cobaltstrike | 0cea98aa56189ccc85bdb3a252b6adbe7556a6f600499826e67b487be2e1c2f1

Analysis

max time kernel
141s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
11/06/2024, 00:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe
Size

5.9MB
MD5

6559d04b9bf2fafd9a442c8d2142a22a
SHA1

f565c01f71a5af87e138a93462f53d842c4180de
SHA256

0cea98aa56189ccc85bdb3a252b6adbe7556a6f600499826e67b487be2e1c2f1
SHA512

0ae4afcb4404fa40917fa2ffd67ab0277e5dd5607a52671d0092f790487af7211fc5516eae375fdf597a5006b151a7f2973048b6f844a58b0a8ad1665864dc6c
SSDEEP

98304:oemTLkNdfE0pZrt56utgpPFotBER/mQ32lUm:T+856utgpPF8u/7m

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0005000000022f40-4.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023417-9.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023419-24.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023418-28.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023413-12.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002341a-36.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023414-41.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002341b-46.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002341d-53.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002341e-61.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023420-65.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023422-76.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023421-77.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023424-87.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023423-91.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023425-98.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023426-101.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023428-116.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002342a-125.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023429-126.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023427-108.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

resource	yara_rule
behavioral2/files/0x0005000000022f40-4.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023417-9.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023419-24.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023418-28.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0008000000023413-12.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002341a-36.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0008000000023414-41.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002341b-46.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002341d-53.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002341e-61.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023420-65.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023422-76.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023421-77.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023424-87.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023423-91.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023425-98.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023426-101.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023428-116.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002342a-125.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023429-126.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023427-108.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

resource	yara_rule
behavioral2/memory/3252-0-0x00007FF68E600000-0x00007FF68E954000-memory.dmp	UPX
behavioral2/files/0x0005000000022f40-4.dat	UPX
behavioral2/files/0x0007000000023417-9.dat	UPX
behavioral2/memory/456-11-0x00007FF6946A0000-0x00007FF6949F4000-memory.dmp	UPX
behavioral2/memory/1868-14-0x00007FF7BA650000-0x00007FF7BA9A4000-memory.dmp	UPX
behavioral2/files/0x0007000000023419-24.dat	UPX
behavioral2/files/0x0007000000023418-28.dat	UPX
behavioral2/memory/4416-22-0x00007FF64FB60000-0x00007FF64FEB4000-memory.dmp	UPX
behavioral2/files/0x0008000000023413-12.dat	UPX
behavioral2/memory/4860-31-0x00007FF7A0AC0000-0x00007FF7A0E14000-memory.dmp	UPX
behavioral2/memory/1532-32-0x00007FF60A3B0000-0x00007FF60A704000-memory.dmp	UPX
behavioral2/files/0x000700000002341a-36.dat	UPX
behavioral2/files/0x0008000000023414-41.dat	UPX
behavioral2/memory/2268-43-0x00007FF66A160000-0x00007FF66A4B4000-memory.dmp	UPX
behavioral2/memory/60-38-0x00007FF7A57C0000-0x00007FF7A5B14000-memory.dmp	UPX
behavioral2/files/0x000700000002341b-46.dat	UPX
behavioral2/files/0x000700000002341d-53.dat	UPX
behavioral2/memory/4300-50-0x00007FF7A37A0000-0x00007FF7A3AF4000-memory.dmp	UPX
behavioral2/memory/3556-58-0x00007FF664C20000-0x00007FF664F74000-memory.dmp	UPX
behavioral2/memory/2156-60-0x00007FF726D10000-0x00007FF727064000-memory.dmp	UPX
behavioral2/files/0x000700000002341e-61.dat	UPX
behavioral2/files/0x0007000000023420-65.dat	UPX
behavioral2/memory/3252-67-0x00007FF68E600000-0x00007FF68E954000-memory.dmp	UPX
behavioral2/files/0x0007000000023422-76.dat	UPX
behavioral2/files/0x0007000000023421-77.dat	UPX
behavioral2/files/0x0007000000023424-87.dat	UPX
behavioral2/memory/620-88-0x00007FF7F0460000-0x00007FF7F07B4000-memory.dmp	UPX
behavioral2/memory/4416-90-0x00007FF64FB60000-0x00007FF64FEB4000-memory.dmp	UPX
behavioral2/memory/3652-92-0x00007FF7980D0000-0x00007FF798424000-memory.dmp	UPX
behavioral2/files/0x0007000000023423-91.dat	UPX
behavioral2/memory/3376-89-0x00007FF6756F0000-0x00007FF675A44000-memory.dmp	UPX
behavioral2/memory/1868-82-0x00007FF7BA650000-0x00007FF7BA9A4000-memory.dmp	UPX
behavioral2/memory/756-75-0x00007FF734490000-0x00007FF7347E4000-memory.dmp	UPX
behavioral2/memory/4532-71-0x00007FF6BFC60000-0x00007FF6BFFB4000-memory.dmp	UPX
behavioral2/files/0x0007000000023425-98.dat	UPX
behavioral2/memory/3300-102-0x00007FF7211F0000-0x00007FF721544000-memory.dmp	UPX
behavioral2/files/0x0007000000023426-101.dat	UPX
behavioral2/memory/2268-111-0x00007FF66A160000-0x00007FF66A4B4000-memory.dmp	UPX
behavioral2/files/0x0007000000023428-116.dat	UPX
behavioral2/files/0x000700000002342a-125.dat	UPX
behavioral2/files/0x0007000000023429-126.dat	UPX
behavioral2/memory/2512-127-0x00007FF622FA0000-0x00007FF6232F4000-memory.dmp	UPX
behavioral2/memory/4808-123-0x00007FF788C70000-0x00007FF788FC4000-memory.dmp	UPX
behavioral2/memory/2956-119-0x00007FF7B8DB0000-0x00007FF7B9104000-memory.dmp	UPX
behavioral2/memory/3104-110-0x00007FF7296A0000-0x00007FF7299F4000-memory.dmp	UPX
behavioral2/files/0x0007000000023427-108.dat	UPX
behavioral2/memory/3832-131-0x00007FF6D20D0000-0x00007FF6D2424000-memory.dmp	UPX
behavioral2/memory/2156-132-0x00007FF726D10000-0x00007FF727064000-memory.dmp	UPX
behavioral2/memory/4532-133-0x00007FF6BFC60000-0x00007FF6BFFB4000-memory.dmp	UPX
behavioral2/memory/756-134-0x00007FF734490000-0x00007FF7347E4000-memory.dmp	UPX
behavioral2/memory/3376-135-0x00007FF6756F0000-0x00007FF675A44000-memory.dmp	UPX
behavioral2/memory/3652-136-0x00007FF7980D0000-0x00007FF798424000-memory.dmp	UPX
behavioral2/memory/3300-137-0x00007FF7211F0000-0x00007FF721544000-memory.dmp	UPX
behavioral2/memory/3104-138-0x00007FF7296A0000-0x00007FF7299F4000-memory.dmp	UPX
behavioral2/memory/4808-139-0x00007FF788C70000-0x00007FF788FC4000-memory.dmp	UPX
behavioral2/memory/2512-140-0x00007FF622FA0000-0x00007FF6232F4000-memory.dmp	UPX
behavioral2/memory/3832-141-0x00007FF6D20D0000-0x00007FF6D2424000-memory.dmp	UPX
behavioral2/memory/456-142-0x00007FF6946A0000-0x00007FF6949F4000-memory.dmp	UPX
behavioral2/memory/1868-143-0x00007FF7BA650000-0x00007FF7BA9A4000-memory.dmp	UPX
behavioral2/memory/4416-144-0x00007FF64FB60000-0x00007FF64FEB4000-memory.dmp	UPX
behavioral2/memory/4860-145-0x00007FF7A0AC0000-0x00007FF7A0E14000-memory.dmp	UPX
behavioral2/memory/1532-146-0x00007FF60A3B0000-0x00007FF60A704000-memory.dmp	UPX
behavioral2/memory/60-147-0x00007FF7A57C0000-0x00007FF7A5B14000-memory.dmp	UPX
behavioral2/memory/2268-148-0x00007FF66A160000-0x00007FF66A4B4000-memory.dmp	UPX

