000000023404-112.dat	xmrig
behavioral2/files/0x0007000000023402-103.dat	xmrig
behavioral2/files/0x0007000000023401-95.dat	xmrig
behavioral2/files/0x0007000000023400-90.dat	xmrig
behavioral2/files/0x00070000000233ff-86.dat	xmrig
behavioral2/memory/2140-68-0x00007FF7D9440000-0x00007FF7D9794000-memory.dmp	xmrig
behavioral2/memory/1976-64-0x00007FF7376C0000-0x00007FF737A14000-memory.dmp	xmrig
behavioral2/memory/1996-60-0x00007FF6BDF10000-0x00007FF6BE264000-memory.dmp	xmrig
behavioral2/memory/2136-39-0x00007FF6FD090000-0x00007FF6FD3E4000-memory.dmp	xmrig
behavioral2/memory/2948-36-0x00007FF7AE9D0000-0x00007FF7AED24000-memory.dmp	xmrig
behavioral2/memory/2144-30-0x00007FF6AEFC0000-0x00007FF6AF314000-memory.dmp	xmrig
behavioral2/memory/1920-119-0x00007FF6F1480000-0x00007FF6F17D4000-memory.dmp	xmrig
behavioral2/memory/760-120-0x00007FF775400000-0x00007FF775754000-memory.dmp	xmrig
behavioral2/memory/3600-123-0x00007FF642D10000-0x00007FF643064000-memory.dmp	xmrig
behavioral2/memory/2172-124-0x00007FF7FCC90000-0x00007FF7FCFE4000-memory.dmp	xmrig
behavioral2/memory/1592-125-0x00007FF680C80000-0x00007FF680FD4000-memory.dmp	xmrig
behavioral2/memory/4188-122-0x00007FF60D320000-0x00007FF60D674000-memory.dmp	xmrig
behavioral2/memory/1560-126-0x00007FF6609B0000-0x00007FF660D04000-memory.dmp	xmrig
behavioral2/memory/3136-121-0x00007FF6BAF30000-0x00007FF6BB284000-memory.dmp	xmrig
behavioral2/memory/3788-127-0x00007FF6DE990000-0x00007FF6DECE4000-memory.dmp	xmrig
behavioral2/memory/2220-128-0x00007FF6CA7C0000-0x00007FF6CAB14000-memory.dmp	xmrig
behavioral2/memory/3980-129-0x00007FF66AB60000-0x00007FF66AEB4000-memory.dmp	xmrig
behavioral2/memory/2612-130-0x00007FF6E0CB0000-0x00007FF6E1004000-memory.dmp	xmrig
behavioral2/memory/1832-131-0x00007FF706550000-0x00007FF7068A4000-memory.dmp	xmrig
behavioral2/memory/2144-132-0x00007FF6AEFC0000-0x00007FF6AF314000-memory.dmp	xmrig
behavioral2/memory/2948-133-0x00007FF7AE9D0000-0x00007FF7AED24000-memory.dmp	xmrig
behavioral2/memory/2136-134-0x00007FF6FD090000-0x00007FF6FD3E4000-memory.dmp	xmrig
behavioral2/memory/2140-135-0x00007FF7D9440000-0x00007FF7D9794000-memory.dmp	xmrig
behavioral2/memory/1976-136-0x00007FF7376C0000-0x00007FF737A14000-memory.dmp	xmrig
behavioral2/memory/3264-137-0x00007FF7FC6D0000-0x00007FF7FCA24000-memory.dmp	xmrig
behavioral2/memory/3980-138-0x00007FF66AB60000-0x00007FF66AEB4000-memory.dmp	xmrig
behavioral2/memory/2612-139-0x00007FF6E0CB0000-0x00007FF6E1004000-memory.dmp	xmrig
behavioral2/memory/4452-140-0x00007FF7754D0000-0x00007FF775824000-memory.dmp	xmrig
behavioral2/memory/1832-141-0x00007FF706550000-0x00007FF7068A4000-memory.dmp	xmrig
behavioral2/memory/2144-142-0x00007FF6AEFC0000-0x00007FF6AF314000-memory.dmp	xmrig
behavioral2/memory/2136-143-0x00007FF6FD090000-0x00007FF6FD3E4000-memory.dmp	xmrig
behavioral2/memory/2948-144-0x00007FF7AE9D0000-0x00007FF7AED24000-memory.dmp	xmrig
behavioral2/memory/1996-145-0x00007FF6BDF10000-0x00007FF6BE264000-memory.dmp	xmrig
behavioral2/memory/3912-146-0x00007FF790CB0000-0x00007FF791004000-memory.dmp	xmrig
behavioral2/memory/2140-147-0x00007FF7D9440000-0x00007FF7D9794000-memory.dmp	xmrig
behavioral2/memory/3264-148-0x00007FF7FC6D0000-0x00007FF7FCA24000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
3980	xIUttia.exe
2612	iXyRZeq.exe
4452	OMegZrA.exe
1832	EkArEbC.exe
2144	BmNilDb.exe
2948	iwVjgGD.exe
2136	hqmFTep.exe
1996	atEjRrl.exe
3912	aSpRErZ.exe
1976	SbDVbyL.exe
2140	PtaeGtp.exe
3264	qiEpzmB.exe
760	lsIuKlo.exe
3136	hzroJTS.exe
4188	HpKpTlJ.exe
3600	PSKFIfM.exe
2172	wVNGavI.exe
1592	CBxtNQT.exe
1560	rsZMTQQ.exe
3788	xkLJurx.exe
2220	GzBpVvt.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1920-0-0x00007FF6F1480000-0x00007FF6F17D4000-memory.dmp	upx
behavioral2/files/0x00090000000233ea-4.dat	upx
behavioral2/memory/3980-8-0x00007FF66AB60000-0x00007FF66AEB4000-memory.dmp	upx
behavioral2/files/0x00070000000233f4-10.dat	upx
behavioral2/files/0x00070000000233f3-11.dat	upx
behavioral2/memory/2612-12-0x00007FF6E0CB0000-0x00007FF6E1004000-memory.dmp	upx
behavioral2/memory/4452-20-0x00007FF7754D0000-0x00007FF775824000-memory.dmp	upx
behavioral2/files/0x00070000000233f5-23.dat	upx
behavioral2/memory/1832-24-0x00007FF706550000-0x00007FF7068A4000-memory.dmp	upx
behavioral2/files/0x00070000000233f7-29.dat	upx
behavioral2/files/0x00070000000233f6-33.dat	upx
behavioral2/files/0x00070000000233f8-37.dat	upx
behavioral2/files/0x00070000000233f9-48.dat	upx
behavioral2/files/0x00070000000233fa-52.dat	upx
behavioral2/files/0x000a0000000233eb-57.dat	upx
behavioral2/files/0x00070000000233fb-59.dat	upx
