cobaltstrike | dba9d743d7a323673eb6d71e80ffdf19e117f8e1decb3b5bd6469004b0c6b731

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
13/06/2024, 12:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe
Size

5.9MB
MD5

10db1a2ff1aebf81b9b094e671f01a4c
SHA1

15984de7d4c800d6c3cf564bab9c0bdefec96840
SHA256

dba9d743d7a323673eb6d71e80ffdf19e117f8e1decb3b5bd6469004b0c6b731
SHA512

e810e5c81bfeb2aad0ed3b5ba52b52bcd5e96e9f6068d8e3fe747993af6604c56ab753ea90e1791e651f7f1f7d527f7e57b5eae19492fea0af7f754d54c9d294
SSDEEP

98304:BemTLkNdfE0pZrT56utgpPFotBER/mQ32lU9:Q+u56utgpPF8u/79

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0008000000023420-6.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023426-10.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023427-11.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023428-23.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023424-28.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023429-35.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002342a-42.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002342b-46.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002342c-53.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002342d-59.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002342e-66.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002342f-71.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023430-77.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023431-87.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023432-93.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023433-100.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023434-105.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023435-111.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023436-119.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023439-125.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002343a-131.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023420-6.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0008000000023426-10.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023427-11.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023428-23.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0008000000023424-28.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023429-35.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002342a-42.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002342b-46.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002342c-53.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002342d-59.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002342e-66.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002342f-71.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023430-77.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023431-87.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023432-93.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023433-100.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023434-105.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023435-111.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023436-119.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023439-125.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002343a-131.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

resource	yara_rule
behavioral2/memory/4576-0-0x00007FF6C59D0000-0x00007FF6C5D24000-memory.dmp	UPX
behavioral2/files/0x0008000000023420-6.dat	UPX
behavioral2/files/0x0008000000023426-10.dat	UPX
behavioral2/files/0x0007000000023427-11.dat	UPX
behavioral2/memory/1112-14-0x00007FF7BF4A0000-0x00007FF7BF7F4000-memory.dmp	UPX
behavioral2/memory/1548-8-0x00007FF7377A0000-0x00007FF737AF4000-memory.dmp	UPX
behavioral2/memory/4208-20-0x00007FF683640000-0x00007FF683994000-memory.dmp	UPX
behavioral2/files/0x0007000000023428-23.dat	UPX
behavioral2/memory/2952-25-0x00007FF7A0F10000-0x00007FF7A1264000-memory.dmp	UPX
behavioral2/files/0x0008000000023424-28.dat	UPX
behavioral2/memory/4484-32-0x00007FF69B060000-0x00007FF69B3B4000-memory.dmp	UPX
behavioral2/files/0x0007000000023429-35.dat	UPX
behavioral2/memory/4636-38-0x00007FF6E0400000-0x00007FF6E0754000-memory.dmp	UPX
behavioral2/files/0x000700000002342a-42.dat	UPX
behavioral2/memory/5212-44-0x00007FF693580000-0x00007FF6938D4000-memory.dmp	UPX
behavioral2/files/0x000700000002342b-46.dat	UPX
behavioral2/files/0x000700000002342c-53.dat	UPX
behavioral2/memory/5852-56-0x00007FF792510000-0x00007FF792864000-memory.dmp	UPX
behavioral2/memory/5572-50-0x00007FF7F17E0000-0x00007FF7F1B34000-memory.dmp	UPX
behavioral2/files/0x000700000002342d-59.dat	UPX
behavioral2/memory/4576-62-0x00007FF6C59D0000-0x00007FF6C5D24000-memory.dmp	UPX
behavioral2/files/0x000700000002342e-66.dat	UPX
behavioral2/memory/4468-65-0x00007FF77B8C0000-0x00007FF77BC14000-memory.dmp	UPX
behavioral2/files/0x000700000002342f-71.dat	UPX
behavioral2/memory/1112-75-0x00007FF7BF4A0000-0x00007FF7BF7F4000-memory.dmp	UPX
behavioral2/memory/3936-81-0x00007FF75DAA0000-0x00007FF75DDF4000-memory.dmp	UPX
behavioral2/memory/4208-83-0x00007FF683640000-0x00007FF683994000-memory.dmp	UPX
behavioral2/memory/3476-82-0x00007FF7EEA80000-0x00007FF7EEDD4000-memory.dmp	UPX
behavioral2/files/0x0007000000023430-77.dat	UPX
behavioral2/memory/4204-72-0x00007FF7C3420000-0x00007FF7C3774000-memory.dmp	UPX
behavioral2/files/0x0007000000023431-87.dat	UPX
behavioral2/memory/2292-94-0x00007FF62F9C0000-0x00007FF62FD14000-memory.dmp	UPX
behavioral2/files/0x0007000000023432-93.dat	UPX
behavioral2/memory/3996-97-0x00007FF78A210000-0x00007FF78A564000-memory.dmp	UPX
behavioral2/files/0x0007000000023433-100.dat	UPX
behavioral2/memory/6000-103-0x00007FF675960000-0x00007FF675CB4000-memory.dmp	UPX
behavioral2/memory/4636-102-0x00007FF6E0400000-0x00007FF6E0754000-memory.dmp	UPX
behavioral2/memory/2952-89-0x00007FF7A0F10000-0x00007FF7A1264000-memory.dmp	UPX
behavioral2/files/0x0007000000023434-105.dat	UPX
behavioral2/files/0x0007000000023435-111.dat	UPX
behavioral2/memory/5196-109-0x00007FF62DA70000-0x00007FF62DDC4000-memory.dmp	UPX
behavioral2/memory/5836-116-0x00007FF7E0340000-0x00007FF7E0694000-memory.dmp	UPX
behavioral2/memory/5572-115-0x00007FF7F17E0000-0x00007FF7F1B34000-memory.dmp	UPX
behavioral2/files/0x0007000000023436-119.dat	UPX
behavioral2/memory/5876-122-0x00007FF74A820000-0x00007FF74AB74000-memory.dmp	UPX
behavioral2/files/0x0007000000023439-125.dat	UPX
behavioral2/files/0x000700000002343a-131.dat	UPX
behavioral2/memory/5684-130-0x00007FF6B15C0000-0x00007FF6B1914000-memory.dmp	UPX
behavioral2/memory/1688-133-0x00007FF604CA0000-0x00007FF604FF4000-memory.dmp	UPX
behavioral2/memory/3936-134-0x00007FF75DAA0000-0x00007FF75DDF4000-memory.dmp	UPX
behavioral2/memory/5876-135-0x00007FF74A820000-0x00007FF74AB74000-memory.dmp	UPX
behavioral2/memory/1688-136-0x00007FF604CA0000-0x00007FF604FF4000-memory.dmp	UPX
behavioral2/memory/1548-137-0x00007FF7377A0000-0x00007FF737AF4000-memory.dmp	UPX
behavioral2/memory/1112-138-0x00007FF7BF4A0000-0x00007FF7BF7F4000-memory.dmp	UPX
behavioral2/memory/4208-139-0x00007FF683640000-0x00007FF683994000-memory.dmp	UPX
behavioral2/memory/4484-140-0x00007FF69B060000-0x00007FF69B3B4000-memory.dmp	UPX
behavioral2/memory/2952-141-0x00007FF7A0F10000-0x00007FF7A1264000-memory.dmp	UPX
behavioral2/memory/4636-142-0x00007FF6E0400000-0x00007FF6E0754000-memory.dmp	UPX
behavioral2/memory/5212-143-0x00007FF693580000-0x00007FF6938D4000-memory.dmp	UPX
behavioral2/memory/5572-144-0x00007FF7F17E0000-0x00007FF7F1B34000-memory.dmp	UPX
behavioral2/memory/5852-145-0x00007FF792510000-0x00007FF792864000-memory.dmp	UPX
behavioral2/memory/4468-146-0x00007FF77B8C0000-0x00007FF77BC14000-memory.dmp	UPX
behavioral2/memory/4204-147-0x00007FF7C3420000-0x00007FF7C3774000-memory.dmp	UPX
behavioral2/memory/3936-148-0x00007FF75DAA0000-0x00007FF75DDF4000-memory.dmp	UPX

