cobaltstrike | 22b3b0bfee8fb20c4d66b5f889b72b1ea4ab3d475ec1115ecb5b16dd472fd315

Analysis

max time kernel
138s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
12/06/2024, 18:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-12_56d8a404a340854d9b49c1b2a36a3905_cobalt-strike_cobaltstrike.exe
Size

5.9MB
MD5

56d8a404a340854d9b49c1b2a36a3905
SHA1

b525f3cda9bc3ef3bf3329e9cd5b68c3bafcbcc2
SHA256

22b3b0bfee8fb20c4d66b5f889b72b1ea4ab3d475ec1115ecb5b16dd472fd315
SHA512

0bfcdc06413b66ddbb9c713e79bb3edf6769240182249289d793ff5f2fce79084a4f2e3c8b18b885b5713bc86c43c658e45563d5305667f33260df4731e8b58d
SSDEEP

98304:oemTLkNdfE0pZrt56utgpPFotBER/mQ32lUc:T+856utgpPF8u/7c

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x00080000000233e9-5.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233ee-17.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233ed-15.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233ef-23.dat	cobalt_reflective_dll
behavioral2/files/0x00080000000233ea-28.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233f0-39.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233f3-46.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233f4-56.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233f7-70.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233f6-75.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233f5-72.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233f1-51.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233f2-44.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233f8-83.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233f9-89.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233fb-101.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233fa-99.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233fd-115.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233ff-120.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233fe-121.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000233fc-110.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

resource	yara_rule
behavioral2/files/0x00080000000233e9-5.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233ee-17.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233ed-15.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233ef-23.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00080000000233ea-28.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233f0-39.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233f3-46.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233f4-56.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233f7-70.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233f6-75.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233f5-72.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233f1-51.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233f2-44.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233f8-83.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233f9-89.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233fb-101.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233fa-99.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233fd-115.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233ff-120.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233fe-121.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000233fc-110.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

resource	yara_rule
behavioral2/memory/4308-0-0x00007FF7D41B0000-0x00007FF7D4504000-memory.dmp	UPX
behavioral2/files/0x00080000000233e9-5.dat	UPX
behavioral2/memory/2360-12-0x00007FF71D820000-0x00007FF71DB74000-memory.dmp	UPX
behavioral2/files/0x00070000000233ee-17.dat	UPX
behavioral2/memory/5032-20-0x00007FF7F50B0000-0x00007FF7F5404000-memory.dmp	UPX
behavioral2/files/0x00070000000233ed-15.dat	UPX
behavioral2/memory/4596-11-0x00007FF6B0BE0000-0x00007FF6B0F34000-memory.dmp	UPX
behavioral2/files/0x00070000000233ef-23.dat	UPX
behavioral2/memory/3728-24-0x00007FF648CB0000-0x00007FF649004000-memory.dmp	UPX
behavioral2/files/0x00080000000233ea-28.dat	UPX
behavioral2/memory/2416-34-0x00007FF78F7A0000-0x00007FF78FAF4000-memory.dmp	UPX
behavioral2/files/0x00070000000233f0-39.dat	UPX
behavioral2/files/0x00070000000233f3-46.dat	UPX
behavioral2/files/0x00070000000233f4-56.dat	UPX
behavioral2/files/0x00070000000233f7-70.dat	UPX
behavioral2/memory/3392-74-0x00007FF79FDD0000-0x00007FF7A0124000-memory.dmp	UPX
behavioral2/memory/3828-79-0x00007FF760B00000-0x00007FF760E54000-memory.dmp	UPX
behavioral2/files/0x00070000000233f6-75.dat	UPX
behavioral2/files/0x00070000000233f5-72.dat	UPX
behavioral2/memory/4056-71-0x00007FF6387F0000-0x00007FF638B44000-memory.dmp	UPX
behavioral2/memory/3536-64-0x00007FF657CD0000-0x00007FF658024000-memory.dmp	UPX
behavioral2/memory/1860-63-0x00007FF63A130000-0x00007FF63A484000-memory.dmp	UPX
behavioral2/memory/928-57-0x00007FF766D60000-0x00007FF7670B4000-memory.dmp	UPX
behavioral2/memory/3612-50-0x00007FF704500000-0x00007FF704854000-memory.dmp	UPX
behavioral2/files/0x00070000000233f1-51.dat	UPX
behavioral2/files/0x00070000000233f2-44.dat	UPX
behavioral2/memory/60-41-0x00007FF613290000-0x00007FF6135E4000-memory.dmp	UPX
behavioral2/files/0x00070000000233f8-83.dat	UPX
behavioral2/files/0x00070000000233f9-89.dat	UPX
behavioral2/memory/4308-95-0x00007FF7D41B0000-0x00007FF7D4504000-memory.dmp	UPX
behavioral2/files/0x00070000000233fb-101.dat	UPX
behavioral2/files/0x00070000000233fa-99.dat	UPX
behavioral2/memory/1112-103-0x00007FF7FD580000-0x00007FF7FD8D4000-memory.dmp	UPX
behavioral2/files/0x00070000000233fd-115.dat	UPX
behavioral2/files/0x00070000000233ff-120.dat	UPX
behavioral2/files/0x00070000000233fe-121.dat	UPX
behavioral2/memory/5004-113-0x00007FF610740000-0x00007FF610A94000-memory.dmp	UPX
behavioral2/files/0x00070000000233fc-110.dat	UPX
behavioral2/memory/4860-98-0x00007FF6B60D0000-0x00007FF6B6424000-memory.dmp	UPX
behavioral2/memory/4568-87-0x00007FF6FA3D0000-0x00007FF6FA724000-memory.dmp	UPX
behavioral2/memory/3400-127-0x00007FF6D4E70000-0x00007FF6D51C4000-memory.dmp	UPX
behavioral2/memory/1764-126-0x00007FF719E40000-0x00007FF71A194000-memory.dmp	UPX
behavioral2/memory/2360-128-0x00007FF71D820000-0x00007FF71DB74000-memory.dmp	UPX
behavioral2/memory/4420-129-0x00007FF77E840000-0x00007FF77EB94000-memory.dmp	UPX
behavioral2/memory/3204-125-0x00007FF7136F0000-0x00007FF713A44000-memory.dmp	UPX
behavioral2/memory/3728-130-0x00007FF648CB0000-0x00007FF649004000-memory.dmp	UPX
behavioral2/memory/928-131-0x00007FF766D60000-0x00007FF7670B4000-memory.dmp	UPX
behavioral2/memory/60-132-0x00007FF613290000-0x00007FF6135E4000-memory.dmp	UPX
behavioral2/memory/3612-133-0x00007FF704500000-0x00007FF704854000-memory.dmp	UPX
behavioral2/memory/3536-134-0x00007FF657CD0000-0x00007FF658024000-memory.dmp	UPX
behavioral2/memory/4056-135-0x00007FF6387F0000-0x00007FF638B44000-memory.dmp	UPX
behavioral2/memory/3392-136-0x00007FF79FDD0000-0x00007FF7A0124000-memory.dmp	UPX
behavioral2/memory/3828-137-0x00007FF760B00000-0x00007FF760E54000-memory.dmp	UPX
behavioral2/memory/4568-138-0x00007FF6FA3D0000-0x00007FF6FA724000-memory.dmp	UPX
behavioral2/memory/4596-139-0x00007FF6B0BE0000-0x00007FF6B0F34000-memory.dmp	UPX
behavioral2/memory/2360-140-0x00007FF71D820000-0x00007FF71DB74000-memory.dmp	UPX
behavioral2/memory/5032-141-0x00007FF7F50B0000-0x00007FF7F5404000-memory.dmp	UPX
behavioral2/memory/3728-142-0x00007FF648CB0000-0x00007FF649004000-memory.dmp	UPX
behavioral2/memory/2416-143-0x00007FF78F7A0000-0x00007FF78FAF4000-memory.dmp	UPX
behavioral2/memory/1860-144-0x00007FF63A130000-0x00007FF63A484000-memory.dmp	UPX
behavioral2/memory/60-146-0x00007FF613290000-0x00007FF6135E4000-memory.dmp	UPX
behavioral2/memory/3612-145-0x00007FF704500000-0x00007FF704854000-memory.dmp	UPX
behavioral2/memory/3536-147-0x00007FF657CD0000-0x00007FF658024000-memory.dmp	UPX
behavioral2/memory/928-148-0x00007FF766D60000-0x00007FF7670B4000-memory.dmp	UPX