behavioral2/memory/3912-62-0x00007FF790CB0000-0x00007FF791004000-memory.dmp	upx
behavioral2/files/0x00070000000233fc-72.dat	upx
behavioral2/memory/3264-71-0x00007FF7FC6D0000-0x00007FF7FCA24000-memory.dmp	upx
behavioral2/files/0x00070000000233fd-81.dat	upx
behavioral2/files/0x0007000000023403-100.dat	upx
behavioral2/files/0x0007000000023406-117.dat	upx
behavioral2/files/0x0007000000023405-115.dat	upx
behavioral2/files/0x0007000000023404-112.dat	upx
behavioral2/files/0x0007000000023402-103.dat	upx
behavioral2/files/0x0007000000023401-95.dat	upx
behavioral2/files/0x0007000000023400-90.dat	upx
behavioral2/files/0x00070000000233ff-86.dat	upx
behavioral2/memory/2140-68-0x00007FF7D9440000-0x00007FF7D9794000-memory.dmp	upx
behavioral2/memory/1976-64-0x00007FF7376C0000-0x00007FF737A14000-memory.dmp	upx
behavioral2/memory/1996-60-0x00007FF6BDF10000-0x00007FF6BE264000-memory.dmp	upx
behavioral2/memory/2136-39-0x00007FF6FD090000-0x00007FF6FD3E4000-memory.dmp	upx
behavioral2/memory/2948-36-0x00007FF7AE9D0000-0x00007FF7AED24000-memory.dmp	upx
behavioral2/memory/2144-30-0x00007FF6AEFC0000-0x00007FF6AF314000-memory.dmp	upx
behavioral2/memory/1920-119-0x00007FF6F1480000-0x00007FF6F17D4000-memory.dmp	upx
behavioral2/memory/760-120-0x00007FF775400000-0x00007FF775754000-memory.dmp	upx
behavioral2/memory/3600-123-0x00007FF642D10000-0x00007FF643064000-memory.dmp	upx
behavioral2/memory/2172-124-0x00007FF7FCC90000-0x00007FF7FCFE4000-memory.dmp	upx
behavioral2/memory/1592-125-0x00007FF680C80000-0x00007FF680FD4000-memory.dmp	upx
behavioral2/memory/4188-122-0x00007FF60D320000-0x00007FF60D674000-memory.dmp	upx
behavioral2/memory/1560-126-0x00007FF6609B0000-0x00007FF660D04000-memory.dmp	upx
behavioral2/memory/3136-121-0x00007FF6BAF30000-0x00007FF6BB284000-memory.dmp	upx
behavioral2/memory/3788-127-0x00007FF6DE990000-0x00007FF6DECE4000-memory.dmp	upx
behavioral2/memory/2220-128-0x00007FF6CA7C0000-0x00007FF6CAB14000-memory.dmp	upx
behavioral2/memory/3980-129-0x00007FF66AB60000-0x00007FF66AEB4000-memory.dmp	upx
behavioral2/memory/2612-130-0x00007FF6E0CB0000-0x00007FF6E1004000-memory.dmp	upx
behavioral2/memory/1832-131-0x00007FF706550000-0x00007FF7068A4000-memory.dmp	upx
behavioral2/memory/2144-132-0x00007FF6AEFC0000-0x00007FF6AF314000-memory.dmp	upx
behavioral2/memory/2948-133-0x00007FF7AE9D0000-0x00007FF7AED24000-memory.dmp	upx
behavioral2/memory/2136-134-0x00007FF6FD090000-0x00007FF6FD3E4000-memory.dmp	upx
behavioral2/memory/2140-135-0x00007FF7D9440000-0x00007FF7D9794000-memory.dmp	upx
behavioral2/memory/1976-136-0x00007FF7376C0000-0x00007FF737A14000-memory.dmp	upx
behavioral2/memory/3264-137-0x00007FF7FC6D0000-0x00007FF7FCA24000-memory.dmp	upx
behavioral2/memory/3980-138-0x00007FF66AB60000-0x00007FF66AEB4000-memory.dmp	upx
behavioral2/memory/2612-139-0x00007FF6E0CB0000-0x00007FF6E1004000-memory.dmp	upx
behavioral2/memory/4452-140-0x00007FF7754D0000-0x00007FF775824000-memory.dmp	upx
behavioral2/memory/1832-141-0x00007FF706550000-0x00007FF7068A4000-memory.dmp	upx
behavioral2/memory/2144-142-0x00007FF6AEFC0000-0x00007FF6AF314000-memory.dmp	upx
behavioral2/memory/2136-143-0x00007FF6FD090000-0x00007FF6FD3E4000-memory.dmp	upx
behavioral2/memory/2948-144-0x00007FF7AE9D0000-0x00007FF7AED24000-memory.dmp	upx
behavioral2/memory/1996-145-0x00007FF6BDF10000-0x00007FF6BE264000-memory.dmp	upx
behavioral2/memory/3912-146-0x00007FF790CB0000-0x00007FF791004000-memory.dmp	upx
behavioral2/memory/2140-147-0x00007FF7D9440000-0x00007FF7D9794000-memory.dmp	upx
behavioral2/memory/3264-148-0x00007FF7FC6D0000-0x00007FF7FCA24000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\BmNilDb.exe	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\aSpRErZ.exe	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\qiEpzmB.exe	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\rsZMTQQ.exe	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\hzroJTS.exe	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\xIUttia.exe	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\iXyRZeq.exe	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\EkArEbC.exe	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\SbDVbyL.exe	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\PtaeGtp.exe	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\lsIuKlo.exe	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\OMegZrA.exe	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\iwVjgGD.exe	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\hqmFTep.exe	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\HpKpTlJ.exe	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\wVNGavI.exe	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\xkLJurx.exe	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\atEjRrl.exe	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\PSKFIfM.exe	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\CBxtNQT.exe	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\GzBpVvt.exe	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1920	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	1920	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 1920 wrote to memory of 3980	1920	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe	83