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/4576-0-0x00007FF6C59D0000-0x00007FF6C5D24000-memory.dmp	xmrig
behavioral2/files/0x0008000000023420-6.dat	xmrig
behavioral2/files/0x0008000000023426-10.dat	xmrig
behavioral2/files/0x0007000000023427-11.dat	xmrig
behavioral2/memory/1112-14-0x00007FF7BF4A0000-0x00007FF7BF7F4000-memory.dmp	xmrig
behavioral2/memory/1548-8-0x00007FF7377A0000-0x00007FF737AF4000-memory.dmp	xmrig
behavioral2/memory/4208-20-0x00007FF683640000-0x00007FF683994000-memory.dmp	xmrig
behavioral2/files/0x0007000000023428-23.dat	xmrig
behavioral2/memory/2952-25-0x00007FF7A0F10000-0x00007FF7A1264000-memory.dmp	xmrig
behavioral2/files/0x0008000000023424-28.dat	xmrig
behavioral2/memory/4484-32-0x00007FF69B060000-0x00007FF69B3B4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023429-35.dat	xmrig
behavioral2/memory/4636-38-0x00007FF6E0400000-0x00007FF6E0754000-memory.dmp	xmrig
behavioral2/files/0x000700000002342a-42.dat	xmrig
behavioral2/memory/5212-44-0x00007FF693580000-0x00007FF6938D4000-memory.dmp	xmrig
behavioral2/files/0x000700000002342b-46.dat	xmrig
behavioral2/files/0x000700000002342c-53.dat	xmrig
behavioral2/memory/5852-56-0x00007FF792510000-0x00007FF792864000-memory.dmp	xmrig
behavioral2/memory/5572-50-0x00007FF7F17E0000-0x00007FF7F1B34000-memory.dmp	xmrig
behavioral2/files/0x000700000002342d-59.dat	xmrig
behavioral2/memory/4576-62-0x00007FF6C59D0000-0x00007FF6C5D24000-memory.dmp	xmrig
behavioral2/files/0x000700000002342e-66.dat	xmrig
behavioral2/memory/4468-65-0x00007FF77B8C0000-0x00007FF77BC14000-memory.dmp	xmrig
behavioral2/files/0x000700000002342f-71.dat	xmrig
behavioral2/memory/1112-75-0x00007FF7BF4A0000-0x00007FF7BF7F4000-memory.dmp	xmrig
behavioral2/memory/3936-81-0x00007FF75DAA0000-0x00007FF75DDF4000-memory.dmp	xmrig
behavioral2/memory/4208-83-0x00007FF683640000-0x00007FF683994000-memory.dmp	xmrig
behavioral2/memory/3476-82-0x00007FF7EEA80000-0x00007FF7EEDD4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023430-77.dat	xmrig
behavioral2/memory/4204-72-0x00007FF7C3420000-0x00007FF7C3774000-memory.dmp	xmrig
behavioral2/files/0x0007000000023431-87.dat	xmrig
behavioral2/memory/2292-94-0x00007FF62F9C0000-0x00007FF62FD14000-memory.dmp	xmrig
behavioral2/files/0x0007000000023432-93.dat	xmrig
behavioral2/memory/3996-97-0x00007FF78A210000-0x00007FF78A564000-memory.dmp	xmrig
behavioral2/files/0x0007000000023433-100.dat	xmrig
behavioral2/memory/6000-103-0x00007FF675960000-0x00007FF675CB4000-memory.dmp	xmrig
behavioral2/memory/4636-102-0x00007FF6E0400000-0x00007FF6E0754000-memory.dmp	xmrig
behavioral2/memory/2952-89-0x00007FF7A0F10000-0x00007FF7A1264000-memory.dmp	xmrig
behavioral2/files/0x0007000000023434-105.dat	xmrig
behavioral2/files/0x0007000000023435-111.dat	xmrig
behavioral2/memory/5196-109-0x00007FF62DA70000-0x00007FF62DDC4000-memory.dmp	xmrig
behavioral2/memory/5836-116-0x00007FF7E0340000-0x00007FF7E0694000-memory.dmp	xmrig
behavioral2/memory/5572-115-0x00007FF7F17E0000-0x00007FF7F1B34000-memory.dmp	xmrig
behavioral2/files/0x0007000000023436-119.dat	xmrig
behavioral2/memory/5876-122-0x00007FF74A820000-0x00007FF74AB74000-memory.dmp	xmrig
behavioral2/files/0x0007000000023439-125.dat	xmrig
behavioral2/files/0x000700000002343a-131.dat	xmrig
behavioral2/memory/5684-130-0x00007FF6B15C0000-0x00007FF6B1914000-memory.dmp	xmrig
behavioral2/memory/1688-133-0x00007FF604CA0000-0x00007FF604FF4000-memory.dmp	xmrig
behavioral2/memory/3936-134-0x00007FF75DAA0000-0x00007FF75DDF4000-memory.dmp	xmrig
behavioral2/memory/5876-135-0x00007FF74A820000-0x00007FF74AB74000-memory.dmp	xmrig
behavioral2/memory/1688-136-0x00007FF604CA0000-0x00007FF604FF4000-memory.dmp	xmrig
behavioral2/memory/1548-137-0x00007FF7377A0000-0x00007FF737AF4000-memory.dmp	xmrig
behavioral2/memory/1112-138-0x00007FF7BF4A0000-0x00007FF7BF7F4000-memory.dmp	xmrig
behavioral2/memory/4208-139-0x00007FF683640000-0x00007FF683994000-memory.dmp	xmrig
behavioral2/memory/4484-140-0x00007FF69B060000-0x00007FF69B3B4000-memory.dmp	xmrig
behavioral2/memory/2952-141-0x00007FF7A0F10000-0x00007FF7A1264000-memory.dmp	xmrig
behavioral2/memory/4636-142-0x00007FF6E0400000-0x00007FF6E0754000-memory.dmp	xmrig
behavioral2/memory/5212-143-0x00007FF693580000-0x00007FF6938D4000-memory.dmp	xmrig
behavioral2/memory/5572-144-0x00007FF7F17E0000-0x00007FF7F1B34000-memory.dmp	xmrig
behavioral2/memory/5852-145-0x00007FF792510000-0x00007FF792864000-memory.dmp	xmrig
behavioral2/memory/4468-146-0x00007FF77B8C0000-0x00007FF77BC14000-memory.dmp	xmrig
behavioral2/memory/4204-147-0x00007FF7C3420000-0x00007FF7C3774000-memory.dmp	xmrig
behavioral2/memory/3936-148-0x00007FF75DAA0000-0x00007FF75DDF4000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
1548	aNRCtYl.exe
1112	FuKCUEY.exe
4208	qTzbEzQ.exe
2952	zcglQGW.exe
4484	Zxagtly.exe
4636	lZlLRNN.exe
5212	UGYGikh.exe
5572	XnNtVIm.exe
5852	YcTTDpJ.exe
4468	eqqklMR.exe
4204	nKTGPoK.exe
3936	ifZQKwo.exe
3476	fQYVtCb.exe
2292	rTYfwHC.exe
3996	NHzLvUR.exe
6000	vVFUsBY.exe
5196	ETNXJZZ.exe
5836	MxNnyBf.exe
5876	euJDZfe.exe
5684	CzOSwkG.exe