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/3252-0-0x00007FF68E600000-0x00007FF68E954000-memory.dmp	xmrig
behavioral2/files/0x0005000000022f40-4.dat	xmrig
behavioral2/files/0x0007000000023417-9.dat	xmrig
behavioral2/memory/456-11-0x00007FF6946A0000-0x00007FF6949F4000-memory.dmp	xmrig
behavioral2/memory/1868-14-0x00007FF7BA650000-0x00007FF7BA9A4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023419-24.dat	xmrig
behavioral2/files/0x0007000000023418-28.dat	xmrig
behavioral2/memory/4416-22-0x00007FF64FB60000-0x00007FF64FEB4000-memory.dmp	xmrig
behavioral2/files/0x0008000000023413-12.dat	xmrig
behavioral2/memory/4860-31-0x00007FF7A0AC0000-0x00007FF7A0E14000-memory.dmp	xmrig
behavioral2/memory/1532-32-0x00007FF60A3B0000-0x00007FF60A704000-memory.dmp	xmrig
behavioral2/files/0x000700000002341a-36.dat	xmrig
behavioral2/files/0x0008000000023414-41.dat	xmrig
behavioral2/memory/2268-43-0x00007FF66A160000-0x00007FF66A4B4000-memory.dmp	xmrig
behavioral2/memory/60-38-0x00007FF7A57C0000-0x00007FF7A5B14000-memory.dmp	xmrig
behavioral2/files/0x000700000002341b-46.dat	xmrig
behavioral2/files/0x000700000002341d-53.dat	xmrig
behavioral2/memory/4300-50-0x00007FF7A37A0000-0x00007FF7A3AF4000-memory.dmp	xmrig
behavioral2/memory/3556-58-0x00007FF664C20000-0x00007FF664F74000-memory.dmp	xmrig
behavioral2/memory/2156-60-0x00007FF726D10000-0x00007FF727064000-memory.dmp	xmrig
behavioral2/files/0x000700000002341e-61.dat	xmrig
behavioral2/files/0x0007000000023420-65.dat	xmrig
behavioral2/memory/3252-67-0x00007FF68E600000-0x00007FF68E954000-memory.dmp	xmrig
behavioral2/files/0x0007000000023422-76.dat	xmrig
behavioral2/files/0x0007000000023421-77.dat	xmrig
behavioral2/files/0x0007000000023424-87.dat	xmrig
behavioral2/memory/620-88-0x00007FF7F0460000-0x00007FF7F07B4000-memory.dmp	xmrig
behavioral2/memory/4416-90-0x00007FF64FB60000-0x00007FF64FEB4000-memory.dmp	xmrig
behavioral2/memory/3652-92-0x00007FF7980D0000-0x00007FF798424000-memory.dmp	xmrig
behavioral2/files/0x0007000000023423-91.dat	xmrig
behavioral2/memory/3376-89-0x00007FF6756F0000-0x00007FF675A44000-memory.dmp	xmrig
behavioral2/memory/1868-82-0x00007FF7BA650000-0x00007FF7BA9A4000-memory.dmp	xmrig
behavioral2/memory/756-75-0x00007FF734490000-0x00007FF7347E4000-memory.dmp	xmrig
behavioral2/memory/4532-71-0x00007FF6BFC60000-0x00007FF6BFFB4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023425-98.dat	xmrig
behavioral2/memory/3300-102-0x00007FF7211F0000-0x00007FF721544000-memory.dmp	xmrig
behavioral2/files/0x0007000000023426-101.dat	xmrig
behavioral2/memory/2268-111-0x00007FF66A160000-0x00007FF66A4B4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023428-116.dat	xmrig
behavioral2/files/0x000700000002342a-125.dat	xmrig
behavioral2/files/0x0007000000023429-126.dat	xmrig
behavioral2/memory/2512-127-0x00007FF622FA0000-0x00007FF6232F4000-memory.dmp	xmrig
behavioral2/memory/4808-123-0x00007FF788C70000-0x00007FF788FC4000-memory.dmp	xmrig
behavioral2/memory/2956-119-0x00007FF7B8DB0000-0x00007FF7B9104000-memory.dmp	xmrig
behavioral2/memory/3104-110-0x00007FF7296A0000-0x00007FF7299F4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023427-108.dat	xmrig
behavioral2/memory/3832-131-0x00007FF6D20D0000-0x00007FF6D2424000-memory.dmp	xmrig
behavioral2/memory/2156-132-0x00007FF726D10000-0x00007FF727064000-memory.dmp	xmrig
behavioral2/memory/4532-133-0x00007FF6BFC60000-0x00007FF6BFFB4000-memory.dmp	xmrig
behavioral2/memory/756-134-0x00007FF734490000-0x00007FF7347E4000-memory.dmp	xmrig
behavioral2/memory/3376-135-0x00007FF6756F0000-0x00007FF675A44000-memory.dmp	xmrig
behavioral2/memory/3652-136-0x00007FF7980D0000-0x00007FF798424000-memory.dmp	xmrig
behavioral2/memory/3300-137-0x00007FF7211F0000-0x00007FF721544000-memory.dmp	xmrig
behavioral2/memory/3104-138-0x00007FF7296A0000-0x00007FF7299F4000-memory.dmp	xmrig
behavioral2/memory/4808-139-0x00007FF788C70000-0x00007FF788FC4000-memory.dmp	xmrig
behavioral2/memory/2512-140-0x00007FF622FA0000-0x00007FF6232F4000-memory.dmp	xmrig
behavioral2/memory/3832-141-0x00007FF6D20D0000-0x00007FF6D2424000-memory.dmp	xmrig
behavioral2/memory/456-142-0x00007FF6946A0000-0x00007FF6949F4000-memory.dmp	xmrig
behavioral2/memory/1868-143-0x00007FF7BA650000-0x00007FF7BA9A4000-memory.dmp	xmrig
behavioral2/memory/4416-144-0x00007FF64FB60000-0x00007FF64FEB4000-memory.dmp	xmrig
behavioral2/memory/4860-145-0x00007FF7A0AC0000-0x00007FF7A0E14000-memory.dmp	xmrig
behavioral2/memory/1532-146-0x00007FF60A3B0000-0x00007FF60A704000-memory.dmp	xmrig
behavioral2/memory/60-147-0x00007FF7A57C0000-0x00007FF7A5B14000-memory.dmp	xmrig
behavioral2/memory/2268-148-0x00007FF66A160000-0x00007FF66A4B4000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
456	LgFBwOH.exe
1868	mzcFpdW.exe
4416	VqUwOPm.exe
4860	naSugWV.exe
1532	UoymQvN.exe
60	AERFLpo.exe
2268	GAegadB.exe
4300	TjdQsfh.exe
3556	TZFwKts.exe
2156	AMHEBvB.exe
4532	ksiyeng.exe
756	mPOVKxd.exe
620	BQhdkHG.exe
3652	ZmcGoDL.exe
3376	ntzEHNA.exe
3300	xqmMMRL.exe
3104	kjtTqNe.exe
2956	XwnyyYC.exe
4808	evlfstM.exe
2512	SExPrfv.exe
3832	fanqKkp.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3252-0-0x00007FF68E600000-0x00007FF68E954000-memory.dmp	upx
behavioral2/files/0x0005000000022f40-4.dat	upx
behavioral2/files/0x0007000000023417-9.dat	upx
behavioral2/memory/456-11-0x00007FF6946A0000-0x00007FF6949F4000-memory.dmp	upx
behavioral2/memory/1868-14-0x00007FF7BA650000-0x00007FF7BA9A4000-memory.dmp	upx
behavioral2/files/0x0007000000023419-24.dat	upx
behavioral2/files/0x0007000000023418-28.dat	upx
behavioral2/memory/4416-22-0x00007FF64FB60000-0x00007FF64FEB4000-memory.dmp	upx
behavioral2/files/0x0008000000023413-12.dat	upx
behavioral2/memory/4860-31-0x00007FF7A0AC0000-0x00007FF7A0E14000-memory.dmp	upx
behavioral2/memory/1532-32-0x00007FF60A3B0000-0x00007FF60A704000-memory.dmp	upx
behavioral2/files/0x000700000002341a-36.dat	upx
behavioral2/files/0x0008000000023414-41.dat	upx
behavioral2/memory/2268-43-0x00007FF66A160000-0x00007FF66A4B4000-memory.dmp	upx
behavioral2/memory/60-38-0x00007FF7A57C0000-0x00007FF7A5B14000-memory.dmp	upx
behavioral2/files/0x000700000002341b-46.dat	upx
behavioral2/files/0x000700000002341d-53.dat	upx
behavioral2/memory/4300-50-0x00007FF7A37A0000-0x00007FF7A3AF4000-memory.dmp	upx
behavioral2/memory/3556-58-0x00007FF664C20000-0x00007FF664F74000-memory.dmp	upx
behavioral2/memory/2156-60-0x00007FF726D10000-0x00007FF727064000-memory.dmp	upx
behavioral2/files/0x000700000002341e-61.dat	upx
behavioral2/files/0x0007000000023420-65.dat	upx
behavioral2/memory/3252-67-0x00007FF68E600000-0x00007FF68E954000-memory.dmp	upx
behavioral2/files/0x0007000000023422-76.dat	upx
behavioral2/files/0x0007000000023421-77.dat	upx
behavioral2/files/0x0007000000023424-87.dat	upx
behavioral2/memory/620-88-0x00007FF7F0460000-0x00007FF7F07B4000-memory.dmp	upx
behavioral2/memory/4416-90-0x00007FF64FB60000-0x00007FF64FEB4000-memory.dmp	upx
behavioral2/memory/3652-92-0x00007FF7980D0000-0x00007FF798424000-memory.dmp	upx
behavioral2/files/0x0007000000023423-91.dat	upx
behavioral2/memory/3376-89-0x00007FF6756F0000-0x00007FF675A44000-memory.dmp	upx
behavioral2/memory/1868-82-0x00007FF7BA650000-0x00007FF7BA9A4000-memory.dmp	upx
behavioral2/memory/756-75-0x00007FF734490000-0x00007FF7347E4000-memory.dmp	upx
behavioral2/memory/4532-71-0x00007FF6BFC60000-0x00007FF6BFFB4000-memory.dmp	upx
behavioral2/files/0x0007000000023425-98.dat	upx
behavioral2/memory/3300-102-0x00007FF7211F0000-0x00007FF721544000-memory.dmp	upx
behavioral2/files/0x0007000000023426-101.dat	upx
behavioral2/memory/2268-111-0x00007FF66A160000-0x00007FF66A4B4000-memory.dmp	upx