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/4308-0-0x00007FF7D41B0000-0x00007FF7D4504000-memory.dmp	xmrig
behavioral2/files/0x00080000000233e9-5.dat	xmrig
behavioral2/memory/2360-12-0x00007FF71D820000-0x00007FF71DB74000-memory.dmp	xmrig
behavioral2/files/0x00070000000233ee-17.dat	xmrig
behavioral2/memory/5032-20-0x00007FF7F50B0000-0x00007FF7F5404000-memory.dmp	xmrig
behavioral2/files/0x00070000000233ed-15.dat	xmrig
behavioral2/memory/4596-11-0x00007FF6B0BE0000-0x00007FF6B0F34000-memory.dmp	xmrig
behavioral2/files/0x00070000000233ef-23.dat	xmrig
behavioral2/memory/3728-24-0x00007FF648CB0000-0x00007FF649004000-memory.dmp	xmrig
behavioral2/files/0x00080000000233ea-28.dat	xmrig
behavioral2/memory/2416-34-0x00007FF78F7A0000-0x00007FF78FAF4000-memory.dmp	xmrig
behavioral2/files/0x00070000000233f0-39.dat	xmrig
behavioral2/files/0x00070000000233f3-46.dat	xmrig
behavioral2/files/0x00070000000233f4-56.dat	xmrig
behavioral2/files/0x00070000000233f7-70.dat	xmrig
behavioral2/memory/3392-74-0x00007FF79FDD0000-0x00007FF7A0124000-memory.dmp	xmrig
behavioral2/memory/3828-79-0x00007FF760B00000-0x00007FF760E54000-memory.dmp	xmrig
behavioral2/files/0x00070000000233f6-75.dat	xmrig
behavioral2/files/0x00070000000233f5-72.dat	xmrig
behavioral2/memory/4056-71-0x00007FF6387F0000-0x00007FF638B44000-memory.dmp	xmrig
behavioral2/memory/3536-64-0x00007FF657CD0000-0x00007FF658024000-memory.dmp	xmrig
behavioral2/memory/1860-63-0x00007FF63A130000-0x00007FF63A484000-memory.dmp	xmrig
behavioral2/memory/928-57-0x00007FF766D60000-0x00007FF7670B4000-memory.dmp	xmrig
behavioral2/memory/3612-50-0x00007FF704500000-0x00007FF704854000-memory.dmp	xmrig
behavioral2/files/0x00070000000233f1-51.dat	xmrig
behavioral2/files/0x00070000000233f2-44.dat	xmrig
behavioral2/memory/60-41-0x00007FF613290000-0x00007FF6135E4000-memory.dmp	xmrig
behavioral2/files/0x00070000000233f8-83.dat	xmrig
behavioral2/files/0x00070000000233f9-89.dat	xmrig
behavioral2/memory/4308-95-0x00007FF7D41B0000-0x00007FF7D4504000-memory.dmp	xmrig
behavioral2/files/0x00070000000233fb-101.dat	xmrig
behavioral2/files/0x00070000000233fa-99.dat	xmrig
behavioral2/memory/1112-103-0x00007FF7FD580000-0x00007FF7FD8D4000-memory.dmp	xmrig
behavioral2/files/0x00070000000233fd-115.dat	xmrig
behavioral2/files/0x00070000000233ff-120.dat	xmrig
behavioral2/files/0x00070000000233fe-121.dat	xmrig
behavioral2/memory/5004-113-0x00007FF610740000-0x00007FF610A94000-memory.dmp	xmrig
behavioral2/files/0x00070000000233fc-110.dat	xmrig
behavioral2/memory/4860-98-0x00007FF6B60D0000-0x00007FF6B6424000-memory.dmp	xmrig
behavioral2/memory/4568-87-0x00007FF6FA3D0000-0x00007FF6FA724000-memory.dmp	xmrig
behavioral2/memory/3400-127-0x00007FF6D4E70000-0x00007FF6D51C4000-memory.dmp	xmrig
behavioral2/memory/1764-126-0x00007FF719E40000-0x00007FF71A194000-memory.dmp	xmrig
behavioral2/memory/2360-128-0x00007FF71D820000-0x00007FF71DB74000-memory.dmp	xmrig
behavioral2/memory/4420-129-0x00007FF77E840000-0x00007FF77EB94000-memory.dmp	xmrig
behavioral2/memory/3204-125-0x00007FF7136F0000-0x00007FF713A44000-memory.dmp	xmrig
behavioral2/memory/3728-130-0x00007FF648CB0000-0x00007FF649004000-memory.dmp	xmrig
behavioral2/memory/928-131-0x00007FF766D60000-0x00007FF7670B4000-memory.dmp	xmrig
behavioral2/memory/60-132-0x00007FF613290000-0x00007FF6135E4000-memory.dmp	xmrig
behavioral2/memory/3612-133-0x00007FF704500000-0x00007FF704854000-memory.dmp	xmrig
behavioral2/memory/3536-134-0x00007FF657CD0000-0x00007FF658024000-memory.dmp	xmrig
behavioral2/memory/4056-135-0x00007FF6387F0000-0x00007FF638B44000-memory.dmp	xmrig
behavioral2/memory/3392-136-0x00007FF79FDD0000-0x00007FF7A0124000-memory.dmp	xmrig
behavioral2/memory/3828-137-0x00007FF760B00000-0x00007FF760E54000-memory.dmp	xmrig
behavioral2/memory/4568-138-0x00007FF6FA3D0000-0x00007FF6FA724000-memory.dmp	xmrig
behavioral2/memory/4596-139-0x00007FF6B0BE0000-0x00007FF6B0F34000-memory.dmp	xmrig
behavioral2/memory/2360-140-0x00007FF71D820000-0x00007FF71DB74000-memory.dmp	xmrig
behavioral2/memory/5032-141-0x00007FF7F50B0000-0x00007FF7F5404000-memory.dmp	xmrig
behavioral2/memory/3728-142-0x00007FF648CB0000-0x00007FF649004000-memory.dmp	xmrig
behavioral2/memory/2416-143-0x00007FF78F7A0000-0x00007FF78FAF4000-memory.dmp	xmrig
behavioral2/memory/1860-144-0x00007FF63A130000-0x00007FF63A484000-memory.dmp	xmrig
behavioral2/memory/60-146-0x00007FF613290000-0x00007FF6135E4000-memory.dmp	xmrig
behavioral2/memory/3612-145-0x00007FF704500000-0x00007FF704854000-memory.dmp	xmrig
behavioral2/memory/3536-147-0x00007FF657CD0000-0x00007FF658024000-memory.dmp	xmrig
behavioral2/memory/928-148-0x00007FF766D60000-0x00007FF7670B4000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
4596	fTDtoCc.exe
2360	QoShFrf.exe
5032	pMapoWR.exe
3728	IpiBgVp.exe
2416	acVwAAu.exe
60	XltWRBO.exe
3612	NSCvBax.exe
1860	fmrzcNc.exe
928	QMxhTQs.exe
3536	pUdOccS.exe
3392	lSZgdKH.exe
3828	JfRPJrV.exe
4056	NdMHkUQ.exe
4568	jHuSMRR.exe
4860	zKHCZkm.exe
1112	kgTVGoO.exe
3204	RPevOSp.exe
5004	ZGGnNwl.exe
1764	bUPrxda.exe
4420	vZrzMAs.exe
3400	zSACdna.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4308-0-0x00007FF7D41B0000-0x00007FF7D4504000-memory.dmp	upx
behavioral2/files/0x00080000000233e9-5.dat	upx
behavioral2/memory/2360-12-0x00007FF71D820000-0x00007FF71DB74000-memory.dmp	upx
behavioral2/files/0x00070000000233ee-17.dat	upx
behavioral2/memory/5032-20-0x00007FF7F50B0000-0x00007FF7F5404000-memory.dmp	upx
behavioral2/files/0x00070000000233ed-15.dat	upx
behavioral2/memory/4596-11-0x00007FF6B0BE0000-0x00007FF6B0F34000-memory.dmp	upx
behavioral2/files/0x00070000000233ef-23.dat	upx
behavioral2/memory/3728-24-0x00007FF648CB0000-0x00007FF649004000-memory.dmp	upx
