cobaltstrike | ee296b4d4c9b1033637572ee9c8a544e6e9bfeca2ef255ac180987c3efd2417e

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
15/06/2024, 00:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe
Size

5.9MB
MD5

b16cc90b62e45626102f436e52ddd03c
SHA1

2965ede39a97f11a54260f533adccccd53b59f34
SHA256

ee296b4d4c9b1033637572ee9c8a544e6e9bfeca2ef255ac180987c3efd2417e
SHA512

64496a85ea8a4996684246df715ed3bc77604c2bac4878f066ff827b7aaf32645a91226e80f0aa091e7a9557b8d0e3040bd5e4b3aff12963a8a9f97ac70a1e32
SSDEEP

98304:oemTLkNdfE0pZrt56utgpPFotBER/mQ32lUU:T+856utgpPF8u/7U

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000900000002336e-4.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023515-10.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023514-11.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000023512-24.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023516-30.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023517-36.dat	cobalt_reflective_dll
behavioral2/files/0x000c00000002344f-42.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023518-53.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000023454-47.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023519-58.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002351a-65.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002351e-76.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002351b-80.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002351f-85.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023520-92.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000023522-97.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023524-106.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023525-110.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023529-119.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002352a-122.dat	cobalt_reflective_dll
behavioral2/files/0x001000000002344d-128.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

resource	yara_rule
behavioral2/files/0x000900000002336e-4.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023515-10.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0008000000023514-11.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0009000000023512-24.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023516-30.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023517-36.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000c00000002344f-42.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023518-53.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0009000000023454-47.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023519-58.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002351a-65.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002351e-76.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002351b-80.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002351f-85.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0008000000023520-92.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0009000000023522-97.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0008000000023524-106.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023525-110.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023529-119.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002352a-122.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x001000000002344d-128.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