1688	ikhurhF.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4576-0-0x00007FF6C59D0000-0x00007FF6C5D24000-memory.dmp	upx
behavioral2/files/0x0008000000023420-6.dat	upx
behavioral2/files/0x0008000000023426-10.dat	upx
behavioral2/files/0x0007000000023427-11.dat	upx
behavioral2/memory/1112-14-0x00007FF7BF4A0000-0x00007FF7BF7F4000-memory.dmp	upx
behavioral2/memory/1548-8-0x00007FF7377A0000-0x00007FF737AF4000-memory.dmp	upx
behavioral2/memory/4208-20-0x00007FF683640000-0x00007FF683994000-memory.dmp	upx
behavioral2/files/0x0007000000023428-23.dat	upx
behavioral2/memory/2952-25-0x00007FF7A0F10000-0x00007FF7A1264000-memory.dmp	upx
behavioral2/files/0x0008000000023424-28.dat	upx
behavioral2/memory/4484-32-0x00007FF69B060000-0x00007FF69B3B4000-memory.dmp	upx
behavioral2/files/0x0007000000023429-35.dat	upx
behavioral2/memory/4636-38-0x00007FF6E0400000-0x00007FF6E0754000-memory.dmp	upx
behavioral2/files/0x000700000002342a-42.dat	upx
behavioral2/memory/5212-44-0x00007FF693580000-0x00007FF6938D4000-memory.dmp	upx
behavioral2/files/0x000700000002342b-46.dat	upx
behavioral2/files/0x000700000002342c-53.dat	upx
behavioral2/memory/5852-56-0x00007FF792510000-0x00007FF792864000-memory.dmp	upx
behavioral2/memory/5572-50-0x00007FF7F17E0000-0x00007FF7F1B34000-memory.dmp	upx
behavioral2/files/0x000700000002342d-59.dat	upx
behavioral2/memory/4576-62-0x00007FF6C59D0000-0x00007FF6C5D24000-memory.dmp	upx
behavioral2/files/0x000700000002342e-66.dat	upx
behavioral2/memory/4468-65-0x00007FF77B8C0000-0x00007FF77BC14000-memory.dmp	upx
behavioral2/files/0x000700000002342f-71.dat	upx
behavioral2/memory/1112-75-0x00007FF7BF4A0000-0x00007FF7BF7F4000-memory.dmp	upx
behavioral2/memory/3936-81-0x00007FF75DAA0000-0x00007FF75DDF4000-memory.dmp	upx
behavioral2/memory/4208-83-0x00007FF683640000-0x00007FF683994000-memory.dmp	upx
behavioral2/memory/3476-82-0x00007FF7EEA80000-0x00007FF7EEDD4000-memory.dmp	upx
behavioral2/files/0x0007000000023430-77.dat	upx
behavioral2/memory/4204-72-0x00007FF7C3420000-0x00007FF7C3774000-memory.dmp	upx
behavioral2/files/0x0007000000023431-87.dat	upx
behavioral2/memory/2292-94-0x00007FF62F9C0000-0x00007FF62FD14000-memory.dmp	upx
behavioral2/files/0x0007000000023432-93.dat	upx
behavioral2/memory/3996-97-0x00007FF78A210000-0x00007FF78A564000-memory.dmp	upx
behavioral2/files/0x0007000000023433-100.dat	upx
behavioral2/memory/6000-103-0x00007FF675960000-0x00007FF675CB4000-memory.dmp	upx
behavioral2/memory/4636-102-0x00007FF6E0400000-0x00007FF6E0754000-memory.dmp	upx
behavioral2/memory/2952-89-0x00007FF7A0F10000-0x00007FF7A1264000-memory.dmp	upx
behavioral2/files/0x0007000000023434-105.dat	upx
behavioral2/files/0x0007000000023435-111.dat	upx
behavioral2/memory/5196-109-0x00007FF62DA70000-0x00007FF62DDC4000-memory.dmp	upx
behavioral2/memory/5836-116-0x00007FF7E0340000-0x00007FF7E0694000-memory.dmp	upx
behavioral2/memory/5572-115-0x00007FF7F17E0000-0x00007FF7F1B34000-memory.dmp	upx
behavioral2/files/0x0007000000023436-119.dat	upx
behavioral2/memory/5876-122-0x00007FF74A820000-0x00007FF74AB74000-memory.dmp	upx
behavioral2/files/0x0007000000023439-125.dat	upx
behavioral2/files/0x000700000002343a-131.dat	upx
behavioral2/memory/5684-130-0x00007FF6B15C0000-0x00007FF6B1914000-memory.dmp	upx
behavioral2/memory/1688-133-0x00007FF604CA0000-0x00007FF604FF4000-memory.dmp	upx
behavioral2/memory/3936-134-0x00007FF75DAA0000-0x00007FF75DDF4000-memory.dmp	upx
behavioral2/memory/5876-135-0x00007FF74A820000-0x00007FF74AB74000-memory.dmp	upx
behavioral2/memory/1688-136-0x00007FF604CA0000-0x00007FF604FF4000-memory.dmp	upx
behavioral2/memory/1548-137-0x00007FF7377A0000-0x00007FF737AF4000-memory.dmp	upx
behavioral2/memory/1112-138-0x00007FF7BF4A0000-0x00007FF7BF7F4000-memory.dmp	upx
behavioral2/memory/4208-139-0x00007FF683640000-0x00007FF683994000-memory.dmp	upx
behavioral2/memory/4484-140-0x00007FF69B060000-0x00007FF69B3B4000-memory.dmp	upx
behavioral2/memory/2952-141-0x00007FF7A0F10000-0x00007FF7A1264000-memory.dmp	upx
behavioral2/memory/4636-142-0x00007FF6E0400000-0x00007FF6E0754000-memory.dmp	upx
behavioral2/memory/5212-143-0x00007FF693580000-0x00007FF6938D4000-memory.dmp	upx
behavioral2/memory/5572-144-0x00007FF7F17E0000-0x00007FF7F1B34000-memory.dmp	upx
behavioral2/memory/5852-145-0x00007FF792510000-0x00007FF792864000-memory.dmp	upx
behavioral2/memory/4468-146-0x00007FF77B8C0000-0x00007FF77BC14000-memory.dmp	upx
behavioral2/memory/4204-147-0x00007FF7C3420000-0x00007FF7C3774000-memory.dmp	upx