behavioral2/files/0x00080000000233ea-28.dat	upx
behavioral2/memory/2416-34-0x00007FF78F7A0000-0x00007FF78FAF4000-memory.dmp	upx
behavioral2/files/0x00070000000233f0-39.dat	upx
behavioral2/files/0x00070000000233f3-46.dat	upx
behavioral2/files/0x00070000000233f4-56.dat	upx
behavioral2/files/0x00070000000233f7-70.dat	upx
behavioral2/memory/3392-74-0x00007FF79FDD0000-0x00007FF7A0124000-memory.dmp	upx
behavioral2/memory/3828-79-0x00007FF760B00000-0x00007FF760E54000-memory.dmp	upx
behavioral2/files/0x00070000000233f6-75.dat	upx
behavioral2/files/0x00070000000233f5-72.dat	upx
behavioral2/memory/4056-71-0x00007FF6387F0000-0x00007FF638B44000-memory.dmp	upx
behavioral2/memory/3536-64-0x00007FF657CD0000-0x00007FF658024000-memory.dmp	upx
behavioral2/memory/1860-63-0x00007FF63A130000-0x00007FF63A484000-memory.dmp	upx
behavioral2/memory/928-57-0x00007FF766D60000-0x00007FF7670B4000-memory.dmp	upx
behavioral2/memory/3612-50-0x00007FF704500000-0x00007FF704854000-memory.dmp	upx
behavioral2/files/0x00070000000233f1-51.dat	upx
behavioral2/files/0x00070000000233f2-44.dat	upx
behavioral2/memory/60-41-0x00007FF613290000-0x00007FF6135E4000-memory.dmp	upx
behavioral2/files/0x00070000000233f8-83.dat	upx
behavioral2/files/0x00070000000233f9-89.dat	upx
behavioral2/memory/4308-95-0x00007FF7D41B0000-0x00007FF7D4504000-memory.dmp	upx
behavioral2/files/0x00070000000233fb-101.dat	upx
behavioral2/files/0x00070000000233fa-99.dat	upx
behavioral2/memory/1112-103-0x00007FF7FD580000-0x00007FF7FD8D4000-memory.dmp	upx
behavioral2/files/0x00070000000233fd-115.dat	upx
behavioral2/files/0x00070000000233ff-120.dat	upx
behavioral2/files/0x00070000000233fe-121.dat	upx
behavioral2/memory/5004-113-0x00007FF610740000-0x00007FF610A94000-memory.dmp	upx
behavioral2/files/0x00070000000233fc-110.dat	upx
behavioral2/memory/4860-98-0x00007FF6B60D0000-0x00007FF6B6424000-memory.dmp	upx
behavioral2/memory/4568-87-0x00007FF6FA3D0000-0x00007FF6FA724000-memory.dmp	upx
behavioral2/memory/3400-127-0x00007FF6D4E70000-0x00007FF6D51C4000-memory.dmp	upx
behavioral2/memory/1764-126-0x00007FF719E40000-0x00007FF71A194000-memory.dmp	upx
behavioral2/memory/2360-128-0x00007FF71D820000-0x00007FF71DB74000-memory.dmp	upx
behavioral2/memory/4420-129-0x00007FF77E840000-0x00007FF77EB94000-memory.dmp	upx
behavioral2/memory/3204-125-0x00007FF7136F0000-0x00007FF713A44000-memory.dmp	upx
behavioral2/memory/3728-130-0x00007FF648CB0000-0x00007FF649004000-memory.dmp	upx
behavioral2/memory/928-131-0x00007FF766D60000-0x00007FF7670B4000-memory.dmp	upx
behavioral2/memory/60-132-0x00007FF613290000-0x00007FF6135E4000-memory.dmp	upx
behavioral2/memory/3612-133-0x00007FF704500000-0x00007FF704854000-memory.dmp	upx
behavioral2/memory/3536-134-0x00007FF657CD0000-0x00007FF658024000-memory.dmp	upx
behavioral2/memory/4056-135-0x00007FF6387F0000-0x00007FF638B44000-memory.dmp	upx
behavioral2/memory/3392-136-0x00007FF79FDD0000-0x00007FF7A0124000-memory.dmp	upx
behavioral2/memory/3828-137-0x00007FF760B00000-0x00007FF760E54000-memory.dmp	upx
behavioral2/memory/4568-138-0x00007FF6FA3D0000-0x00007FF6FA724000-memory.dmp	upx
behavioral2/memory/4596-139-0x00007FF6B0BE0000-0x00007FF6B0F34000-memory.dmp	upx
behavioral2/memory/2360-140-0x00007FF71D820000-0x00007FF71DB74000-memory.dmp	upx
behavioral2/memory/5032-141-0x00007FF7F50B0000-0x00007FF7F5404000-memory.dmp	upx
behavioral2/memory/3728-142-0x00007FF648CB0000-0x00007FF649004000-memory.dmp	upx
behavioral2/memory/2416-143-0x00007FF78F7A0000-0x00007FF78FAF4000-memory.dmp	upx
behavioral2/memory/1860-144-0x00007FF63A130000-0x00007FF63A484000-memory.dmp	upx
behavioral2/memory/60-146-0x00007FF613290000-0x00007FF6135E4000-memory.dmp	upx
behavioral2/memory/3612-145-0x00007FF704500000-0x00007FF704854000-memory.dmp	upx
behavioral2/memory/3536-147-0x00007FF657CD0000-0x00007FF658024000-memory.dmp	upx
behavioral2/memory/928-148-0x00007FF766D60000-0x00007FF7670B4000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\jHuSMRR.exe	2024-06-12_56d8a404a340854d9b49c1b2a36a3905_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\IpiBgVp.exe	2024-06-12_56d8a404a340854d9b49c1b2a36a3905_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\fmrzcNc.exe	2024-06-12_56d8a404a340854d9b49c1b2a36a3905_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\pUdOccS.exe	2024-06-12_56d8a404a340854d9b49c1b2a36a3905_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\zKHCZkm.exe	2024-06-12_56d8a404a340854d9b49c1b2a36a3905_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\kgTVGoO.exe	2024-06-12_56d8a404a340854d9b49c1b2a36a3905_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\RPevOSp.exe	2024-06-12_56d8a404a340854d9b49c1b2a36a3905_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\pMapoWR.exe	2024-06-12_56d8a404a340854d9b49c1b2a36a3905_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\acVwAAu.exe	2024-06-12_56d8a404a340854d9b49c1b2a36a3905_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\NdMHkUQ.exe	2024-06-12_56d8a404a340854d9b49c1b2a36a3905_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ZGGnNwl.exe	2024-06-12_56d8a404a340854d9b49c1b2a36a3905_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\bUPrxda.exe	2024-06-12_56d8a404a340854d9b49c1b2a36a3905_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\vZrzMAs.exe	2024-06-12_56d8a404a340854d9b49c1b2a36a3905_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\XltWRBO.exe	2024-06-12_56d8a404a340854d9b49c1b2a36a3905_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\lSZgdKH.exe	2024-06-12_56d8a404a340854d9b49c1b2a36a3905_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\JfRPJrV.exe	2024-06-12_56d8a404a340854d9b49c1b2a36a3905_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\QMxhTQs.exe	