resource	yara_rule
behavioral2/memory/1540-0-0x00007FF77E0C0000-0x00007FF77E414000-memory.dmp	UPX
behavioral2/files/0x000900000002336e-4.dat	UPX
behavioral2/memory/1840-9-0x00007FF7F6E00000-0x00007FF7F7154000-memory.dmp	UPX
behavioral2/files/0x0007000000023515-10.dat	UPX
behavioral2/files/0x0008000000023514-11.dat	UPX
behavioral2/memory/4524-14-0x00007FF7B5B90000-0x00007FF7B5EE4000-memory.dmp	UPX
behavioral2/memory/4516-23-0x00007FF604D50000-0x00007FF6050A4000-memory.dmp	UPX
behavioral2/files/0x0009000000023512-24.dat	UPX
behavioral2/memory/4796-26-0x00007FF695830000-0x00007FF695B84000-memory.dmp	UPX
behavioral2/files/0x0007000000023516-30.dat	UPX
behavioral2/memory/856-31-0x00007FF62B6D0000-0x00007FF62BA24000-memory.dmp	UPX
behavioral2/files/0x0007000000023517-36.dat	UPX
behavioral2/files/0x000c00000002344f-42.dat	UPX
behavioral2/memory/4172-49-0x00007FF61D550000-0x00007FF61D8A4000-memory.dmp	UPX
behavioral2/files/0x0007000000023518-53.dat	UPX
behavioral2/memory/2032-50-0x00007FF694DA0000-0x00007FF6950F4000-memory.dmp	UPX
behavioral2/files/0x0009000000023454-47.dat	UPX
behavioral2/memory/780-39-0x00007FF7752E0000-0x00007FF775634000-memory.dmp	UPX
behavioral2/memory/3096-55-0x00007FF7D4520000-0x00007FF7D4874000-memory.dmp	UPX
behavioral2/files/0x0007000000023519-58.dat	UPX
behavioral2/files/0x000700000002351a-65.dat	UPX
behavioral2/memory/1540-62-0x00007FF77E0C0000-0x00007FF77E414000-memory.dmp	UPX
behavioral2/memory/4736-68-0x00007FF62E0F0000-0x00007FF62E444000-memory.dmp	UPX
behavioral2/files/0x000700000002351e-76.dat	UPX
behavioral2/memory/4516-74-0x00007FF604D50000-0x00007FF6050A4000-memory.dmp	UPX
behavioral2/memory/1032-77-0x00007FF67CE90000-0x00007FF67D1E4000-memory.dmp	UPX
behavioral2/files/0x000700000002351b-80.dat	UPX
behavioral2/memory/3740-79-0x00007FF6BD5D0000-0x00007FF6BD924000-memory.dmp	UPX
behavioral2/memory/4524-73-0x00007FF7B5B90000-0x00007FF7B5EE4000-memory.dmp	UPX
behavioral2/memory/2180-72-0x00007FF738CB0000-0x00007FF739004000-memory.dmp	UPX
behavioral2/files/0x000700000002351f-85.dat	UPX
behavioral2/memory/844-89-0x00007FF6D3BA0000-0x00007FF6D3EF4000-memory.dmp	UPX
behavioral2/files/0x0008000000023520-92.dat	UPX
behavioral2/memory/856-93-0x00007FF62B6D0000-0x00007FF62BA24000-memory.dmp	UPX
behavioral2/memory/5008-102-0x00007FF600B90000-0x00007FF600EE4000-memory.dmp	UPX
behavioral2/files/0x0009000000023522-97.dat	UPX
behavioral2/memory/5084-96-0x00007FF626830000-0x00007FF626B84000-memory.dmp	UPX
behavioral2/files/0x0008000000023524-106.dat	UPX
behavioral2/files/0x0007000000023525-110.dat	UPX
behavioral2/memory/2944-113-0x00007FF6C1F40000-0x00007FF6C2294000-memory.dmp	UPX
behavioral2/memory/4620-117-0x00007FF670450000-0x00007FF6707A4000-memory.dmp	UPX
behavioral2/files/0x0007000000023529-119.dat	UPX
behavioral2/memory/3892-118-0x00007FF73D750000-0x00007FF73DAA4000-memory.dmp	UPX
behavioral2/files/0x000700000002352a-122.dat	UPX
behavioral2/files/0x001000000002344d-128.dat	UPX
behavioral2/memory/2956-124-0x00007FF6B3A80000-0x00007FF6B3DD4000-memory.dmp	UPX
behavioral2/memory/3952-131-0x00007FF74F3D0000-0x00007FF74F724000-memory.dmp	UPX
behavioral2/memory/1032-132-0x00007FF67CE90000-0x00007FF67D1E4000-memory.dmp	UPX
behavioral2/memory/3740-133-0x00007FF6BD5D0000-0x00007FF6BD924000-memory.dmp	UPX
behavioral2/memory/5084-134-0x00007FF626830000-0x00007FF626B84000-memory.dmp	UPX
behavioral2/memory/4620-135-0x00007FF670450000-0x00007FF6707A4000-memory.dmp	UPX
behavioral2/memory/3892-136-0x00007FF73D750000-0x00007FF73DAA4000-memory.dmp	UPX
behavioral2/memory/2956-137-0x00007FF6B3A80000-0x00007FF6B3DD4000-memory.dmp	UPX
behavioral2/memory/1840-138-0x00007FF7F6E00000-0x00007FF7F7154000-memory.dmp	UPX
behavioral2/memory/4524-139-0x00007FF7B5B90000-0x00007FF7B5EE4000-memory.dmp	UPX
behavioral2/memory/4516-140-0x00007FF604D50000-0x00007FF6050A4000-memory.dmp	UPX
behavioral2/memory/4796-141-0x00007FF695830000-0x00007FF695B84000-memory.dmp	UPX
behavioral2/memory/856-142-0x00007FF62B6D0000-0x00007FF62BA24000-memory.dmp	UPX
behavioral2/memory/780-143-0x00007FF7752E0000-0x00007FF775634000-memory.dmp	UPX
behavioral2/memory/4172-144-0x00007FF61D550000-0x00007FF61D8A4000-memory.dmp	UPX
behavioral2/memory/2032-145-0x00007FF694DA0000-0x00007FF6950F4000-memory.dmp	UPX
behavioral2/memory/3096-146-0x00007FF7D4520000-0x00007FF7D4874000-memory.dmp	UPX
behavioral2/memory/4736-147-0x00007FF62E0F0000-0x00007FF62E444000-memory.dmp	UPX
behavioral2/memory/2180-148-0x00007FF738CB0000-0x00007FF739004000-memory.dmp	UPX