behavioral2/memory/3936-148-0x00007FF75DAA0000-0x00007FF75DDF4000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\aNRCtYl.exe	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\lZlLRNN.exe	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\nKTGPoK.exe	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\fQYVtCb.exe	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\rTYfwHC.exe	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\vVFUsBY.exe	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ifZQKwo.exe	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\FuKCUEY.exe	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\qTzbEzQ.exe	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\Zxagtly.exe	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\UGYGikh.exe	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\XnNtVIm.exe	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\eqqklMR.exe	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\NHzLvUR.exe	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\CzOSwkG.exe	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\zcglQGW.exe	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\YcTTDpJ.exe	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ETNXJZZ.exe	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\MxNnyBf.exe	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\euJDZfe.exe	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ikhurhF.exe	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4576	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	4576	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4576 wrote to memory of 1548	4576	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe	82
PID 4576 wrote to memory of 1548	4576	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe	82
PID 4576 wrote to memory of 1112	4576	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe	83
PID 4576 wrote to memory of 1112	4576	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe	83
PID 4576 wrote to memory of 4208	4576	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe	84
PID 4576 wrote to memory of 4208	4576	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe	84
PID 4576 wrote to memory of 2952	4576	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe	85
PID 4576 wrote to memory of 2952	4576	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe	85
PID 4576 wrote to memory of 4484	4576	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe	86
PID 4576 wrote to memory of 4484	4576	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe	86
PID 4576 wrote to memory of 4636	4576	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe	88
PID 4576 wrote to memory of 4636	4576	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe	88
PID 4576 wrote to memory of 5212	4576	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe	90
PID 4576 wrote to memory of 5212	4576	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe	90
PID 4576 wrote to memory of 5572	4576	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe	91
PID 4576 wrote to memory of 5572	4576	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe	91
PID 4576 wrote to memory of 5852	4576	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe	92
PID 4576 wrote to memory of 5852	4576	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe	92
PID 4576 wrote to memory of 4468	4576	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe	93
PID 4576 wrote to memory of 4468	4576	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe	93
PID 4576 wrote to memory of 4204	4576	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe	95
PID 4576 wrote to memory of 4204	4576	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe	95
PID 4576 wrote to memory of 3936	4576	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe	96
PID 4576 wrote to memory of 3936	4576	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe	96
PID 4576 wrote to memory of 3476	4576	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe	97
PID 4576 wrote to memory of 3476	4576	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe	97
PID 4576 wrote to memory of 2292	4576	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe	98
PID 4576 wrote to memory of 2292	4576	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe	98
PID 4576 wrote to memory of 3996	4576	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe	99
PID 4576 wrote to memory of 3996	4576	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe	99
PID 4576 wrote to memory of 6000	4576	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe	100
PID 4576 wrote to memory of 6000	4576	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe	100
PID 4576 wrote to memory of 5196	4576	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe	101
PID 4576 wrote to memory of 5196	4576	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe	101
PID 4576 wrote to memory of 5836	4576	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe	102
PID 4576 wrote to memory of 5836	4576	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe	102
PID 4576 wrote to memory of 5876	4576	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe	103
PID 4576 wrote to memory of 5876	4576	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe	103
PID 4576 wrote to memory of 5684	4576	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe	104
PID 4576 wrote to memory of 5684	4576	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe	104
PID 4576 wrote to memory of 1688	4576	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe	105
PID 4576 wrote to memory of 1688	4576	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe	105