behavioral2/files/0x0007000000023428-116.dat	upx
behavioral2/files/0x000700000002342a-125.dat	upx
behavioral2/files/0x0007000000023429-126.dat	upx
behavioral2/memory/2512-127-0x00007FF622FA0000-0x00007FF6232F4000-memory.dmp	upx
behavioral2/memory/4808-123-0x00007FF788C70000-0x00007FF788FC4000-memory.dmp	upx
behavioral2/memory/2956-119-0x00007FF7B8DB0000-0x00007FF7B9104000-memory.dmp	upx
behavioral2/memory/3104-110-0x00007FF7296A0000-0x00007FF7299F4000-memory.dmp	upx
behavioral2/files/0x0007000000023427-108.dat	upx
behavioral2/memory/3832-131-0x00007FF6D20D0000-0x00007FF6D2424000-memory.dmp	upx
behavioral2/memory/2156-132-0x00007FF726D10000-0x00007FF727064000-memory.dmp	upx
behavioral2/memory/4532-133-0x00007FF6BFC60000-0x00007FF6BFFB4000-memory.dmp	upx
behavioral2/memory/756-134-0x00007FF734490000-0x00007FF7347E4000-memory.dmp	upx
behavioral2/memory/3376-135-0x00007FF6756F0000-0x00007FF675A44000-memory.dmp	upx
behavioral2/memory/3652-136-0x00007FF7980D0000-0x00007FF798424000-memory.dmp	upx
behavioral2/memory/3300-137-0x00007FF7211F0000-0x00007FF721544000-memory.dmp	upx
behavioral2/memory/3104-138-0x00007FF7296A0000-0x00007FF7299F4000-memory.dmp	upx
behavioral2/memory/4808-139-0x00007FF788C70000-0x00007FF788FC4000-memory.dmp	upx
behavioral2/memory/2512-140-0x00007FF622FA0000-0x00007FF6232F4000-memory.dmp	upx
behavioral2/memory/3832-141-0x00007FF6D20D0000-0x00007FF6D2424000-memory.dmp	upx
behavioral2/memory/456-142-0x00007FF6946A0000-0x00007FF6949F4000-memory.dmp	upx
behavioral2/memory/1868-143-0x00007FF7BA650000-0x00007FF7BA9A4000-memory.dmp	upx
behavioral2/memory/4416-144-0x00007FF64FB60000-0x00007FF64FEB4000-memory.dmp	upx
behavioral2/memory/4860-145-0x00007FF7A0AC0000-0x00007FF7A0E14000-memory.dmp	upx
behavioral2/memory/1532-146-0x00007FF60A3B0000-0x00007FF60A704000-memory.dmp	upx
behavioral2/memory/60-147-0x00007FF7A57C0000-0x00007FF7A5B14000-memory.dmp	upx
behavioral2/memory/2268-148-0x00007FF66A160000-0x00007FF66A4B4000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\ksiyeng.exe	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ZmcGoDL.exe	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\VqUwOPm.exe	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\naSugWV.exe	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\AERFLpo.exe	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\AMHEBvB.exe	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\mPOVKxd.exe	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ntzEHNA.exe	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\SExPrfv.exe	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\LgFBwOH.exe	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\GAegadB.exe	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\TZFwKts.exe	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\BQhdkHG.exe	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\xqmMMRL.exe	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\kjtTqNe.exe	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\XwnyyYC.exe	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\fanqKkp.exe	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\mzcFpdW.exe	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\UoymQvN.exe	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\TjdQsfh.exe	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\evlfstM.exe	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	3252	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	3252	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 3252 wrote to memory of 456	3252	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe	82
PID 3252 wrote to memory of 456	3252	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe	82
PID 3252 wrote to memory of 1868	3252	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe	83
PID 3252 wrote to memory of 1868	3252	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe	83
PID 3252 wrote to memory of 4416	3252	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe	84
PID 3252 wrote to memory of 4416	3252	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe	84
PID 3252 wrote to memory of 1532	3252	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe	85
PID 3252 wrote to memory of 1532	3252	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe	85
PID 3252 wrote to memory of 4860	3252	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe	86
PID 3252 wrote to memory of 4860	3252	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe	86
PID 3252 wrote to memory of 60	3252	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe	87
PID 3252 wrote to memory of 60	3252	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe	87
PID 3252 wrote to memory of 2268	3252	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe	88
PID 3252 wrote to memory of 2268	3252	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe	88
PID 3252 wrote to memory of 4300	3252	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe	89
PID 3252 wrote to memory of 4300	3252	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe	89
PID 3252 wrote to memory of 3556	3252	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe	90
PID 3252 wrote to memory of 3556	3252	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe	90
PID 3252 wrote to memory of 2156	3252	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe	91
PID 3252 wrote to memory of 2156	3252	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe	91
PID 3252 wrote to memory of 4532	3252	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe	92
PID 3252 wrote to memory of 4532	3252	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe	92
PID 3252 wrote to memory of 756	3252	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe	93
PID 3252 wrote to memory of 756	3252	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe	93
PID 3252 wrote to memory of 620	3252	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe	94
PID 3252 wrote to memory of 620	3252	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe	94
PID 3252 wrote to memory of 3652	3252	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe	95
PID 3252 wrote to memory of 3652	3252	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe	95
PID 3252 wrote to memory of 3376	3252	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe	96
PID 3252 wrote to memory of 3376	3252	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe	96
PID 3252 wrote to memory of 3300	3252	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe	97
PID 3252 wrote to memory of 3300	3252	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe	97
PID 3252 wrote to memory of 3104	3252	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe	98
PID 3252 wrote to memory of 3104	3252	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe	98
PID 3252 wrote to memory of 2956	3252	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe	99
PID 3252 wrote to memory of 2956	3252	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe	99
PID 3252 wrote to memory of 4808	3252	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe	100
PID 3252 wrote to memory of 4808	3252	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe	100
PID 3252 wrote to memory of 2512	3252	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe	101
PID 3252 wrote to memory of 2512	3252	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe	101
PID 3252 wrote to memory of 3832	3252	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe	102
PID 3252 wrote to memory of 3832	3252	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe	102