PID 1920 wrote to memory of 3980	1920	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe	83
PID 1920 wrote to memory of 2612	1920	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe	85
PID 1920 wrote to memory of 2612	1920	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe	85
PID 1920 wrote to memory of 4452	1920	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe	86
PID 1920 wrote to memory of 4452	1920	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe	86
PID 1920 wrote to memory of 1832	1920	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe	87
PID 1920 wrote to memory of 1832	1920	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe	87
PID 1920 wrote to memory of 2948	1920	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe	88
PID 1920 wrote to memory of 2948	1920	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe	88
PID 1920 wrote to memory of 2144	1920	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe	89
PID 1920 wrote to memory of 2144	1920	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe	89
PID 1920 wrote to memory of 2136	1920	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe	90
PID 1920 wrote to memory of 2136	1920	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe	90
PID 1920 wrote to memory of 1996	1920	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe	91
PID 1920 wrote to memory of 1996	1920	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe	91
PID 1920 wrote to memory of 3912	1920	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe	92
PID 1920 wrote to memory of 3912	1920	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe	92
PID 1920 wrote to memory of 1976	1920	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe	93
PID 1920 wrote to memory of 1976	1920	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe	93
PID 1920 wrote to memory of 2140	1920	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe	94
PID 1920 wrote to memory of 2140	1920	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe	94
PID 1920 wrote to memory of 3264	1920	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe	95
PID 1920 wrote to memory of 3264	1920	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe	95
PID 1920 wrote to memory of 760	1920	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe	96
PID 1920 wrote to memory of 760	1920	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe	96
PID 1920 wrote to memory of 3136	1920	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe	97
PID 1920 wrote to memory of 3136	1920	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe	97
PID 1920 wrote to memory of 4188	1920	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe	98
PID 1920 wrote to memory of 4188	1920	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe	98
PID 1920 wrote to memory of 3600	1920	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe	99
PID 1920 wrote to memory of 3600	1920	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe	99
PID 1920 wrote to memory of 2172	1920	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe	100
PID 1920 wrote to memory of 2172	1920	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe	100
PID 1920 wrote to memory of 1592	1920	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe	101
PID 1920 wrote to memory of 1592	1920	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe	101
PID 1920 wrote to memory of 1560	1920	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe	102
PID 1920 wrote to memory of 1560	1920	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe	102
PID 1920 wrote to memory of 3788	1920	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe	103
PID 1920 wrote to memory of 3788	1920	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe	103
PID 1920 wrote to memory of 2220	1920	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe	104
PID 1920 wrote to memory of 2220	1920	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe	104