C:\Users\Admin\AppData\Local\Temp\2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4576
- C:\Windows\System\aNRCtYl.exe
  C:\Windows\System\aNRCtYl.exe
  2⤵
  - Executes dropped EXE
  PID:1548
- C:\Windows\System\FuKCUEY.exe
  C:\Windows\System\FuKCUEY.exe
  2⤵
  - Executes dropped EXE
  PID:1112
- C:\Windows\System\qTzbEzQ.exe
  C:\Windows\System\qTzbEzQ.exe
  2⤵
  - Executes dropped EXE
  PID:4208
- C:\Windows\System\zcglQGW.exe
  C:\Windows\System\zcglQGW.exe
  2⤵
  - Executes dropped EXE
  PID:2952
- C:\Windows\System\Zxagtly.exe
  C:\Windows\System\Zxagtly.exe
  2⤵
  - Executes dropped EXE
  PID:4484
- C:\Windows\System\lZlLRNN.exe
  C:\Windows\System\lZlLRNN.exe
  2⤵
  - Executes dropped EXE
  PID:4636
- C:\Windows\System\UGYGikh.exe
  C:\Windows\System\UGYGikh.exe
  2⤵
  - Executes dropped EXE
  PID:5212
- C:\Windows\System\XnNtVIm.exe
  C:\Windows\System\XnNtVIm.exe
  2⤵
  - Executes dropped EXE
  PID:5572
- C:\Windows\System\YcTTDpJ.exe
  C:\Windows\System\YcTTDpJ.exe
  2⤵
  - Executes dropped EXE
  PID:5852
- C:\Windows\System\eqqklMR.exe
  C:\Windows\System\eqqklMR.exe
  2⤵
  - Executes dropped EXE
  PID:4468
- C:\Windows\System\nKTGPoK.exe
  C:\Windows\System\nKTGPoK.exe
  2⤵
  - Executes dropped EXE
  PID:4204
- C:\Windows\System\ifZQKwo.exe
  C:\Windows\System\ifZQKwo.exe
  2⤵
  - Executes dropped EXE
  PID:3936
- C:\Windows\System\fQYVtCb.exe
  C:\Windows\System\fQYVtCb.exe
  2⤵
  - Executes dropped EXE
  PID:3476
- C:\Windows\System\rTYfwHC.exe
  C:\Windows\System\rTYfwHC.exe
  2⤵
  - Executes dropped EXE
  PID:2292
- C:\Windows\System\NHzLvUR.exe
  C:\Windows\System\NHzLvUR.exe
  2⤵
  - Executes dropped EXE
  PID:3996
- C:\Windows\System\vVFUsBY.exe
  C:\Windows\System\vVFUsBY.exe
  2⤵
  - Executes dropped EXE
  PID:6000
- C:\Windows\System\ETNXJZZ.exe
  C:\Windows\System\ETNXJZZ.exe
  2⤵
  - Executes dropped EXE
  PID:5196
- C:\Windows\System\MxNnyBf.exe
  C:\Windows\System\MxNnyBf.exe
  2⤵
  - Executes dropped EXE
  PID:5836
- C:\Windows\System\euJDZfe.exe
  C:\Windows\System\euJDZfe.exe
  2⤵
  - Executes dropped EXE
  PID:5876
- C:\Windows\System\CzOSwkG.exe
  C:\Windows\System\CzOSwkG.exe
  2⤵
  - Executes dropped EXE
  PID:5684
- C:\Windows\System\ikhurhF.exe
  C:\Windows\System\ikhurhF.exe
  2⤵
  - Executes dropped EXE
  PID:1688