C:\Users\Admin\AppData\Local\Temp\2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3252
- C:\Windows\System\LgFBwOH.exe
  C:\Windows\System\LgFBwOH.exe
  2⤵
  - Executes dropped EXE
  PID:456
- C:\Windows\System\mzcFpdW.exe
  C:\Windows\System\mzcFpdW.exe
  2⤵
  - Executes dropped EXE
  PID:1868
- C:\Windows\System\VqUwOPm.exe
  C:\Windows\System\VqUwOPm.exe
  2⤵
  - Executes dropped EXE
  PID:4416
- C:\Windows\System\UoymQvN.exe
  C:\Windows\System\UoymQvN.exe
  2⤵
  - Executes dropped EXE
  PID:1532
- C:\Windows\System\naSugWV.exe
  C:\Windows\System\naSugWV.exe
  2⤵
  - Executes dropped EXE
  PID:4860
- C:\Windows\System\AERFLpo.exe
  C:\Windows\System\AERFLpo.exe
  2⤵
  - Executes dropped EXE
  PID:60
- C:\Windows\System\GAegadB.exe
  C:\Windows\System\GAegadB.exe
  2⤵
  - Executes dropped EXE
  PID:2268
- C:\Windows\System\TjdQsfh.exe
  C:\Windows\System\TjdQsfh.exe
  2⤵
  - Executes dropped EXE
  PID:4300
- C:\Windows\System\TZFwKts.exe
  C:\Windows\System\TZFwKts.exe
  2⤵
  - Executes dropped EXE
  PID:3556
- C:\Windows\System\AMHEBvB.exe
  C:\Windows\System\AMHEBvB.exe
  2⤵
  - Executes dropped EXE
  PID:2156
- C:\Windows\System\ksiyeng.exe
  C:\Windows\System\ksiyeng.exe
  2⤵
  - Executes dropped EXE
  PID:4532
- C:\Windows\System\mPOVKxd.exe
  C:\Windows\System\mPOVKxd.exe
  2⤵
  - Executes dropped EXE
  PID:756
- C:\Windows\System\BQhdkHG.exe
  C:\Windows\System\BQhdkHG.exe
  2⤵
  - Executes dropped EXE
  PID:620
- C:\Windows\System\ZmcGoDL.exe
  C:\Windows\System\ZmcGoDL.exe
  2⤵
  - Executes dropped EXE
  PID:3652
- C:\Windows\System\ntzEHNA.exe
  C:\Windows\System\ntzEHNA.exe
  2⤵
  - Executes dropped EXE
  PID:3376
- C:\Windows\System\xqmMMRL.exe
  C:\Windows\System\xqmMMRL.exe
  2⤵
  - Executes dropped EXE
  PID:3300
- C:\Windows\System\kjtTqNe.exe
  C:\Windows\System\kjtTqNe.exe
  2⤵
  - Executes dropped EXE
  PID:3104
- C:\Windows\System\XwnyyYC.exe
  C:\Windows\System\XwnyyYC.exe
  2⤵
  - Executes dropped EXE
  PID:2956
- C:\Windows\System\evlfstM.exe
  C:\Windows\System\evlfstM.exe
  2⤵
  - Executes dropped EXE
  PID:4808
- C:\Windows\System\SExPrfv.exe
  C:\Windows\System\SExPrfv.exe
  2⤵
  - Executes dropped EXE
  PID:2512
- C:\Windows\System\fanqKkp.exe
  C:\Windows\System\fanqKkp.exe
  2⤵
  - Executes dropped EXE
  PID:3832