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/1540-0-0x00007FF77E0C0000-0x00007FF77E414000-memory.dmp	xmrig
behavioral2/files/0x000900000002336e-4.dat	xmrig
behavioral2/memory/1840-9-0x00007FF7F6E00000-0x00007FF7F7154000-memory.dmp	xmrig
behavioral2/files/0x0007000000023515-10.dat	xmrig
behavioral2/files/0x0008000000023514-11.dat	xmrig
behavioral2/memory/4524-14-0x00007FF7B5B90000-0x00007FF7B5EE4000-memory.dmp	xmrig
behavioral2/memory/4516-23-0x00007FF604D50000-0x00007FF6050A4000-memory.dmp	xmrig
behavioral2/files/0x0009000000023512-24.dat	xmrig
behavioral2/memory/4796-26-0x00007FF695830000-0x00007FF695B84000-memory.dmp	xmrig
behavioral2/files/0x0007000000023516-30.dat	xmrig
behavioral2/memory/856-31-0x00007FF62B6D0000-0x00007FF62BA24000-memory.dmp	xmrig
behavioral2/files/0x0007000000023517-36.dat	xmrig
behavioral2/files/0x000c00000002344f-42.dat	xmrig
behavioral2/memory/4172-49-0x00007FF61D550000-0x00007FF61D8A4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023518-53.dat	xmrig
behavioral2/memory/2032-50-0x00007FF694DA0000-0x00007FF6950F4000-memory.dmp	xmrig
behavioral2/files/0x0009000000023454-47.dat	xmrig
behavioral2/memory/780-39-0x00007FF7752E0000-0x00007FF775634000-memory.dmp	xmrig
behavioral2/memory/3096-55-0x00007FF7D4520000-0x00007FF7D4874000-memory.dmp	xmrig
behavioral2/files/0x0007000000023519-58.dat	xmrig
behavioral2/files/0x000700000002351a-65.dat	xmrig
behavioral2/memory/1540-62-0x00007FF77E0C0000-0x00007FF77E414000-memory.dmp	xmrig
behavioral2/memory/4736-68-0x00007FF62E0F0000-0x00007FF62E444000-memory.dmp	xmrig
behavioral2/files/0x000700000002351e-76.dat	xmrig
behavioral2/memory/4516-74-0x00007FF604D50000-0x00007FF6050A4000-memory.dmp	xmrig
behavioral2/memory/1032-77-0x00007FF67CE90000-0x00007FF67D1E4000-memory.dmp	xmrig
behavioral2/files/0x000700000002351b-80.dat	xmrig
behavioral2/memory/3740-79-0x00007FF6BD5D0000-0x00007FF6BD924000-memory.dmp	xmrig
behavioral2/memory/4524-73-0x00007FF7B5B90000-0x00007FF7B5EE4000-memory.dmp	xmrig
behavioral2/memory/2180-72-0x00007FF738CB0000-0x00007FF739004000-memory.dmp	xmrig
behavioral2/files/0x000700000002351f-85.dat	xmrig
behavioral2/memory/844-89-0x00007FF6D3BA0000-0x00007FF6D3EF4000-memory.dmp	xmrig
behavioral2/files/0x0008000000023520-92.dat	xmrig
behavioral2/memory/856-93-0x00007FF62B6D0000-0x00007FF62BA24000-memory.dmp	xmrig
behavioral2/memory/5008-102-0x00007FF600B90000-0x00007FF600EE4000-memory.dmp	xmrig
behavioral2/files/0x0009000000023522-97.dat	xmrig
behavioral2/memory/5084-96-0x00007FF626830000-0x00007FF626B84000-memory.dmp	xmrig
behavioral2/files/0x0008000000023524-106.dat	xmrig
behavioral2/files/0x0007000000023525-110.dat	xmrig
behavioral2/memory/2944-113-0x00007FF6C1F40000-0x00007FF6C2294000-memory.dmp	xmrig
behavioral2/memory/4620-117-0x00007FF670450000-0x00007FF6707A4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023529-119.dat	xmrig
behavioral2/memory/3892-118-0x00007FF73D750000-0x00007FF73DAA4000-memory.dmp	xmrig
behavioral2/files/0x000700000002352a-122.dat	xmrig
behavioral2/files/0x001000000002344d-128.dat	xmrig
behavioral2/memory/2956-124-0x00007FF6B3A80000-0x00007FF6B3DD4000-memory.dmp	xmrig
behavioral2/memory/3952-131-0x00007FF74F3D0000-0x00007FF74F724000-memory.dmp	xmrig
behavioral2/memory/1032-132-0x00007FF67CE90000-0x00007FF67D1E4000-memory.dmp	xmrig
behavioral2/memory/3740-133-0x00007FF6BD5D0000-0x00007FF6BD924000-memory.dmp	xmrig
behavioral2/memory/5084-134-0x00007FF626830000-0x00007FF626B84000-memory.dmp	xmrig