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\CzOSwkG.exe

Filesize
5.9MB

MD5
b427678d9806bafde807311586306663

SHA1
988e22afb36370e5a345d711f9e8473df71c24da

SHA256
b33e86d1ca2a91de04b0bf11f248367972303e705f20704103e484da419e043e

SHA512
9bd54c53651e06db9fcee8b7bffca11d31e03ecc32cf21ecba931d162646852d9ebe1ae3431420f441ce60a5450ce88e055cfb86a022f15e238fbc3915027443

Download Submit
C:\Windows\System\ETNXJZZ.exe

Filesize
5.9MB

MD5
50a63bedbff296d344759acb0ff1fd94

SHA1
27f8237ac9aa0ba906b075c7994bd4cbe9887a5c

SHA256
898ff764afb7eb5f9ac37b94b16af10eb0f4cda931cc59d7056d3fdaa321158f

SHA512
b5e42d9e4d2ab57f37eb527b1e5fc3fab8e7d255626e63b9d0b7d74c6f46fd6dda330fd40e9c9cad7eae2c5e546ec907b47b513d1804b6670e9a92e2a49c61b4

Download Submit
C:\Windows\System\FuKCUEY.exe

Filesize
5.9MB

MD5
10d541cf355603b6373b489ee5ed7141

SHA1
e691818ec8ec183e195e5cf13af5fe5a403a07cf

SHA256
b2c90a0ab7dd368785eb2ecf26b9b2749d01e030a7a89c2d1e2a20543f179626

SHA512
bb00d64740a3cb6808669bfe6dd2eae33b516dd700cdfbed348fc9850ea0bc87969fe223422d547d33f525c86751b11021719677a0e3810400a61c9a97a229af

Download Submit
C:\Windows\System\MxNnyBf.exe

Filesize
5.9MB

MD5
8db398d3fcd8229fcd20af76015f96ba

SHA1
09e6026140da0e8054d3768e54290731c42c7432

SHA256
467bcb9ae5d1f64e0509620a216aae40bb7c332d7a51028ff4c8d76119e3a334

SHA512
ce1317dc93b162a46aecfc4d3730496a635c33f24fd5a1e03ba1a8c472ccdba8467d9288e8f47a6a90d8fdee05ac00de4de63a86a380c64d052cfe94b440b4e6

Download Submit
C:\Windows\System\NHzLvUR.exe

Filesize
5.9MB

MD5
62ceaeea0ac0a1b2d3f850ebf0382feb

SHA1
e3c3bf0bc5f5390ab2e3a19eb010fcc345f09354

SHA256
7c281ef8e8147e253824beb2536f9c51a95ea56a99c1a0f3db658b514e6960ae

SHA512
bac9666c1f172ab3686f9e44e72236fdca7977724c86643a31a8312ad6cf3934080831691cf78b3dbe871484f75842f792b885b0473d7ff83d021997a5ca6362

Download Submit
C:\Windows\System\UGYGikh.exe

Filesize
5.9MB

MD5
8f3dfeaef896ee7877ddd2c26a835b93

SHA1
3cc06a02f01b2504fc5e16f4426b0d7329c7cd25

SHA256
3d15500db120e130123d0a1953e02ab3eb2d04a62c11113554304db80c174230

SHA512
fd4edd8a16efe8086ede7a515dd0d689be644c253be094cb9ff6e527aba84b504f5c97c4190dc43d4b52156bf0e2fe4e261b42fd5b838a011e48abcdf2941249

Download Submit
C:\Windows\System\XnNtVIm.exe

Filesize
5.9MB

MD5
630bb9251e537284451c7abd74a14637

SHA1
49917153511ad35e01007c6a5d2493781fb04a0a

SHA256
b48dec00bab8b5d299a4fe933dec07307b9dfa4b68ae84150882a5ca087ea0bb

SHA512
8cc65c7220132faba92d207abe42c6912b6358afa229687e967d40c154a6e57e801ed4895d4599d638be7a2ddf8e4595ee9e4c99045a7ac8fa060c4526acacbf

Download Submit
C:\Windows\System\YcTTDpJ.exe

Filesize
5.9MB

MD5
6098408dc8067c23670bed9c46621038

SHA1
3ed31faf94153112e505b7272d3fb81e77b50694

SHA256
93fcd7196cef412b0ab0a94582e7c7e63041e1cd34ef758b4171e109dec800a4

SHA512
ed1e3b06d2234431c66e02adb7cc39bf1665024bae894c3abd2b8620b86ef67ee4cbb7214d6fef2159af5401e9cfbcc93f31982ea9020645034fc5b394d15c85

Download Submit
C:\Windows\System\Zxagtly.exe

Filesize
5.9MB

MD5
059d0a20893c7678f5cf08a1aff8af2f

SHA1
b9ab5ee99e979dcdeb135c1b2ef2eadbfcdea94f

SHA256
294357f9a98b59d5f119d0ce1a371ea59a688cca5480c8fc5db9123006ff30c8

SHA512
5fef1ab60b605f3e7d89f72a90c901317c0944998cb03b5f562ba59aa85dbfa1ad45aa75534bb300a47125a8d7c7ee0640adcc6ef36d63557075e83598830829

Download Submit
C:\Windows\System\aNRCtYl.exe

Filesize
5.9MB

MD5
9ca3440e7c856dba560c3be77fa9d0e6

SHA1
7d3e96d9eab8fd36851530f68a71e59e24c6bb40

SHA256
7c0bccdb1d92322e7b4b139f7c286ce75609d2cbf12deb5c6e54fad441d49e25

SHA512
8f97829e8eb471f079a26799cbb7f6c1c04649614f9a4e594c8c0aa6b47ba077908ab3bf857918fc7b8badc89872288edf8b950e0bc070164eae8bb81dcc5018

Download Submit
C:\Windows\System\eqqklMR.exe

Filesize
5.9MB

MD5
bebe74e6764ba79332c2c39c7525d370

SHA1
e3ba0162516caa7ae3c864b1c39aba2a7e4e04e5

SHA256
6712061651ff65da71f17ea075f756da9085eeffc7d9e37f18fc0da2dc23b7ad

SHA512
f2b21023f98af3518ec86af30b5ee39974118154bf4fa355cd147c874efd92d2502542b067dca5d3e3e8e7d8775ab5a29132899436367b2b833abf27fc9a1615

Download Submit
C:\Windows\System\euJDZfe.exe

Filesize
5.9MB

MD5
bb04cd127fb5db21699cc5c94b0aeb72

SHA1
ffecb471f4f335c2a0fd8710805845d0c4c559e2

SHA256
c88a039393003ef6a01e64fe2b26b407cd70ca51ae57998e1a62adbf58e4fd5b

SHA512
b8fb4558233a8c85d83b99475679097de4028977baa3e0c542b01f265552440112222aef34bcb6fd96cde22ccaf6f040f633f7834b1e76b73cf2f2c50655fa06

Download Submit
C:\Windows\System\fQYVtCb.exe

Filesize
5.9MB

MD5
d645c4c4c31f975befed9ebd9becd076

SHA1
8235082ea757bfef9602164a30d4aa8495791afe

SHA256
31c8671b2cbd59abb86788a77cc0b4ce1a6af461b7e5296cf34663e81b5e4bd9

SHA512
ba366f45e0a9eb360bbf2faf678ae8a56d2645a7bf327b2fa36ceb6714fe7311e2ca9ef437e2e9d5b5eab3592c96dde4dac4c16175cc58f56af1d9a9a612553c