2024-06-12_56d8a404a340854d9b49c1b2a36a3905_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\zSACdna.exe	2024-06-12_56d8a404a340854d9b49c1b2a36a3905_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\fTDtoCc.exe	2024-06-12_56d8a404a340854d9b49c1b2a36a3905_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\QoShFrf.exe	2024-06-12_56d8a404a340854d9b49c1b2a36a3905_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\NSCvBax.exe	2024-06-12_56d8a404a340854d9b49c1b2a36a3905_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4308	2024-06-12_56d8a404a340854d9b49c1b2a36a3905_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	4308	2024-06-12_56d8a404a340854d9b49c1b2a36a3905_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4308 wrote to memory of 4596	4308	2024-06-12_56d8a404a340854d9b49c1b2a36a3905_cobalt-strike_cobaltstrike.exe	82
PID 4308 wrote to memory of 4596	4308	2024-06-12_56d8a404a340854d9b49c1b2a36a3905_cobalt-strike_cobaltstrike.exe	82
PID 4308 wrote to memory of 2360	4308	2024-06-12_56d8a404a340854d9b49c1b2a36a3905_cobalt-strike_cobaltstrike.exe	83
PID 4308 wrote to memory of 2360	4308	2024-06-12_56d8a404a340854d9b49c1b2a36a3905_cobalt-strike_cobaltstrike.exe	83
PID 4308 wrote to memory of 5032	4308	2024-06-12_56d8a404a340854d9b49c1b2a36a3905_cobalt-strike_cobaltstrike.exe	84
PID 4308 wrote to memory of 5032	4308	2024-06-12_56d8a404a340854d9b49c1b2a36a3905_cobalt-strike_cobaltstrike.exe	84
PID 4308 wrote to memory of 3728	4308	2024-06-12_56d8a404a340854d9b49c1b2a36a3905_cobalt-strike_cobaltstrike.exe	85
PID 4308 wrote to memory of 3728	4308	2024-06-12_56d8a404a340854d9b49c1b2a36a3905_cobalt-strike_cobaltstrike.exe	85
PID 4308 wrote to memory of 2416	4308	2024-06-12_56d8a404a340854d9b49c1b2a36a3905_cobalt-strike_cobaltstrike.exe	86
PID 4308 wrote to memory of 2416	4308	2024-06-12_56d8a404a340854d9b49c1b2a36a3905_cobalt-strike_cobaltstrike.exe	86
PID 4308 wrote to memory of 3612	4308	2024-06-12_56d8a404a340854d9b49c1b2a36a3905_cobalt-strike_cobaltstrike.exe	90
PID 4308 wrote to memory of 3612	4308	2024-06-12_56d8a404a340854d9b49c1b2a36a3905_cobalt-strike_cobaltstrike.exe	90
PID 4308 wrote to memory of 60	4308	2024-06-12_56d8a404a340854d9b49c1b2a36a3905_cobalt-strike_cobaltstrike.exe	91
PID 4308 wrote to memory of 60	4308	2024-06-12_56d8a404a340854d9b49c1b2a36a3905_cobalt-strike_cobaltstrike.exe	91
PID 4308 wrote to memory of 1860	4308	2024-06-12_56d8a404a340854d9b49c1b2a36a3905_cobalt-strike_cobaltstrike.exe	92
PID 4308 wrote to memory of 1860	4308	2024-06-12_56d8a404a340854d9b49c1b2a36a3905_cobalt-strike_cobaltstrike.exe	92
PID 4308 wrote to memory of 928	4308	2024-06-12_56d8a404a340854d9b49c1b2a36a3905_cobalt-strike_cobaltstrike.exe	93
PID 4308 wrote to memory of 928	4308	2024-06-12_56d8a404a340854d9b49c1b2a36a3905_cobalt-strike_cobaltstrike.exe	93
PID 4308 wrote to memory of 3536	4308	2024-06-12_56d8a404a340854d9b49c1b2a36a3905_cobalt-strike_cobaltstrike.exe	94
PID 4308 wrote to memory of 3536	4308	2024-06-12_56d8a404a340854d9b49c1b2a36a3905_cobalt-strike_cobaltstrike.exe	94
PID 4308 wrote to memory of 3392	4308	2024-06-12_56d8a404a340854d9b49c1b2a36a3905_cobalt-strike_cobaltstrike.exe	95
PID 4308 wrote to memory of 3392	4308	2024-06-12_56d8a404a340854d9b49c1b2a36a3905_cobalt-strike_cobaltstrike.exe	95
PID 4308 wrote to memory of 3828	4308	2024-06-12_56d8a404a340854d9b49c1b2a36a3905_cobalt-strike_cobaltstrike.exe	96
PID 4308 wrote to memory of 3828	4308	2024-06-12_56d8a404a340854d9b49c1b2a36a3905_cobalt-strike_cobaltstrike.exe	96
PID 4308 wrote to memory of 4056	4308	2024-06-12_56d8a404a340854d9b49c1b2a36a3905_cobalt-strike_cobaltstrike.exe	97
PID 4308 wrote to memory of 4056	4308	2024-06-12_56d8a404a340854d9b49c1b2a36a3905_cobalt-strike_cobaltstrike.exe	97
PID 4308 wrote to memory of 4568	4308	2024-06-12_56d8a404a340854d9b49c1b2a36a3905_cobalt-strike_cobaltstrike.exe	98
PID 4308 wrote to memory of 4568	4308	2024-06-12_56d8a404a340854d9b49c1b2a36a3905_cobalt-strike_cobaltstrike.exe	98
PID 4308 wrote to memory of 4860	4308	2024-06-12_56d8a404a340854d9b49c1b2a36a3905_cobalt-strike_cobaltstrike.exe	99
PID 4308 wrote to memory of 4860	4308	2024-06-12_56d8a404a340854d9b49c1b2a36a3905_cobalt-strike_cobaltstrike.exe	99
PID 4308 wrote to memory of 1112	4308	2024-06-12_56d8a404a340854d9b49c1b2a36a3905_cobalt-strike_cobaltstrike.exe	100
PID 4308 wrote to memory of 1112	4308	2024-06-12_56d8a404a340854d9b49c1b2a36a3905_cobalt-strike_cobaltstrike.exe	100
PID 4308 wrote to memory of 3204	4308	2024-06-12_56d8a404a340854d9b49c1b2a36a3905_cobalt-strike_cobaltstrike.exe	101
PID 4308 wrote to memory of 3204	4308	2024-06-12_56d8a404a340854d9b49c1b2a36a3905_cobalt-strike_cobaltstrike.exe	101
PID 4308 wrote to memory of 5004	4308	2024-06-12_56d8a404a340854d9b49c1b2a36a3905_cobalt-strike_cobaltstrike.exe	102
PID 4308 wrote to memory of 5004	4308	2024-06-12_56d8a404a340854d9b49c1b2a36a3905_cobalt-strike_cobaltstrike.exe	102
PID 4308 wrote to memory of 1764	4308	2024-06-12_56d8a404a340854d9b49c1b2a36a3905_cobalt-strike_cobaltstrike.exe	103
PID 4308 wrote to memory of 1764	4308	2024-06-12_56d8a404a340854d9b49c1b2a36a3905_cobalt-strike_cobaltstrike.exe	103
PID 4308 wrote to memory of 4420	4308	2024-06-12_56d8a404a340854d9b49c1b2a36a3905_cobalt-strike_cobaltstrike.exe	104
PID 4308 wrote to memory of 4420	4308	2024-06-12_56d8a404a340854d9b49c1b2a36a3905_cobalt-strike_cobaltstrike.exe	104
PID 4308 wrote to memory of 3400	4308	2024-06-12_56d8a404a340854d9b49c1b2a36a3905_cobalt-strike_cobaltstrike.exe	105
PID 4308 wrote to memory of 3400	4308	2024-06-12_56d8a404a340854d9b49c1b2a36a3905_cobalt-strike_cobaltstrike.exe	105