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AERFLpo.exe

Filesize
5.9MB

MD5
b573acf69a45499a8379e4deb57ec037

SHA1
d641071785d39ca2e855aa8b360308f0450b3a07

SHA256
18cdb689173925e335ae7318b4043f914cbbc6b6119f4bb755f38b73ddd45184

SHA512
a67eeb124831613607ef52026fd8a703fd2efc012319f362a21ceb871e2f50cdce210e1aed4b7b4345c7ae61828e94ef54b89ee56c20ea43363bf54a6a9e7d38

Download Submit
C:\Windows\System\AMHEBvB.exe

Filesize
5.9MB

MD5
91b9a04f20633ee4c670a65cac351210

SHA1
56bf1d01e829f72a0a4e725799b2144795ebc92f

SHA256
c8e97f4445e174eb45255344e71aa7c6353bb843e1839091dfe03f5026925ae3

SHA512
5ba38c2b8ba1f734ed8762b75f2ca0bde7cfdb78863195a277d809abc21725935f460c1f7cc450aff90b4457c759664bfeb53c5e0231990e69aafc2319990db1

Download Submit
C:\Windows\System\BQhdkHG.exe

Filesize
5.9MB

MD5
7d6e4eb156d4c071150d3d4063c3f453

SHA1
52f1ceb6932217820eca479d9ccdc2b60c8f0a1e

SHA256
0c27c20bcbb01bfc2ff90c07494e0b5b640afb6624353f55bdfa2d01a091a563

SHA512
8f9261747914f091201ffed4b868fb51a242734e7f306896253e5423b97b27881af1b13eca611a2c050ebd7e42a09a0ee854785ae73b15c964c500e77cbd7297