C:\Users\Admin\AppData\Local\Temp\2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1920
- C:\Windows\System\xIUttia.exe
  C:\Windows\System\xIUttia.exe
  2⤵
  - Executes dropped EXE
  PID:3980
- C:\Windows\System\iXyRZeq.exe
  C:\Windows\System\iXyRZeq.exe
  2⤵
  - Executes dropped EXE
  PID:2612
- C:\Windows\System\OMegZrA.exe
  C:\Windows\System\OMegZrA.exe
  2⤵
  - Executes dropped EXE
  PID:4452
- C:\Windows\System\EkArEbC.exe
  C:\Windows\System\EkArEbC.exe
  2⤵
  - Executes dropped EXE
  PID:1832
- C:\Windows\System\iwVjgGD.exe
  C:\Windows\System\iwVjgGD.exe
  2⤵
  - Executes dropped EXE
  PID:2948
- C:\Windows\System\BmNilDb.exe
  C:\Windows\System\BmNilDb.exe
  2⤵
  - Executes dropped EXE
  PID:2144
- C:\Windows\System\hqmFTep.exe
  C:\Windows\System\hqmFTep.exe
  2⤵
  - Executes dropped EXE
  PID:2136
- C:\Windows\System\atEjRrl.exe
  C:\Windows\System\atEjRrl.exe
  2⤵
  - Executes dropped EXE
  PID:1996
- C:\Windows\System\aSpRErZ.exe
  C:\Windows\System\aSpRErZ.exe
  2⤵
  - Executes dropped EXE
  PID:3912
- C:\Windows\System\SbDVbyL.exe
  C:\Windows\System\SbDVbyL.exe
  2⤵
  - Executes dropped EXE
  PID:1976
- C:\Windows\System\PtaeGtp.exe
  C:\Windows\System\PtaeGtp.exe
  2⤵
  - Executes dropped EXE
  PID:2140
- C:\Windows\System\qiEpzmB.exe
  C:\Windows\System\qiEpzmB.exe
  2⤵
  - Executes dropped EXE
  PID:3264
- C:\Windows\System\lsIuKlo.exe
  C:\Windows\System\lsIuKlo.exe
  2⤵
  - Executes dropped EXE
  PID:760
- C:\Windows\System\hzroJTS.exe
  C:\Windows\System\hzroJTS.exe
  2⤵
  - Executes dropped EXE
  PID:3136
- C:\Windows\System\HpKpTlJ.exe
  C:\Windows\System\HpKpTlJ.exe
  2⤵
  - Executes dropped EXE
  PID:4188
- C:\Windows\System\PSKFIfM.exe
  C:\Windows\System\PSKFIfM.exe
  2⤵
  - Executes dropped EXE
  PID:3600
- C:\Windows\System\wVNGavI.exe
  C:\Windows\System\wVNGavI.exe
  2⤵
  - Executes dropped EXE
  PID:2172
- C:\Windows\System\CBxtNQT.exe
  C:\Windows\System\CBxtNQT.exe
  2⤵
  - Executes dropped EXE
  PID:1592
- C:\Windows\System\rsZMTQQ.exe
  C:\Windows\System\rsZMTQQ.exe
  2⤵
  - Executes dropped EXE
  PID:1560
- C:\Windows\System\xkLJurx.exe
  C:\Windows\System\xkLJurx.exe
  2⤵
  - Executes dropped EXE
  PID:3788
- C:\Windows\System\GzBpVvt.exe
  C:\Windows\System\GzBpVvt.exe
  2⤵
  - Executes dropped EXE
  PID:2220