C:\Users\Admin\AppData\Local\Temp\2024-06-12_56d8a404a340854d9b49c1b2a36a3905_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-12_56d8a404a340854d9b49c1b2a36a3905_cobalt-strike_cobaltstrike.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4308
- C:\Windows\System\fTDtoCc.exe
  C:\Windows\System\fTDtoCc.exe
  2⤵
  - Executes dropped EXE
  PID:4596
- C:\Windows\System\QoShFrf.exe
  C:\Windows\System\QoShFrf.exe
  2⤵
  - Executes dropped EXE
  PID:2360
- C:\Windows\System\pMapoWR.exe
  C:\Windows\System\pMapoWR.exe
  2⤵
  - Executes dropped EXE
  PID:5032
- C:\Windows\System\IpiBgVp.exe
  C:\Windows\System\IpiBgVp.exe
  2⤵
  - Executes dropped EXE
  PID:3728
- C:\Windows\System\acVwAAu.exe
  C:\Windows\System\acVwAAu.exe
  2⤵
  - Executes dropped EXE
  PID:2416
- C:\Windows\System\NSCvBax.exe
  C:\Windows\System\NSCvBax.exe
  2⤵
  - Executes dropped EXE
  PID:3612
- C:\Windows\System\XltWRBO.exe
  C:\Windows\System\XltWRBO.exe
  2⤵
  - Executes dropped EXE
  PID:60
- C:\Windows\System\fmrzcNc.exe
  C:\Windows\System\fmrzcNc.exe
  2⤵
  - Executes dropped EXE
  PID:1860
- C:\Windows\System\QMxhTQs.exe
  C:\Windows\System\QMxhTQs.exe
  2⤵
  - Executes dropped EXE
  PID:928
- C:\Windows\System\pUdOccS.exe
  C:\Windows\System\pUdOccS.exe
  2⤵
  - Executes dropped EXE
  PID:3536
- C:\Windows\System\lSZgdKH.exe
  C:\Windows\System\lSZgdKH.exe
  2⤵
  - Executes dropped EXE
  PID:3392
- C:\Windows\System\JfRPJrV.exe
  C:\Windows\System\JfRPJrV.exe
  2⤵
  - Executes dropped EXE
  PID:3828
- C:\Windows\System\NdMHkUQ.exe
  C:\Windows\System\NdMHkUQ.exe
  2⤵
  - Executes dropped EXE
  PID:4056
- C:\Windows\System\jHuSMRR.exe
  C:\Windows\System\jHuSMRR.exe
  2⤵
  - Executes dropped EXE
  PID:4568
- C:\Windows\System\zKHCZkm.exe
  C:\Windows\System\zKHCZkm.exe
  2⤵
  - Executes dropped EXE
  PID:4860
- C:\Windows\System\kgTVGoO.exe
  C:\Windows\System\kgTVGoO.exe
  2⤵
  - Executes dropped EXE
  PID:1112
- C:\Windows\System\RPevOSp.exe
  C:\Windows\System\RPevOSp.exe
  2⤵
  - Executes dropped EXE
  PID:3204
- C:\Windows\System\ZGGnNwl.exe
  C:\Windows\System\ZGGnNwl.exe
  2⤵
  - Executes dropped EXE
  PID:5004
- C:\Windows\System\bUPrxda.exe
  C:\Windows\System\bUPrxda.exe
  2⤵
  - Executes dropped EXE
  PID:1764
- C:\Windows\System\vZrzMAs.exe
  C:\Windows\System\vZrzMAs.exe
  2⤵
  - Executes dropped EXE
  PID:4420
- C:\Windows\System\zSACdna.exe
  C:\Windows\System\zSACdna.exe
  2⤵
  - Executes dropped EXE
  PID:3400