Download Submit
C:\Windows\System\GAegadB.exe

Filesize
5.9MB

MD5
d14005388976391c503c8c52a42f90df

SHA1
cf482d30ed0b52fcf342d15c5d83d6fb0ef6d780

SHA256
e1f56d5e2241abbc6e22f9d069b614ce4a9a5549cf9891c7d44de4be45c842cd

SHA512
7b5f3df11bb6d9d40380ce17810c7e99cea35410eedeeceabdd1b9cfcf5e6af0a53a84e66452299e3f8526dc624fb1215f4036a4ecba8eef7f14946b3d73b16b

Download Submit
C:\Windows\System\LgFBwOH.exe

Filesize
5.9MB

MD5
b968938180e4ebc4e41be39f1fb6020a

SHA1
52ea593f81b1fffb9fbe548056c8adaad539a690

SHA256
47ba80abe416e03fb319fdbbfb0167d8d87b5de17cd18ea7d1781ec0e9d6b3a9

SHA512
5ae5405977c066ee97074ddc05bfd12da2ab7f6a22cd9c7dd3d8b686ee78dffae1dd64113fdef4a67a6d02388e294022c04262b37a00028f1afa4cd8296838df

Download Submit
C:\Windows\System\SExPrfv.exe

Filesize
5.9MB

MD5
10bcc8dc12684bd1a165d6178db521b3

SHA1
0168eabdbeb4c06fe81bc258a53f734f68aaf152

SHA256
17e9f683c299b79fe8827faa9c3938579d5e440416139a150ed77e23c4b98913

SHA512
30b97eaefe3e76c2750825f800af6c35720f1ef705988e5b56ae2e44274d9f73cc90c02301fb8f333b1a41726c2dd1c7858b9b17c55da7d79f9ae8cb648929f8

Download Submit
C:\Windows\System\TZFwKts.exe

Filesize
5.9MB

MD5
621a7287fd519834f1d6e37477b6c247

SHA1
dd7f71f9dc7f718059f8bad8dc7ebe394746c2e1

SHA256
f6b4bf0c0a0510ae88e641f145ae579bb03554d5dc6d3d99d8082a49a6c28dbc

SHA512
4e5fb2514cb84d12f52d010e2a2c4204c67fcc10288a812d84bdc8bd5164fa4a751bec40bcaafc7369b79f4ef381c07d1b46562eff78dd73ac6f2fb99bf71b17

Download Submit
C:\Windows\System\TjdQsfh.exe

Filesize
5.9MB

MD5
0b66f03c0c9cd71bb04edf666b5a4949

SHA1
caf0adceae3a3b42e50f997af79343ef86ce9482

SHA256
ccd83fd17970bb9a2e4a9f55724e2897b14399c613ee99595a3c85abef5df239

SHA512
f93f80a84db32425f8126a415e9d49147c2cbeeca48de83b36d6ed44f974a28f57a450b65b98f538820414253fe85a2d7d6fb99c3ee31c527808c94509d4baf0

Download Submit
C:\Windows\System\UoymQvN.exe

Filesize
5.9MB

MD5
9be2758d30ef4aa7fb8a0d128aba339c

SHA1
e7b173d0af5253767e72ead1a85ece01c7dd2fc0

SHA256
49866a819f5f81c338cfb9af9b3783983b07f56688d3109084b02b3bfc732b79

SHA512
1681ca78a734d6297bf4bc0a85f825c26a1e9e197064b57c0208ab6fcacbc3adf0503c2118d3cf6eb5de0f06a31de449c1eae1f4f561a0285cbe820d33ade6ce

Download Submit
C:\Windows\System\VqUwOPm.exe

Filesize
5.9MB

MD5
3f1f192e1417471cac7546a48e991b1a

SHA1
b506c250ed9ebf486cc29e90ac1f600488472d46

SHA256
ee10fe7fe56e3269a14b2b8affacd42555099681226a08fd69d63449359e1b74

SHA512
3277f00386613936cc54b739f7e85ec670d036b30f90d68af02177b1544a67b135eca1d03bdaae4ff1e656b090b42aa8bbe5e6cf8a1fb6f6f311f89a42856322

Download Submit
C:\Windows\System\XwnyyYC.exe

Filesize
5.9MB

MD5
86ea736bbac5b94a6b89928302cf63fe

SHA1
6dec4147b34e6b3dc3810b4b1be559b4064e6759

SHA256
bb7f09b87ffce66d5a36eb0d9d31e2836775fe03697d70a06301157cf9a83fe8

SHA512
962019364df226c0c1165bd7da0ff39f3ac9523babeabea956f415f789e26f2466d1a078db4c5a1403eb7fa98a7f69bb91a9b6d2d73bf6e669c31357e9fbc975

Download Submit
C:\Windows\System\ZmcGoDL.exe

Filesize
5.9MB

MD5
15599a7c588016f3c3c5c216ba6473bd

SHA1
bd918291d2efa0342ef49376b573dd17fd6ca23c

SHA256
c73e42dba6660fede21f50171bdb6c5e4992adda4c59b5a8078e87371100e402

SHA512
e3b8c8e89293b1d4abff8021b045cd62b0e8081d6daaad5dde98b1a7a729b0e40a07514895089f4fb6eff9b9c60c42e44d073636cfaf59fcff8646127c10ac90

Download Submit
C:\Windows\System\evlfstM.exe

Filesize
5.9MB

MD5
e8383123a961e7bd9d9e7d56308ab828

SHA1
e2cae326d6720de9cc5e81cb5891a1d371627ac4

SHA256
a4f32d01a02a8595a31eb502acf8572c11b291205dd5a3dfb89ebcfcbf831c01

SHA512
ce004f30458a4b4276a96938007fad570a29a6f5e50e53cb7f1a1c0b35a1bbd73dbf279d6fdaaf9a6c95d9057603050afc084ccd659b50b6370b034f1e1195b4