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\BmNilDb.exe

Filesize
5.9MB

MD5
076d6d7c34d78cfa42c351c6aa5bdf0a

SHA1
044af3e8604e91738eb2cd8354446e041d9c854b

SHA256
c5fcf08c8e5986fd951ac5d6f1919b178d53c3679bc62e32469bbe3881fd2965

SHA512
be7c5cd4ad9438a3455bcbeb40470b8794519838dd07db35d86dc8360dcfee0e713c3ffaa90e0e3fcb770ed689c3257fbf677bb03568734a1c5b1d60b64d1d3f

Download Submit
C:\Windows\System\CBxtNQT.exe

Filesize
5.9MB

MD5
e06730c8a600ab7aa915e9975e600a7b

SHA1
b15b3e64a25fe283c8c0959665c948e05694aaf9

SHA256
4c76ef9292a970dee241182402102457e26ca1ae7d60825dce1ee2a5b31ce584

SHA512
8260537b9e7ac43ec39fd0cfd40cf8ee4cdf048f7963927d413586b0a5191774668f30ef0242bc52e724015c2672c753ce8ff7648f6c6e8721180e2cf8c09874

Download Submit
C:\Windows\System\EkArEbC.exe

Filesize
5.9MB

MD5
6acdb7f94dd7a35d392ffec3a4e773c3

SHA1
da28ded8d12a97b56b93292a78e5c8adfeb940f8

SHA256
3f3b239882ee88da34b691d762588437598ef6b055529a8da31ff69f3164704a

SHA512
5d44d22d39968eff68901dc28d451959b91d4bcc791f742ee229a0a2e9f8b09de784fdbd2e2937fe2e6ad7f33c090156d9d624546d0a72bc61a2050ec3dc193a

Download Submit
C:\Windows\System\GzBpVvt.exe

Filesize
5.9MB

MD5
173a4d0df9e365310a2f2f232c34afe4

SHA1
4301c6add570b5a6ae80b876cc1a838364705b2c

SHA256
b178805e8b4ee5ecb12b6ac655d46d538494d1149934b2ab599e7d140330f829

SHA512
dc80b2cba61b8ff6a25bc3899b8e1f8630373534e97afc2f795cee178180d5762f76ca3e22f744f6023e53dba2b06d56cc4b7e0b198eecd9d56c6d7d3bf2593a

Download Submit
C:\Windows\System\HpKpTlJ.exe

Filesize
5.9MB

MD5
82cb98afec5ddbf7866e220748323b26

SHA1
0052626241510dada42a446fdfb8ee81825cdc7b

SHA256
9ef5d0deea73bdf3aa72ab953727bbacdd763ae2a9315e539c6716894de5e855

SHA512
682ca2f3b89777d90a74e32d8cfd7b62f7f7851eb32fafc7d173bdec9e652dbd01fb311ec26ce61ec23e391d160854b7a5e4c763cf0bc637419aa9e39faae3ca

Download Submit
C:\Windows\System\OMegZrA.exe

Filesize
5.9MB

MD5
0b19319807c8f302fff7624796b1aa0f

SHA1
3d8a1f0f3f34bd03baeac3cd584dbf9b18cef349

SHA256
be8009faa4467007e048c6fc7693d7a0648bd9f1b1209eea9fabd490a45f7b86

SHA512
9a919c687dfe283ae218a5d984663788d54f85cdf7ac034b79126e3ec40a24524f3b8ae11b459e70b7eb2351a4c8aeaedf2e9c9e1ac00c1362810a715025d23b

Download Submit
C:\Windows\System\PSKFIfM.exe

Filesize
5.9MB

MD5
e3a60e0aebb2ccde299c1760f6e79f92

SHA1
bf62c7d1665ad22bb0cace14a7ac9cb55035bb2b

SHA256
29a2ff4a3be94cdfdc79f86470828bc55efb649fc7198495e6a5737a0897af52

SHA512
d7ed48073ad567326b6f48a90d929ac852254680233660cfdd5af0723d6ae72ace2a965d6fc03b3a2a9f3eb4274f7371f22f68c9f6196160d6c49f1e2cb4c5bb

Download Submit
C:\Windows\System\PtaeGtp.exe

Filesize
5.9MB

MD5
bc951d066d7e8f95d61adffd30336c33

SHA1
36782bf83a3fd9575ce65fc5c3fe06588a2737a4

SHA256
cba3968228a17274f45f2577aa87ce372b12fda31ed47eafe7b47b8cd8fe9cd1

SHA512
d643a879fecdaaf735398e372e806c8e6244b2b3de8e4ee895b11afbb62fe5ffd2e332c07a08a6dbfa2f167f5728a7cb38c9871c62491bd4917237eeac86dc01

Download Submit
C:\Windows\System\SbDVbyL.exe

Filesize
5.9MB

MD5
ea243355682d00abaa75aa5faee76428

SHA1
2ce35d89a7515429990400e84c970c33c5002e6c

SHA256
d6b2f340d8eccd57fa9d68e86ad580863e98c7e566e77d1a1e960f3d89fb2052

SHA512
6569ad89f52da3931119cf80b911528fb57fea8e2f7afcf8adc6c67227655d045ac5529b66863a3bb6ccf074afff9450b97102c1883e19ccf30238ced9e61f44