Download Submit
C:\Windows\System\ifZQKwo.exe

Filesize
5.9MB

MD5
a1f6d63f9af3e660ef3b076b6dc6907a

SHA1
f3e706ac71fd514984b432e623a85702b2653714

SHA256
71498090490e7625db3fd36bb26621229fd60cf6cc7f48b7ba62e820a0163613

SHA512
dc6cbf5f2884dd58db9ad6fa3b741a81401ad83de1c442466a6d98415a1cedf03e25156e7e19deb4eaa8e0517eeb7ea4aed0814c5d205997df1c03942485c675

Download Submit
C:\Windows\System\ikhurhF.exe

Filesize
5.9MB

MD5
957295594419a52da2cc303623d223a8

SHA1
14cfaae7ea811413a8562074f4f4acb314e46a29

SHA256
e4b50e0e53a63043c5f0d6b74d0c2aba5283d3b289009122e966fe736f7d8135

SHA512
581fa7d5ab75221cb0bf223fde65888b226183f85b8f7f23b7088395c86649875d7619b5ac460054c65e33614310cd50a5ef032dac8dc8bd2cb1a860940ce48d

Download Submit
C:\Windows\System\lZlLRNN.exe

Filesize
5.9MB

MD5
fb2ff7a71e0baecb8b9e4bfee5c7c961

SHA1
6e6246ebc7423edc18d3d2713c2599490bd24406

SHA256
1538cfeb5195dab9dc9fbebb84c6dfdc60cafcdef16bd9eec2de880c88e7282f

SHA512
b5177b293549f525a67296decfc9a8c53b4a9a22c9aa96c24a534b044ce69d0ec9306dbd95bebf914bacdeea8d467b848b6b9370282d28e29e2a74d0876b91ef

Download Submit
C:\Windows\System\nKTGPoK.exe

Filesize
5.9MB

MD5
db42fbacd8bee3431dd769ce1c9f5ca0

SHA1
8d37b50eb0041652d62d2e3ad423688cd3e41656

SHA256
2054ec5c7f91977efa09105c1fb79c6954d8e2592fa2a4768d33741ad1fd6573

SHA512
88b5397aea39f969eeab4bb32f2eb614dc5568cf7b924caa9aab6e0ed1cebe6e9c9b06ae36e188295111c9de3f94f86393c46fc13ba601c53e7165c8648097ad

Download Submit
C:\Windows\System\qTzbEzQ.exe

Filesize
5.9MB

MD5
7918b26d3ee4813658c457697c41dca7

SHA1
06cb8f4a309937e4432bb2ff495faa8fb1befda4

SHA256
21f45fde25ceb8ee9cf176f62b33a8439de43a1b60bc79afc3662cdf62a5e5f1

SHA512
6622b72e4a8c8ee2e37b09b40efe7343c8da9a51d92af234df58c1e21de1b791b4f8855c168460ad74e17211f5515b4af9ffdb1e802e42adbce47e6fbbc750f5

Download Submit
C:\Windows\System\rTYfwHC.exe

Filesize
5.9MB

MD5
46417165b48e6b2e7bb6e0238e5810f3

SHA1
bba92791a4de79122b3194d0e37efc35b190173a

SHA256
291923915ac2b3a36347c66d26e02623d2ed4e92dabec302b1f6339cdf25c3f0

SHA512
c2d5a80c0ffa6f3bca4a2941edd70fc88e9fd8770287bfabe0a9a85ece424cde2d871f5c8bd3047a4c8cefd4d9c6259eed0b562f86341f3d24d3f8670e06ccc4

Download Submit
C:\Windows\System\vVFUsBY.exe

Filesize
5.9MB

MD5
06c5ab9a113028ba5d5d598b89272faf

SHA1
70c52f0c1c9d1daddfec749f000e03ac5e06858e

SHA256
dac4487481ef82e5392fcbfe8e676a0afe1b26d1f4c044ab9009581520be2349

SHA512
72af61ecdfb7eaeae1b52d28af538b7476bc708f889e0ce033eec5e2596e7e28e25f1e1c1383af8b9747915cbd39909dcd398ea475bda0b4fac4aa205fc7a0f3

Download Submit
C:\Windows\System\zcglQGW.exe

Filesize
5.9MB

MD5
ba3d534bbbe415e3dcabfe7eb7a9349d

SHA1
91d604692c4d540265e56a4d6b514f81b577f10a

SHA256
29bbc7c701680f6b85628c29953ed0d83d305629b849813fce73cca5381f9ab9

SHA512
935ec442dab68d41d0ee602804b7a9b1aebdc3ce4b87df370e938ca0bd7590c0a3d4a95444ebbf92ed6fb8af5deeab914df3f84ac5137595c3ddf2c0b8d9d9c4