Download Submit
C:\Windows\System\fanqKkp.exe

Filesize
5.9MB

MD5
1784ee0e64694181a366ad77cf299d65

SHA1
f804aa2130ca32e2b3e559b0e211020cfba38581

SHA256
5e9dc211116ffebb4bc0388bb460237342a5b3e2503a5d672e08f8cdc63b5ae7

SHA512
d92c807dfb5a4ca09f3e50d57fd9d8476baad96a7f3c1a808fafdfad9711d898f0b4907af0080493c5d5882c0779bf718ea6e37d28e9833fd6dbf5c01bbab0be

Download Submit
C:\Windows\System\kjtTqNe.exe

Filesize
5.9MB

MD5
e93c4af7de5212cf2a93b8c9e480b8d2

SHA1
a8394c06903e64456a313a93c5f81ae5ef83dfb8

SHA256
f295f708f259c5cb292976ffceadbd8d47bdbd63fb005d15dd5ab8b09b273bb8

SHA512
687f0e8af82212c1e8d91a759fb99cb26f1d019a3090656f76a2def0a064ea7f71078b054484e783f3b824f71b04ed944fefc46171275d44ec6c807a8a1be5cc

Download Submit
C:\Windows\System\ksiyeng.exe

Filesize
5.9MB

MD5
c69afba8c9aa5c6aed8efc415bf26afa

SHA1
e7ccd981edff87346ce12688cd1762599376c892

SHA256
862d7bcde835aa4792c5bcc5ebf526cb5863c238f4dbc7a91d28910e36306b93

SHA512
b1b82f2cf9c294f2c586f6eac5b59905259a470e2b932961f866790c48ecbbed87dc9a64efea07aa30bfc9299bf6b280100ff3a27a2f08ae5866c51070e4c77b

Download Submit
C:\Windows\System\mPOVKxd.exe

Filesize
5.9MB

MD5
fd9adf25237d0035eabca354ff33215b

SHA1
d9e7171b91c9104e6e3e1b9e5534637273748de3

SHA256
88ce04b810f8f20144cd9d08e8e0d2c59f9a485f22633701c60f79920c6bc33d

SHA512
2ee69ec774886d752e8ef6775e7944be0c40759cba2fdb0d64ae5e8e96bfd47683ee6399fd9353d629ad9c1a91490dee1d2cc0a1b9fcda4f5da6b14031a3b6d7

Download Submit
C:\Windows\System\mzcFpdW.exe

Filesize
5.9MB

MD5
5930ed2e08642e8436594b6b17d599a6

SHA1
a62354a1521a305cd083fe3ea7f4c2aaec41a946

SHA256
ddf8c4e9822a5e8ab726dccff10fcf111169c830ab3533ba1388cca460105920

SHA512
673c984286007cf9ed15aa158e2a4eba182c3eef02196ce040c8136d54f240d8d6c7ce829ab1c14914f3a0c455026e6f68ca60752edb017bed70f612a47615d6

Download Submit
C:\Windows\System\naSugWV.exe

Filesize
5.9MB

MD5
c24fc6f559172ed417c4c2aafb13d56c

SHA1
d7ee820f35a6e3c76edbbe7486c0b00b24841870

SHA256
72dcca7ff50612cff0508ebfba2910fd06a5c1ab260b116ae45cef60a5002d7b

SHA512
9945efd9b41b347411c61429d741f1da282bddd2aee4bb66e09585d6ed0dae9f4643bb3b8f76179ff13be02c190eb5524b758d1e047fce3e45b3c26e56412cc8

Download Submit
C:\Windows\System\ntzEHNA.exe

Filesize
5.9MB

MD5
148c12a5a831fba5d35d0ef1a242d93b

SHA1
23522201d4fbeaccd76134c2e6e807883cd7aaa7

SHA256
346f83e0cea24a4af29fa3aa9c80767c02d109dfa71f16b57b8b594d3002d08c

SHA512
9b4e99241bd585c2aedd130c1f0cbdef2b54e835a3bea9cb51dfbd651fa02faed9eb7146f8fc5c4850a1c8528787ab2d3e9a77cc2b9e6795f68f776d19d25bff

Download Submit
C:\Windows\System\xqmMMRL.exe

Filesize
5.9MB

MD5
2cfe9832a04c4f26659acb0a3a3371e5

SHA1
c04f5c80c4c5a6ae4e96694b0450bbb30c439333

SHA256
d62add31b9462c5e816f57eb17baf6ed9ec30fd62b979d6073a64a9788c0275e

SHA512
c4bbb1f015e07298d4a03731dfc1c985ccb2d24be90b126f8e055f9b41bd1ed28a6483f2f6e75051ab9d0e8e1c24c0764f4324d9ae6088e72d072f48b99ac2e6