Download Submit
C:\Windows\System\aSpRErZ.exe

Filesize
5.9MB

MD5
a25f03c5ca806657f204038e66c6faf0

SHA1
424b9d1c673888c3a9d3edb4bac2ca26312cf0a7

SHA256
777bf7fdad74b5487995d69136f04073e859a0efb17eaa70f5723761df49bcdf

SHA512
044bfffc3cff2e3cfefd42df605294bd33f7ee07f759635b9334df6419ee896f15982c20b4672a59de3c7d0a9eebf003406edcb1833d88c6ef5a7978406e4414

Download Submit
C:\Windows\System\atEjRrl.exe

Filesize
5.9MB

MD5
fbdab45f2c133e9cf4527033966f6591

SHA1
21c02928ccf114ebcef118882cecf6518286e393

SHA256
b37df4e22fa8c2915840d7f101a1c75f4e56e4eb1f53e4859b47f91197e963ea

SHA512
52541dfcd3efd0d3c13d6cfd85f047def6158576f53eef0e58364a787b97f226e2c30d52bd409ce3b876173bd08818b52c27955bd28d915710d4379aa78f1ff1

Download Submit
C:\Windows\System\hqmFTep.exe

Filesize
5.9MB

MD5
add223615610735f034e7b872db43230

SHA1
0b01f2618702020a614d5d5d6e2a193f75fcaee5

SHA256
dbc4990a617b6220792c4248837520cb70099724d013ae28b0160d87301d209d

SHA512
3caedcbfce6a7d06338d339351be3711b537940443006352c253c46db5f4e146a9c702ec339e4d77c0054439b6f7e4f0bfd5a7356f4a6a249ead0d337f9e15a2

Download Submit
C:\Windows\System\hzroJTS.exe

Filesize
5.9MB

MD5
feb30dc6597f3cb193f7d3e94b853a02

SHA1
f884be67c293357db477c2352d25dd3f9aedb3d5

SHA256
d5d60c4bb2406a9326dcbf3bcc84a96edd372ba76d722d7832d8137c8ccfdfae

SHA512
8d0d7be84024cf9630a075e3fc5c0c7372d7d36812f4611ea73c21f99c99b5961bfa6d6eac16b070cf84f3cbed94b57947f27b93c80f47af994e113e2e6e81de

Download Submit
C:\Windows\System\iXyRZeq.exe

Filesize
5.9MB

MD5
bd5652bea0be3209dafd1c0b22ddf9b1

SHA1
ae0bcf70fb4717d4fedd04e209da426cf575a6ba

SHA256
bda287214cf31f94c63abef3b62b81da6a132ea6a43f5e29aa35c6033d06fe86

SHA512
65ff9451ada555ddb2e7aedc2b14fc4404052049402b7f232078ad85541715a3b46de096e66e6ca078f87ad58b913d2f86e48377d327bc92771be7a5d68dfa85

Download Submit
C:\Windows\System\iwVjgGD.exe

Filesize
5.9MB

MD5
247d69728a81c5b36ffd3638fa17dc34

SHA1
ef6b982b1137176448c64d0a74a9cddfc571ecf8

SHA256
5d94deb6bf7e26a0816d4e3bc3a5320331c9d6511cc3f341cfbf00716f93f0b2

SHA512
9ae7c53d2111c1c8bcbe6f522fb70d04f1b920b53caadaf08667b2614524ae0e781a42e36b55959c2e7cb4b1981ba1ff762bc42e0f325b14370bb791162a56aa

Download Submit
C:\Windows\System\lsIuKlo.exe

Filesize
5.9MB

MD5
a683e2890d3d8dc385360c5ead12c5de

SHA1
9106d5ff524ba0cb89f2160a3387eeaaa2dde4b8

SHA256
9a4423f9584fb7e64cc4db5ee51ad9e4a9cce3c0d7a096a64cc662acbd7c55e6

SHA512
f1f7504d6f69420d9e68b212d1d6b5f49002cab12c5595ca2b350d6097a1ab086005a1e0bd64c570a14cbc12c439a04fc4c52a63f06008d32dd92596fb00cc3e

Download Submit
C:\Windows\System\qiEpzmB.exe

Filesize
5.9MB

MD5
ec2cdac2d28aac477b92f59cfda95f8a

SHA1
d2e0980b7c603dd0e302744c8b4b23224882a4c8

SHA256
1e23d2cc5c9b29fe28e60b3da1e6e0a8f051d405557bc13518ba78b16fa1f872

SHA512
785714f79f08efe90e8a9467788141db4e8280a10951cadac3615255f9875c08aeb59f22853b7dd9b08a6bdceb06b79babb7aa086d58a6e4abaa7106fdd1c885