behavioral2/memory/4620-135-0x00007FF670450000-0x00007FF6707A4000-memory.dmp	xmrig
behavioral2/memory/3892-136-0x00007FF73D750000-0x00007FF73DAA4000-memory.dmp	xmrig
behavioral2/memory/2956-137-0x00007FF6B3A80000-0x00007FF6B3DD4000-memory.dmp	xmrig
behavioral2/memory/1840-138-0x00007FF7F6E00000-0x00007FF7F7154000-memory.dmp	xmrig
behavioral2/memory/4524-139-0x00007FF7B5B90000-0x00007FF7B5EE4000-memory.dmp	xmrig
behavioral2/memory/4516-140-0x00007FF604D50000-0x00007FF6050A4000-memory.dmp	xmrig
behavioral2/memory/4796-141-0x00007FF695830000-0x00007FF695B84000-memory.dmp	xmrig
behavioral2/memory/856-142-0x00007FF62B6D0000-0x00007FF62BA24000-memory.dmp	xmrig
behavioral2/memory/780-143-0x00007FF7752E0000-0x00007FF775634000-memory.dmp	xmrig
behavioral2/memory/4172-144-0x00007FF61D550000-0x00007FF61D8A4000-memory.dmp	xmrig
behavioral2/memory/2032-145-0x00007FF694DA0000-0x00007FF6950F4000-memory.dmp	xmrig
behavioral2/memory/3096-146-0x00007FF7D4520000-0x00007FF7D4874000-memory.dmp	xmrig
behavioral2/memory/4736-147-0x00007FF62E0F0000-0x00007FF62E444000-memory.dmp	xmrig
behavioral2/memory/2180-148-0x00007FF738CB0000-0x00007FF739004000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
1840	kGiWWEJ.exe
4524	SevFTTD.exe
4516	SCHOBZG.exe
4796	deGmubT.exe
856	fqmWfii.exe
780	KBvCpQq.exe
4172	JeByuYq.exe
2032	awvGaBZ.exe
3096	CBfzTyZ.exe
4736	cTWVYYa.exe
2180	NsKRsRb.exe
1032	WwweLPa.exe
3740	yCsLybH.exe
844	aXNmeQy.exe
5084	uPczDWI.exe
5008	MoIorpN.exe
2944	advNTru.exe
4620	CrjTbOW.exe
3892	wDbMHAf.exe
2956	zIQDfJF.exe
3952	fjFqzLd.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1540-0-0x00007FF77E0C0000-0x00007FF77E414000-memory.dmp	upx
behavioral2/files/0x000900000002336e-4.dat	upx
behavioral2/memory/1840-9-0x00007FF7F6E00000-0x00007FF7F7154000-memory.dmp	upx
behavioral2/files/0x0007000000023515-10.dat	upx
behavioral2/files/0x0008000000023514-11.dat	upx
behavioral2/memory/4524-14-0x00007FF7B5B90000-0x00007FF7B5EE4000-memory.dmp	upx
behavioral2/memory/4516-23-0x00007FF604D50000-0x00007FF6050A4000-memory.dmp	upx
behavioral2/files/0x0009000000023512-24.dat	upx
behavioral2/memory/4796-26-0x00007FF695830000-0x00007FF695B84000-memory.dmp	upx
behavioral2/files/0x0007000000023516-30.dat	upx
behavioral2/memory/856-31-0x00007FF62B6D0000-0x00007FF62BA24000-memory.dmp	upx
behavioral2/files/0x0007000000023517-36.dat	upx
behavioral2/files/0x000c00000002344f-42.dat	upx
behavioral2/memory/4172-49-0x00007FF61D550000-0x00007FF61D8A4000-memory.dmp	upx
behavioral2/files/0x0007000000023518-53.dat	upx
behavioral2/memory/2032-50-0x00007FF694DA0000-0x00007FF6950F4000-memory.dmp	upx
behavioral2/files/0x0009000000023454-47.dat	upx
behavioral2/memory/780-39-0x00007FF7752E0000-0x00007FF775634000-memory.dmp	upx
behavioral2/memory/3096-55-0x00007FF7D4520000-0x00007FF7D4874000-memory.dmp	upx
behavioral2/files/0x0007000000023519-58.dat	upx
behavioral2/files/0x000700000002351a-65.dat	upx
behavioral2/memory/1540-62-0x00007FF77E0C0000-0x00007FF77E414000-memory.dmp	upx
behavioral2/memory/4736-68-0x00007FF62E0F0000-0x00007FF62E444000-memory.dmp	upx
behavioral2/files/0x000700000002351e-76.dat	upx
behavioral2/memory/4516-74-0x00007FF604D50000-0x00007FF6050A4000-memory.dmp	upx
behavioral2/memory/1032-77-0x00007FF67CE90000-0x00007FF67D1E4000-memory.dmp	upx
behavioral2/files/0x000700000002351b-80.dat	upx
behavioral2/memory/3740-79-0x00007FF6BD5D0000-0x00007FF6BD924000-memory.dmp	upx
behavioral2/memory/4524-73-0x00007FF7B5B90000-0x00007FF7B5EE4000-memory.dmp	upx