Download Submit
memory/1112-75-0x00007FF7BF4A0000-0x00007FF7BF7F4000-memory.dmp

Filesize
3.3MB

Download
memory/1112-138-0x00007FF7BF4A0000-0x00007FF7BF7F4000-memory.dmp

Filesize
3.3MB

Download
memory/1112-14-0x00007FF7BF4A0000-0x00007FF7BF7F4000-memory.dmp

Filesize
3.3MB

Download
memory/1548-137-0x00007FF7377A0000-0x00007FF737AF4000-memory.dmp

Filesize
3.3MB

Download
memory/1548-8-0x00007FF7377A0000-0x00007FF737AF4000-memory.dmp

Filesize
3.3MB

Download
memory/1688-133-0x00007FF604CA0000-0x00007FF604FF4000-memory.dmp

Filesize
3.3MB

Download
memory/1688-136-0x00007FF604CA0000-0x00007FF604FF4000-memory.dmp

Filesize
3.3MB

Download
memory/1688-157-0x00007FF604CA0000-0x00007FF604FF4000-memory.dmp

Filesize
3.3MB

Download
memory/2292-150-0x00007FF62F9C0000-0x00007FF62FD14000-memory.dmp

Filesize
3.3MB

Download
memory/2292-94-0x00007FF62F9C0000-0x00007FF62FD14000-memory.dmp

Filesize
3.3MB

Download
memory/2952-141-0x00007FF7A0F10000-0x00007FF7A1264000-memory.dmp

Filesize
3.3MB

Download
memory/2952-89-0x00007FF7A0F10000-0x00007FF7A1264000-memory.dmp

Filesize
3.3MB

Download
memory/2952-25-0x00007FF7A0F10000-0x00007FF7A1264000-memory.dmp

Filesize
3.3MB

Download
memory/3476-149-0x00007FF7EEA80000-0x00007FF7EEDD4000-memory.dmp

Filesize
3.3MB

Download
memory/3476-82-0x00007FF7EEA80000-0x00007FF7EEDD4000-memory.dmp

Filesize
3.3MB

Download
memory/3936-81-0x00007FF75DAA0000-0x00007FF75DDF4000-memory.dmp

Filesize
3.3MB

Download
memory/3936-148-0x00007FF75DAA0000-0x00007FF75DDF4000-memory.dmp

Filesize
3.3MB

Download
memory/3936-134-0x00007FF75DAA0000-0x00007FF75DDF4000-memory.dmp

Filesize
3.3MB

Download
memory/3996-151-0x00007FF78A210000-0x00007FF78A564000-memory.dmp

Filesize
3.3MB

Download
memory/3996-97-0x00007FF78A210000-0x00007FF78A564000-memory.dmp

Filesize
3.3MB

Download
memory/4204-72-0x00007FF7C3420000-0x00007FF7C3774000-memory.dmp

Filesize
3.3MB

Download
memory/4204-147-0x00007FF7C3420000-0x00007FF7C3774000-memory.dmp

Filesize
3.3MB

Download
memory/4208-83-0x00007FF683640000-0x00007FF683994000-memory.dmp

Filesize
3.3MB

Download
memory/4208-20-0x00007FF683640000-0x00007FF683994000-memory.dmp

Filesize
3.3MB

Download
memory/4208-139-0x00007FF683640000-0x00007FF683994000-memory.dmp

Filesize
3.3MB

Download
memory/4468-146-0x00007FF77B8C0000-0x00007FF77BC14000-memory.dmp

Filesize
3.3MB

Download
memory/4468-65-0x00007FF77B8C0000-0x00007FF77BC14000-memory.dmp

Filesize
3.3MB

Download
memory/4484-140-0x00007FF69B060000-0x00007FF69B3B4000-memory.dmp

Filesize
3.3MB

Download
memory/4484-32-0x00007FF69B060000-0x00007FF69B3B4000-memory.dmp

Filesize
3.3MB

Download
memory/4576-0-0x00007FF6C59D0000-0x00007FF6C5D24000-memory.dmp

Filesize
3.3MB

Download
memory/4576-62-0x00007FF6C59D0000-0x00007FF6C5D24000-memory.dmp

Filesize
3.3MB

Download
memory/4576-1-0x000002137B0C0000-0x000002137B0D0000-memory.dmp

Filesize
64KB

Download
memory/4636-102-0x00007FF6E0400000-0x00007FF6E0754000-memory.dmp

Filesize
3.3MB

Download
memory/4636-142-0x00007FF6E0400000-0x00007FF6E0754000-memory.dmp

Filesize
3.3MB

Download
memory/4636-38-0x00007FF6E0400000-0x00007FF6E0754000-memory.dmp

Filesize
3.3MB

Download
memory/5196-153-0x00007FF62DA70000-0x00007FF62DDC4000-memory.dmp

Filesize
3.3MB

Download
memory/5196-109-0x00007FF62DA70000-0x00007FF62DDC4000-memory.dmp

Filesize
3.3MB

Download
memory/5212-143-0x00007FF693580000-0x00007FF6938D4000-memory.dmp

Filesize
3.3MB

Download
memory/5212-44-0x00007FF693580000-0x00007FF6938D4000-memory.dmp

Filesize
3.3MB

Download
memory/5572-50-0x00007FF7F17E0000-0x00007FF7F1B34000-memory.dmp

Filesize
3.3MB

Download
memory/5572-144-0x00007FF7F17E0000-0x00007FF7F1B34000-memory.dmp

Filesize
3.3MB

Download
memory/5572-115-0x00007FF7F17E0000-0x00007FF7F1B34000-memory.dmp

Filesize
3.3MB

Download
memory/5684-130-0x00007FF6B15C0000-0x00007FF6B1914000-memory.dmp

Filesize
3.3MB

Download
memory/5684-156-0x00007FF6B15C0000-0x00007FF6B1914000-memory.dmp

Filesize
3.3MB

Download
memory/5836-116-0x00007FF7E0340000-0x00007FF7E0694000-memory.dmp

Filesize
3.3MB

Download
memory/5836-154-0x00007FF7E0340000-0x00007FF7E0694000-memory.dmp

Filesize
3.3MB

Download
memory/5852-56-0x00007FF792510000-0x00007FF792864000-memory.dmp

Filesize
3.3MB

Download
memory/5852-145-0x00007FF792510000-0x00007FF792864000-memory.dmp

Filesize
3.3MB

Download
memory/5876-122-0x00007FF74A820000-0x00007FF74AB74000-memory.dmp

Filesize
3.3MB

Download
memory/5876-155-0x00007FF74A820000-0x00007FF74AB74000-memory.dmp

Filesize
3.3MB

Download
memory/5876-135-0x00007FF74A820000-0x00007FF74AB74000-memory.dmp

Filesize
3.3MB

Download
memory/6000-103-0x00007FF675960000-0x00007FF675CB4000-memory.dmp

Filesize
3.3MB

Download
memory/6000-152-0x00007FF675960000-0x00007FF675CB4000-memory.dmp

Filesize
3.3MB

Download