Download Submit
C:\Windows\System\rsZMTQQ.exe

Filesize
5.9MB

MD5
a42ae5c26492287bf9244335554e18d9

SHA1
d7088eb21c7c2858dbe2d23272cfddd288370bf6

SHA256
a51c2b5682da955f11d5a38eb4cea43948121dd2472b0ac52bc71e5fb177263b

SHA512
b97d6aefb228056b147377f08aa4bb0aa4acf8b9f353d57c29963cebf83734801a0087485f8f936f9dce08df357a87b3d726439b160a5ba96975287282cae847

Download Submit
C:\Windows\System\wVNGavI.exe

Filesize
5.9MB

MD5
221f66433ed60584cc07a7daa1d537ab

SHA1
8ea0cae839add18a33a884a8cfa50dbbc29eb1d9

SHA256
3fb70b186cd0d79c978470641bdcb67b2594566c850684c3ea464c5f8e0818a6

SHA512
087747290829f21a8e9527c239045c25c79297d0765093d5ffae18fc67a313bfe244c71c6f74d4260627df3ecf397123da98990b7d8c4540f84df4d24b66cd68

Download Submit
C:\Windows\System\xIUttia.exe

Filesize
5.9MB

MD5
15971c3a967e8175aba8f4fc79a53f8b

SHA1
52295ffb22935781547d01b1e8dd37c661ab0c87

SHA256
e50f3e6c8cb686460a57dbc94f8a2f729b6b5acbb6e063cfdfc615c63c9624cd

SHA512
a9eb7aa1c5b998fdac8c031e039041c3f1200322af1a41c69bd310032c70e9df083b9f7742e61d018c4941668b93d89ef36e5e40b873dc02cce8c361ccc771f8

Download Submit
C:\Windows\System\xkLJurx.exe

Filesize
5.9MB

MD5
2bac9d52ad7378bce41051af48afb70d

SHA1
576487c580ec2b9c826e28527f87fcc0713acd40

SHA256
413908d0076fcf04189df16092e07bf0fe9e0aa1d70ba653921dec312720933b

SHA512
3c800d8a5e28137ae7bc854b698af75ddce4f7d668401e22f2266797274d88541f6f921db4179dd2a4cd5d544af13e87e6cf87aa5b524009fe7f0cfe1a40e43e