behavioral2/memory/2180-72-0x00007FF738CB0000-0x00007FF739004000-memory.dmp	upx
behavioral2/files/0x000700000002351f-85.dat	upx
behavioral2/memory/844-89-0x00007FF6D3BA0000-0x00007FF6D3EF4000-memory.dmp	upx
behavioral2/files/0x0008000000023520-92.dat	upx
behavioral2/memory/856-93-0x00007FF62B6D0000-0x00007FF62BA24000-memory.dmp	upx
behavioral2/memory/5008-102-0x00007FF600B90000-0x00007FF600EE4000-memory.dmp	upx
behavioral2/files/0x0009000000023522-97.dat	upx
behavioral2/memory/5084-96-0x00007FF626830000-0x00007FF626B84000-memory.dmp	upx
behavioral2/files/0x0008000000023524-106.dat	upx
behavioral2/files/0x0007000000023525-110.dat	upx
behavioral2/memory/2944-113-0x00007FF6C1F40000-0x00007FF6C2294000-memory.dmp	upx
behavioral2/memory/4620-117-0x00007FF670450000-0x00007FF6707A4000-memory.dmp	upx
behavioral2/files/0x0007000000023529-119.dat	upx
behavioral2/memory/3892-118-0x00007FF73D750000-0x00007FF73DAA4000-memory.dmp	upx
behavioral2/files/0x000700000002352a-122.dat	upx
behavioral2/files/0x001000000002344d-128.dat	upx
behavioral2/memory/2956-124-0x00007FF6B3A80000-0x00007FF6B3DD4000-memory.dmp	upx
behavioral2/memory/3952-131-0x00007FF74F3D0000-0x00007FF74F724000-memory.dmp	upx
behavioral2/memory/1032-132-0x00007FF67CE90000-0x00007FF67D1E4000-memory.dmp	upx
behavioral2/memory/3740-133-0x00007FF6BD5D0000-0x00007FF6BD924000-memory.dmp	upx
behavioral2/memory/5084-134-0x00007FF626830000-0x00007FF626B84000-memory.dmp	upx
behavioral2/memory/4620-135-0x00007FF670450000-0x00007FF6707A4000-memory.dmp	upx
behavioral2/memory/3892-136-0x00007FF73D750000-0x00007FF73DAA4000-memory.dmp	upx
behavioral2/memory/2956-137-0x00007FF6B3A80000-0x00007FF6B3DD4000-memory.dmp	upx
behavioral2/memory/1840-138-0x00007FF7F6E00000-0x00007FF7F7154000-memory.dmp	upx
behavioral2/memory/4524-139-0x00007FF7B5B90000-0x00007FF7B5EE4000-memory.dmp	upx
behavioral2/memory/4516-140-0x00007FF604D50000-0x00007FF6050A4000-memory.dmp	upx
behavioral2/memory/4796-141-0x00007FF695830000-0x00007FF695B84000-memory.dmp	upx
behavioral2/memory/856-142-0x00007FF62B6D0000-0x00007FF62BA24000-memory.dmp	upx
behavioral2/memory/780-143-0x00007FF7752E0000-0x00007FF775634000-memory.dmp	upx
behavioral2/memory/4172-144-0x00007FF61D550000-0x00007FF61D8A4000-memory.dmp	upx
behavioral2/memory/2032-145-0x00007FF694DA0000-0x00007FF6950F4000-memory.dmp	upx
behavioral2/memory/3096-146-0x00007FF7D4520000-0x00007FF7D4874000-memory.dmp	upx
behavioral2/memory/4736-147-0x00007FF62E0F0000-0x00007FF62E444000-memory.dmp	upx
behavioral2/memory/2180-148-0x00007FF738CB0000-0x00007FF739004000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\uPczDWI.exe	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\MoIorpN.exe	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\CrjTbOW.exe	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\kGiWWEJ.exe	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\JeByuYq.exe	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\aXNmeQy.exe	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\KBvCpQq.exe	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\awvGaBZ.exe	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\zIQDfJF.exe	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\fjFqzLd.exe	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\CBfzTyZ.exe	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\NsKRsRb.exe	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\advNTru.exe	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\fqmWfii.exe	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\cTWVYYa.exe	