Download Submit
memory/60-147-0x00007FF7A57C0000-0x00007FF7A5B14000-memory.dmp

Filesize
3.3MB

Download
memory/60-38-0x00007FF7A57C0000-0x00007FF7A5B14000-memory.dmp

Filesize
3.3MB

Download
memory/456-11-0x00007FF6946A0000-0x00007FF6949F4000-memory.dmp

Filesize
3.3MB

Download
memory/456-142-0x00007FF6946A0000-0x00007FF6949F4000-memory.dmp

Filesize
3.3MB

Download
memory/620-88-0x00007FF7F0460000-0x00007FF7F07B4000-memory.dmp

Filesize
3.3MB

Download
memory/620-154-0x00007FF7F0460000-0x00007FF7F07B4000-memory.dmp

Filesize
3.3MB

Download
memory/756-153-0x00007FF734490000-0x00007FF7347E4000-memory.dmp

Filesize
3.3MB

Download
memory/756-134-0x00007FF734490000-0x00007FF7347E4000-memory.dmp

Filesize
3.3MB

Download
memory/756-75-0x00007FF734490000-0x00007FF7347E4000-memory.dmp

Filesize
3.3MB

Download
memory/1532-146-0x00007FF60A3B0000-0x00007FF60A704000-memory.dmp

Filesize
3.3MB

Download
memory/1532-32-0x00007FF60A3B0000-0x00007FF60A704000-memory.dmp

Filesize
3.3MB

Download
memory/1868-143-0x00007FF7BA650000-0x00007FF7BA9A4000-memory.dmp

Filesize
3.3MB

Download
memory/1868-82-0x00007FF7BA650000-0x00007FF7BA9A4000-memory.dmp

Filesize
3.3MB

Download
memory/1868-14-0x00007FF7BA650000-0x00007FF7BA9A4000-memory.dmp

Filesize
3.3MB

Download
memory/2156-151-0x00007FF726D10000-0x00007FF727064000-memory.dmp

Filesize
3.3MB

Download
memory/2156-132-0x00007FF726D10000-0x00007FF727064000-memory.dmp

Filesize
3.3MB

Download
memory/2156-60-0x00007FF726D10000-0x00007FF727064000-memory.dmp

Filesize
3.3MB

Download
memory/2268-111-0x00007FF66A160000-0x00007FF66A4B4000-memory.dmp

Filesize
3.3MB

Download
memory/2268-148-0x00007FF66A160000-0x00007FF66A4B4000-memory.dmp

Filesize
3.3MB

Download
memory/2268-43-0x00007FF66A160000-0x00007FF66A4B4000-memory.dmp

Filesize
3.3MB

Download
memory/2512-140-0x00007FF622FA0000-0x00007FF6232F4000-memory.dmp

Filesize
3.3MB

Download
memory/2512-127-0x00007FF622FA0000-0x00007FF6232F4000-memory.dmp

Filesize
3.3MB

Download
memory/2512-162-0x00007FF622FA0000-0x00007FF6232F4000-memory.dmp

Filesize
3.3MB

Download
memory/2956-119-0x00007FF7B8DB0000-0x00007FF7B9104000-memory.dmp

Filesize
3.3MB

Download
memory/2956-158-0x00007FF7B8DB0000-0x00007FF7B9104000-memory.dmp

Filesize
3.3MB

Download
memory/3104-160-0x00007FF7296A0000-0x00007FF7299F4000-memory.dmp

Filesize
3.3MB

Download
memory/3104-110-0x00007FF7296A0000-0x00007FF7299F4000-memory.dmp

Filesize
3.3MB

Download
memory/3104-138-0x00007FF7296A0000-0x00007FF7299F4000-memory.dmp

Filesize
3.3MB

Download
memory/3252-67-0x00007FF68E600000-0x00007FF68E954000-memory.dmp

Filesize
3.3MB

Download
memory/3252-1-0x0000021FC46C0000-0x0000021FC46D0000-memory.dmp

Filesize
64KB

Download
memory/3252-0-0x00007FF68E600000-0x00007FF68E954000-memory.dmp

Filesize
3.3MB

Download
memory/3300-137-0x00007FF7211F0000-0x00007FF721544000-memory.dmp

Filesize
3.3MB

Download
memory/3300-102-0x00007FF7211F0000-0x00007FF721544000-memory.dmp

Filesize
3.3MB

Download
memory/3300-157-0x00007FF7211F0000-0x00007FF721544000-memory.dmp

Filesize
3.3MB

Download
memory/3376-135-0x00007FF6756F0000-0x00007FF675A44000-memory.dmp

Filesize
3.3MB

Download
memory/3376-155-0x00007FF6756F0000-0x00007FF675A44000-memory.dmp

Filesize
3.3MB

Download
memory/3376-89-0x00007FF6756F0000-0x00007FF675A44000-memory.dmp

Filesize
3.3MB

Download
memory/3556-150-0x00007FF664C20000-0x00007FF664F74000-memory.dmp

Filesize
3.3MB

Download
memory/3556-58-0x00007FF664C20000-0x00007FF664F74000-memory.dmp

Filesize
3.3MB

Download
memory/3652-92-0x00007FF7980D0000-0x00007FF798424000-memory.dmp

Filesize
3.3MB

Download
memory/3652-156-0x00007FF7980D0000-0x00007FF798424000-memory.dmp

Filesize
3.3MB

Download
memory/3652-136-0x00007FF7980D0000-0x00007FF798424000-memory.dmp

Filesize
3.3MB

Download
memory/3832-141-0x00007FF6D20D0000-0x00007FF6D2424000-memory.dmp

Filesize
3.3MB

Download
memory/3832-131-0x00007FF6D20D0000-0x00007FF6D2424000-memory.dmp

Filesize
3.3MB

Download
memory/3832-161-0x00007FF6D20D0000-0x00007FF6D2424000-memory.dmp

Filesize
3.3MB

Download
memory/4300-50-0x00007FF7A37A0000-0x00007FF7A3AF4000-memory.dmp

Filesize
3.3MB

Download
memory/4300-149-0x00007FF7A37A0000-0x00007FF7A3AF4000-memory.dmp

Filesize
3.3MB

Download
memory/4416-144-0x00007FF64FB60000-0x00007FF64FEB4000-memory.dmp

Filesize
3.3MB

Download
memory/4416-22-0x00007FF64FB60000-0x00007FF64FEB4000-memory.dmp

Filesize
3.3MB

Download
memory/4416-90-0x00007FF64FB60000-0x00007FF64FEB4000-memory.dmp

Filesize
3.3MB

Download
memory/4532-152-0x00007FF6BFC60000-0x00007FF6BFFB4000-memory.dmp

Filesize
3.3MB

Download
memory/4532-133-0x00007FF6BFC60000-0x00007FF6BFFB4000-memory.dmp

Filesize
3.3MB

Download
memory/4532-71-0x00007FF6BFC60000-0x00007FF6BFFB4000-memory.dmp

Filesize
3.3MB

Download
memory/4808-139-0x00007FF788C70000-0x00007FF788FC4000-memory.dmp

Filesize
3.3MB

Download
memory/4808-159-0x00007FF788C70000-0x00007FF788FC4000-memory.dmp

Filesize
3.3MB

Download
memory/4808-123-0x00007FF788C70000-0x00007FF788FC4000-memory.dmp

Filesize
3.3MB

Download
memory/4860-31-0x00007FF7A0AC0000-0x00007FF7A0E14000-memory.dmp

Filesize
3.3MB

Download
memory/4860-145-0x00007FF7A0AC0000-0x00007FF7A0E14000-memory.dmp

Filesize
3.3MB

Download