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\IpiBgVp.exe

Filesize
5.9MB

MD5
267f533f7b81071b75b04191b994450a

SHA1
4fab50564338f59502465813f8e6a1a2aec33d94

SHA256
2456deb0a413c249f546444d073d30bbd081dfc1c5161adba5365f556476f436

SHA512
811a3f80ab98f6e3738fb507f773655181ee4247b6e083d803f7012bf9a8baa6a80126c274935f7463a1b32f3a7689fb1e0e436ae0541d1d23ed8f4f320f2fd5

Download Submit
C:\Windows\System\JfRPJrV.exe

Filesize
5.9MB

MD5
b38fc40033dc0be7573af040ede5eb23

SHA1
67163f43af9ff7372c7c19bca07e9942e0c24e5f

SHA256
8f743f936c3f78fa237570ecae9bb51347825e93d9f966709d97e21931c6906b

SHA512
9f24a2cd0c82357e40a208e08313d357d0e93e038d42442d404d5e5aa8d7b5c360c927d87e55f7e41a8746fdfc710c43d471b4e9417321927cbecb756776ebed

Download Submit
C:\Windows\System\NSCvBax.exe

Filesize
5.9MB

MD5
1b19bf28a64dbca7f93b34a9d9db8c42

SHA1
b4831633747850a7d58e87a25d780c882050b015

SHA256
388e5577296815223ba1ed7225bdf3a984f193db50f28e191c993edd7c9b1cf8

SHA512
461bde6a530bf894468e6613bf5cb33219cfe280c8aa0d602e5f0945ce0a3d3738ac6d08b47642200389f9a6ced51f5567aed7c773a85a8988d9419266b8aa30

Download Submit
C:\Windows\System\NdMHkUQ.exe

Filesize
5.9MB

MD5
5adf7c9e22dbe0bc318b542f41fff1b9

SHA1
5cdbc3137af5f3d77cc24d9d19c1cbb5e90f1ed9

SHA256
d770257a2083fb45c7321a55a9ec114598bfa86e59a4cb4755e2f5128fc8fd30

SHA512
dab7fec9cb732f8c402786bba9397018bdc8c7d7a970f104918713f5e5d9cda3c3ee9c958b310eae63d26d893b9a69264b3d7cee6effe7eebd84a32db2197d06

Download Submit
C:\Windows\System\QMxhTQs.exe

Filesize
5.9MB

MD5
8a6e8f0ec95b5878970d10acd5c15d6a

SHA1
7752d4754d6599695db9e597859aeb16eed21d2c

SHA256
6dcb61ab7c3be4065941f0dd34d3c1ab7ba8fe1b574c537528c94c90c20f2fe8

SHA512
bcd57f3ba7a5a5cb83905e0d11fb576f7d38b2f710b95d4d117083bf28139a13e3554c125e9599309f575f5476fcd0f5c2d32631d942f03e37f3e17bbdf8465a

Download Submit
C:\Windows\System\QoShFrf.exe

Filesize
5.9MB

MD5
ef74639c7568f61a6f1918922993aab6

SHA1
dc8cbac27711f9e2d8551c1c25859217d616aa8a

SHA256
ea4744601144e7eb8d3282a618de6732c540cfc734a29cdf3070c0f7f9990794

SHA512
c3c2ee0481cae33693df0fff6f966f541fd400383f0c94fc694c25d966f410374980166a0d3669c2dd36851306675aa9a67d47bcc3a3aae9e2b6935379d081f7

Download Submit
C:\Windows\System\RPevOSp.exe

Filesize
5.9MB

MD5
800ee57d1f86342ecb2ef086a7af97dd

SHA1
43c00109e9c36ede6479ed4e47b28a33b30e4e58

SHA256
84fa29f2d335555d9d4bb417fd11c3a331dd57d10f4d8a119eae40900be622c5

SHA512
ba90fe9ea9d4399291d03c42bf9322b59bd3498b7b18bc21d92ba7077ac7abdd381248ae49106863927a91f9223de46f161808ebe43633f86520122306ccde9f

Download Submit
C:\Windows\System\XltWRBO.exe

Filesize
5.9MB

MD5
2c11b3f36dd7689ad22062511c508d40

SHA1
d12495446e841852eb7cdc6b0923cc1773bf51f6

SHA256
ec29552c5a9504b01fc8b15b617ea1bd88c74c40e5b704627fe71e2acabed7c0

SHA512
9f817d47ea7a41dbb46705fcfcf5d3a895055cb0d056bedea1076b3d625c9d9fac28c5c6ed3845eb52736c8cd0613b4d7c9d3ca7a9ca21df08839f6fcde38fbb

Download Submit
C:\Windows\System\ZGGnNwl.exe

Filesize
5.9MB

MD5
57fe48e161124f67d5a714c1919948da

SHA1
6196d46f2f8d62f8874044bed1830f43e79e568a

SHA256
e37722d678a59b843e7abb2b2b388057bfea3817f5be773013b9a46984a90eb8

SHA512
dc85f4157ae8296ce3d737bd12185831a9792177112b815f30211eba1d474672d18759c2b0bd69ab0b69f62e9d5c9a8a2a732228c88faa8a0580d74d9bf90b03

Download Submit
C:\Windows\System\acVwAAu.exe

Filesize
5.9MB

MD5
33456c07591efd1682991eb143997f8a

SHA1
8ab0a3c81b35c4d1be2020663da3d692e75b5fa2

SHA256
2d472391269fd1d4ca13fcb4bc24ef689702bcbcb426c14dce22f892f72f955c

SHA512
18061700a426fc7160fc9ea9aea448f82edde508c1538c229d100eae378bd17f1f3acd4f4d5b891524a5f8b52298b30d5fe2d8bc4dfcddcc7267c27c0aae4e31