Download Submit
memory/760-150-0x00007FF775400000-0x00007FF775754000-memory.dmp

Filesize
3.3MB

Download
memory/760-120-0x00007FF775400000-0x00007FF775754000-memory.dmp

Filesize
3.3MB

Download
memory/1560-157-0x00007FF6609B0000-0x00007FF660D04000-memory.dmp

Filesize
3.3MB

Download
memory/1560-126-0x00007FF6609B0000-0x00007FF660D04000-memory.dmp

Filesize
3.3MB

Download
memory/1592-155-0x00007FF680C80000-0x00007FF680FD4000-memory.dmp

Filesize
3.3MB

Download
memory/1592-125-0x00007FF680C80000-0x00007FF680FD4000-memory.dmp

Filesize
3.3MB

Download
memory/1832-131-0x00007FF706550000-0x00007FF7068A4000-memory.dmp

Filesize
3.3MB

Download
memory/1832-141-0x00007FF706550000-0x00007FF7068A4000-memory.dmp

Filesize
3.3MB

Download
memory/1832-24-0x00007FF706550000-0x00007FF7068A4000-memory.dmp

Filesize
3.3MB

Download
memory/1920-119-0x00007FF6F1480000-0x00007FF6F17D4000-memory.dmp

Filesize
3.3MB

Download
memory/1920-1-0x000001E6F3940000-0x000001E6F3950000-memory.dmp

Filesize
64KB

Download
memory/1920-0-0x00007FF6F1480000-0x00007FF6F17D4000-memory.dmp

Filesize
3.3MB

Download
memory/1976-136-0x00007FF7376C0000-0x00007FF737A14000-memory.dmp

Filesize
3.3MB

Download
memory/1976-64-0x00007FF7376C0000-0x00007FF737A14000-memory.dmp

Filesize
3.3MB

Download
memory/1976-149-0x00007FF7376C0000-0x00007FF737A14000-memory.dmp

Filesize
3.3MB

Download
memory/1996-145-0x00007FF6BDF10000-0x00007FF6BE264000-memory.dmp

Filesize
3.3MB

Download
memory/1996-60-0x00007FF6BDF10000-0x00007FF6BE264000-memory.dmp

Filesize
3.3MB

Download
memory/2136-134-0x00007FF6FD090000-0x00007FF6FD3E4000-memory.dmp

Filesize
3.3MB

Download
memory/2136-143-0x00007FF6FD090000-0x00007FF6FD3E4000-memory.dmp

Filesize
3.3MB

Download
memory/2136-39-0x00007FF6FD090000-0x00007FF6FD3E4000-memory.dmp

Filesize
3.3MB

Download
memory/2140-147-0x00007FF7D9440000-0x00007FF7D9794000-memory.dmp

Filesize
3.3MB

Download
memory/2140-135-0x00007FF7D9440000-0x00007FF7D9794000-memory.dmp

Filesize
3.3MB

Download
memory/2140-68-0x00007FF7D9440000-0x00007FF7D9794000-memory.dmp

Filesize
3.3MB

Download
memory/2144-142-0x00007FF6AEFC0000-0x00007FF6AF314000-memory.dmp

Filesize
3.3MB

Download
memory/2144-30-0x00007FF6AEFC0000-0x00007FF6AF314000-memory.dmp

Filesize
3.3MB

Download
memory/2144-132-0x00007FF6AEFC0000-0x00007FF6AF314000-memory.dmp

Filesize
3.3MB

Download
memory/2172-124-0x00007FF7FCC90000-0x00007FF7FCFE4000-memory.dmp

Filesize
3.3MB

Download
memory/2172-154-0x00007FF7FCC90000-0x00007FF7FCFE4000-memory.dmp

Filesize
3.3MB

Download
memory/2220-158-0x00007FF6CA7C0000-0x00007FF6CAB14000-memory.dmp

Filesize
3.3MB

Download
memory/2220-128-0x00007FF6CA7C0000-0x00007FF6CAB14000-memory.dmp

Filesize
3.3MB

Download
memory/2612-139-0x00007FF6E0CB0000-0x00007FF6E1004000-memory.dmp

Filesize
3.3MB

Download
memory/2612-130-0x00007FF6E0CB0000-0x00007FF6E1004000-memory.dmp

Filesize
3.3MB

Download
memory/2612-12-0x00007FF6E0CB0000-0x00007FF6E1004000-memory.dmp

Filesize
3.3MB

Download
memory/2948-133-0x00007FF7AE9D0000-0x00007FF7AED24000-memory.dmp

Filesize
3.3MB

Download
memory/2948-36-0x00007FF7AE9D0000-0x00007FF7AED24000-memory.dmp

Filesize
3.3MB

Download
memory/2948-144-0x00007FF7AE9D0000-0x00007FF7AED24000-memory.dmp

Filesize
3.3MB

Download
memory/3136-121-0x00007FF6BAF30000-0x00007FF6BB284000-memory.dmp

Filesize
3.3MB

Download
memory/3136-151-0x00007FF6BAF30000-0x00007FF6BB284000-memory.dmp

Filesize
3.3MB

Download
memory/3264-71-0x00007FF7FC6D0000-0x00007FF7FCA24000-memory.dmp

Filesize
3.3MB

Download
memory/3264-137-0x00007FF7FC6D0000-0x00007FF7FCA24000-memory.dmp

Filesize
3.3MB

Download
memory/3264-148-0x00007FF7FC6D0000-0x00007FF7FCA24000-memory.dmp

Filesize
3.3MB

Download
memory/3600-153-0x00007FF642D10000-0x00007FF643064000-memory.dmp

Filesize
3.3MB

Download
memory/3600-123-0x00007FF642D10000-0x00007FF643064000-memory.dmp

Filesize
3.3MB

Download
memory/3788-127-0x00007FF6DE990000-0x00007FF6DECE4000-memory.dmp

Filesize
3.3MB

Download
memory/3788-156-0x00007FF6DE990000-0x00007FF6DECE4000-memory.dmp

Filesize
3.3MB

Download
memory/3912-146-0x00007FF790CB0000-0x00007FF791004000-memory.dmp

Filesize
3.3MB

Download
memory/3912-62-0x00007FF790CB0000-0x00007FF791004000-memory.dmp

Filesize
3.3MB

Download
memory/3980-138-0x00007FF66AB60000-0x00007FF66AEB4000-memory.dmp

Filesize
3.3MB

Download
memory/3980-129-0x00007FF66AB60000-0x00007FF66AEB4000-memory.dmp

Filesize
3.3MB

Download
memory/3980-8-0x00007FF66AB60000-0x00007FF66AEB4000-memory.dmp

Filesize
3.3MB

Download
memory/4188-122-0x00007FF60D320000-0x00007FF60D674000-memory.dmp

Filesize
3.3MB

Download
memory/4188-152-0x00007FF60D320000-0x00007FF60D674000-memory.dmp

Filesize
3.3MB

Download
memory/4452-140-0x00007FF7754D0000-0x00007FF775824000-memory.dmp

Filesize
3.3MB

Download
memory/4452-20-0x00007FF7754D0000-0x00007FF775824000-memory.dmp

Filesize
3.3MB

Download