Download Submit
C:\Windows\System\bUPrxda.exe

Filesize
5.9MB

MD5
2a80e50c84a384452dc644c896844212

SHA1
fc5115b375ecabb2816c3a936a57ea02d9bcff8f

SHA256
caa1c7f733e00d88858cb3f8017b534111ad985a89e7446822f4e51946ab3c1f

SHA512
2ba36073af4464869e50809dbf54c8ea6e0e224c12d1336b0ed010fe31d23a530c32d53290ca2547315e7d72367f915c0bc81ab094b0b2bed564fc7f171ccf3d

Download Submit
C:\Windows\System\fTDtoCc.exe

Filesize
5.9MB

MD5
0978d6a556bdd772a310cc7a195293c5

SHA1
26022c1dc2133d4196bb23210bd040ac4b7d8c20

SHA256
c7ffa6e7ba355683bd0ec04ee20fefd4ca3f72e71a64c3ce13beeddc65257226

SHA512
0771aa7b957c35c9ad926caf2fbbed77fea868f7064438da11b18389e76cb897c22c4ae7fe4482a2aca92a73a155ca5a7420e68ad90511cfcf8aabcde3742e3f

Download Submit
C:\Windows\System\fmrzcNc.exe

Filesize
5.9MB

MD5
b642787c6e48c36169b384eb93c5ed93

SHA1
098e96230f1f330af98a35518ec589589933c177

SHA256
95e8a761884b63382c9281bbb8b41a451f57556bf5eba0ee7624162bdad702f5

SHA512
6723a88e843aece5b95656a4497d9d7f9a857501ef93e466a9b8cb50ae9c801ebbb04347b02f8ed1923d53dbfed17f615f147203d135bb83337cd8dbefd9097c

Download Submit
C:\Windows\System\jHuSMRR.exe

Filesize
5.9MB

MD5
9ab32ab057d75e0018ab762a649033eb

SHA1
21bcefd953e33f24a0355e3b5ce6d9c50154866c

SHA256
28e024147809bb6c6b43a5e71a186cf62f40c6841ce8fbc26168183112bfd6c1

SHA512
944443e86067d6bb77ea8e787a52cb8ee5d39e202644eac13dc1ba9e6620ab6cbc578118c9936c5b9388b3c52c322312938352082645e37592128388e5cbdf7f

Download Submit
C:\Windows\System\kgTVGoO.exe

Filesize
5.9MB

MD5
abaeaeef30246fa8bf037cd2e5215e4a

SHA1
66df6ab12da7a3773ba878229fb8f9024fdb8dd5

SHA256
7598d5712b3613ecb76ad47da11415a07601a7d793adb245d20a04e2646caa04

SHA512
edc59a0cbf70b999e4e3872b13c3541afd20c38c3a2e8d6ff31d4894c43048078ae68503e4e69db57dcb65c5b38435c41943d3da1043b4b44c970bd125fdc1dc

Download Submit
C:\Windows\System\lSZgdKH.exe

Filesize
5.9MB

MD5
568f74b5e186d1462418057f5ae2a2e2

SHA1
e6c63b2c57c9716d736fa9e244606da79cce4485

SHA256
7f94b4516c4e2df5cb5f212356b5e4972e551e9eb3d46185a62a60d1520f9315

SHA512
63649c6fae87dc964741d356ce217327f39a780dc2f8053a906327b61061d176d6f52af2d1ef432a80518b4fadd4e5cd1518419ff63eb0656169cfdaab4f1456

Download Submit
C:\Windows\System\pMapoWR.exe

Filesize
5.9MB

MD5
e2cd30d61fb72ed4b9d8ccc5b18fc6c9

SHA1
3be5a734e122d3e82ae9809798e7e517546cece3

SHA256
9a797f10007701c4b706afee1a85e86473bca5fe676f5b56c7f8554343de5d13

SHA512
eac486046afd77d673059e808b56d382ca863b8710dcd761ef48b2b3518da0d8573ae87e6ca8b70cb5fe2d89feb798f5d35d2b6a5e9567f270c728c147a6a113

Download Submit
C:\Windows\System\pUdOccS.exe

Filesize
5.9MB

MD5
3dc4f3ace05abe2efab109817bedbe83

SHA1
7b0637b1d431ae6a8e712b5325bec1bda0d70326

SHA256
b70a6325c59cb530ed71aa30deb1dfb0f21d0439d84c15d13286745ab66f6d8e

SHA512
57c6e32625d4a81aa09799f54d0fad014c2fa2f90fc47d50c6a037472019ca0af16bef0af309367a4efab327196e9a3084012776c9daeb17dd0432df1908714b

Download Submit
C:\Windows\System\vZrzMAs.exe

Filesize
5.9MB

MD5
af6eb33640b06cc396fc0c7eea5a1709

SHA1
a75f54b1120a6409b5a2214891591d226b5667b1

SHA256
f6b36b3ae1b9f4219eb988121a3c6acb3aed3f00e98a0ea1f76cbdf5f1f06a2f

SHA512
91a74f8857b6bde83765e240dc5dcf7621bfd6242519d36fddab0d474a0e35f46460cae1cb3c8776d838e498e561b512ace93b2fd54432a81e6c29fc8a240f14

Download Submit
C:\Windows\System\zKHCZkm.exe

Filesize
5.9MB

MD5
5dcda3112231f48dcfd8df895f786ff1

SHA1
f1b6a400c10b85367ca97cee4cfac7f08c490633

SHA256
99a1d7a23bc1dccf0d37ff8ce38970903b5dfe77e4009bebb1305450f580c036

SHA512
4d519ef36ee548b41e6f881c085d64423d099fedb2ec6a8e3741d197511afcddb35772ccb8de223ee8fd5d96879424455b14b4b698093262180f48fe3028f421

Download Submit
C:\Windows\System\zSACdna.exe

Filesize
5.9MB

MD5
747af65096b44562161f49a1a215b644

SHA1
bf12107406f359cd34ed5c8b4930d2d1a7da729e

SHA256
06cc44e5c8e7baf2f4fe10a80a72f995decb9527110d03875ea0e2858a59988a

SHA512
760dc5475d922de4706be5e44aadc4e72773b6686e3b129c6470aae2ce706dfc545dfd246f3eaf99879c5018800d8eba0f8b92bfdd8079f20d13a857b0f122f1

Download Submit
memory/60-41-0x00007FF613290000-0x00007FF6135E4000-memory.dmp

Filesize
3.3MB

Download
memory/60-146-0x00007FF613290000-0x00007FF6135E4000-memory.dmp

Filesize
3.3MB

Download
memory/60-132-0x00007FF613290000-0x00007FF6135E4000-memory.dmp

Filesize
3.3MB

Download
memory/928-57-0x00007FF766D60000-0x00007FF7670B4000-memory.dmp

Filesize
3.3MB

Download
memory/928-148-0x00007FF766D60000-0x00007FF7670B4000-memory.dmp

Filesize
3.3MB

Download
memory/928-131-0x00007FF766D60000-0x00007FF7670B4000-memory.dmp

Filesize
3.3MB

Download
memory/1112-103-0x00007FF7FD580000-0x00007FF7FD8D4000-memory.dmp

Filesize
3.3MB

Download
memory/1112-154-0x00007FF7FD580000-0x00007FF7FD8D4000-memory.dmp

Filesize
3.3MB

Download
memory/1764-157-0x00007FF719E40000-0x00007FF71A194000-memory.dmp

Filesize
3.3MB

Download
memory/1764-126-0x00007FF719E40000-0x00007FF71A194000-memory.dmp

Filesize
3.3MB

Download
memory/1860-144-0x00007FF63A130000-0x00007FF63A484000-memory.dmp

Filesize
3.3MB

Download
memory/1860-63-0x00007FF63A130000-0x00007FF63A484000-memory.dmp

Filesize
3.3MB

Download
memory/2360-140-0x00007FF71D820000-0x00007FF71DB74000-memory.dmp

Filesize
3.3MB

Download
memory/2360-12-0x00007FF71D820000-0x00007FF71DB74000-memory.dmp

Filesize
3.3MB

Download
memory/2360-128-0x00007FF71D820000-0x00007FF71DB74000-memory.dmp

Filesize
3.3MB

Download
memory/2416-34-0x00007FF78F7A0000-0x00007FF78FAF4000-memory.dmp

Filesize
3.3MB

Download
memory/2416-143-0x00007FF78F7A0000-0x00007FF78FAF4000-memory.dmp

Filesize
3.3MB

Download
memory/3204-125-0x00007FF7136F0000-0x00007FF713A44000-memory.dmp

Filesize
3.3MB

Download
memory/3204-156-0x00007FF7136F0000-0x00007FF713A44000-memory.dmp

Filesize
3.3MB

Download
memory/3392-74-0x00007FF79FDD0000-0x00007FF7A0124000-memory.dmp

Filesize
3.3MB

Download
memory/3392-136-0x00007FF79FDD0000-0x00007FF7A0124000-memory.dmp

Filesize
3.3MB

Download
memory/3392-149-0x00007FF79FDD0000-0x00007FF7A0124000-memory.dmp

Filesize
3.3MB

Download
memory/3400-127-0x00007FF6D4E70000-0x00007FF6D51C4000-memory.dmp

Filesize
3.3MB

Download
memory/3400-159-0x00007FF6D4E70000-0x00007FF6D51C4000-memory.dmp

Filesize
3.3MB

Download
memory/3536-147-0x00007FF657CD0000-0x00007FF658024000-memory.dmp

Filesize
3.3MB

Download
memory/3536-64-0x00007FF657CD0000-0x00007FF658024000-memory.dmp

Filesize
3.3MB

Download
memory/3536-134-0x00007FF657CD0000-0x00007FF658024000-memory.dmp

Filesize
3.3MB

Download
memory/3612-145-0x00007FF704500000-0x00007FF704854000-memory.dmp

Filesize
3.3MB

Download
memory/3612-50-0x00007FF704500000-0x00007FF704854000-memory.dmp

Filesize
3.3MB

Download
memory/3612-133-0x00007FF704500000-0x00007FF704854000-memory.dmp

Filesize
3.3MB

Download
memory/3728-142-0x00007FF648CB0000-0x00007FF649004000-memory.dmp

Filesize
3.3MB

Download
memory/3728-24-0x00007FF648CB0000-0x00007FF649004000-memory.dmp

Filesize
3.3MB

Download
memory/3728-130-0x00007FF648CB0000-0x00007FF649004000-memory.dmp

Filesize
3.3MB

Download
memory/3828-79-0x00007FF760B00000-0x00007FF760E54000-memory.dmp

Filesize
3.3MB

Download
memory/3828-137-0x00007FF760B00000-0x00007FF760E54000-memory.dmp

Filesize
3.3MB

Download
memory/3828-150-0x00007FF760B00000-0x00007FF760E54000-memory.dmp

Filesize
3.3MB

Download
memory/4056-71-0x00007FF6387F0000-0x00007FF638B44000-memory.dmp

Filesize
3.3MB

Download
memory/4056-135-0x00007FF6387F0000-0x00007FF638B44000-memory.dmp

Filesize
3.3MB

Download
memory/4056-151-0x00007FF6387F0000-0x00007FF638B44000-memory.dmp

Filesize
3.3MB

Download
memory/4308-1-0x000001C6A2110000-0x000001C6A2120000-memory.dmp

Filesize
64KB

Download
memory/4308-95-0x00007FF7D41B0000-0x00007FF7D4504000-memory.dmp

Filesize
3.3MB

Download
memory/4308-0-0x00007FF7D41B0000-0x00007FF7D4504000-memory.dmp

Filesize
3.3MB

Download
memory/4420-129-0x00007FF77E840000-0x00007FF77EB94000-memory.dmp

Filesize
3.3MB

Download
memory/4420-158-0x00007FF77E840000-0x00007FF77EB94000-memory.dmp

Filesize
3.3MB

Download
memory/4568-152-0x00007FF6FA3D0000-0x00007FF6FA724000-memory.dmp

Filesize
3.3MB

Download
memory/4568-87-0x00007FF6FA3D0000-0x00007FF6FA724000-memory.dmp

Filesize
3.3MB

Download
memory/4568-138-0x00007FF6FA3D0000-0x00007FF6FA724000-memory.dmp

Filesize
3.3MB

Download
memory/4596-139-0x00007FF6B0BE0000-0x00007FF6B0F34000-memory.dmp

Filesize
3.3MB

Download
memory/4596-11-0x00007FF6B0BE0000-0x00007FF6B0F34000-memory.dmp

Filesize
3.3MB

Download
memory/4860-153-0x00007FF6B60D0000-0x00007FF6B6424000-memory.dmp

Filesize
3.3MB

Download
memory/4860-98-0x00007FF6B60D0000-0x00007FF6B6424000-memory.dmp

Filesize
3.3MB

Download
memory/5004-155-0x00007FF610740000-0x00007FF610A94000-memory.dmp

Filesize
3.3MB

Download
memory/5004-113-0x00007FF610740000-0x00007FF610A94000-memory.dmp

Filesize
3.3MB

Download
memory/5032-141-0x00007FF7F50B0000-0x00007FF7F5404000-memory.dmp

Filesize
3.3MB

Download
memory/5032-20-0x00007FF7F50B0000-0x00007FF7F5404000-memory.dmp

Filesize
3.3MB

Download