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\WwweLPa.exe	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\yCsLybH.exe	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\wDbMHAf.exe	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\SevFTTD.exe	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\SCHOBZG.exe	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\deGmubT.exe	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1540	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	1540	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 1540 wrote to memory of 1840	1540	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe	83
PID 1540 wrote to memory of 1840	1540	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe	83
PID 1540 wrote to memory of 4524	1540	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe	84
PID 1540 wrote to memory of 4524	1540	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe	84
PID 1540 wrote to memory of 4516	1540	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe	85
PID 1540 wrote to memory of 4516	1540	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe	85
PID 1540 wrote to memory of 4796	1540	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe	86
PID 1540 wrote to memory of 4796	1540	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe	86
PID 1540 wrote to memory of 856	1540	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe	87
PID 1540 wrote to memory of 856	1540	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe	87
PID 1540 wrote to memory of 780	1540	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe	91
PID 1540 wrote to memory of 780	1540	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe	91
PID 1540 wrote to memory of 4172	1540	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe	92
PID 1540 wrote to memory of 4172	1540	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe	92
PID 1540 wrote to memory of 2032	1540	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe	93
PID 1540 wrote to memory of 2032	1540	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe	93
PID 1540 wrote to memory of 3096	1540	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe	94
PID 1540 wrote to memory of 3096	1540	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe	94
PID 1540 wrote to memory of 4736	1540	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe	95
PID 1540 wrote to memory of 4736	1540	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe	95
PID 1540 wrote to memory of 2180	1540	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe	96
PID 1540 wrote to memory of 2180	1540	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe	96
PID 1540 wrote to memory of 1032	1540	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe	97
PID 1540 wrote to memory of 1032	1540	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe	97
PID 1540 wrote to memory of 3740	1540	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe	98
PID 1540 wrote to memory of 3740	1540	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe	98
PID 1540 wrote to memory of 844	1540	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe	99
PID 1540 wrote to memory of 844	1540	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe	99
PID 1540 wrote to memory of 5084	1540	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe	100
PID 1540 wrote to memory of 5084	1540	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe	100
PID 1540 wrote to memory of 5008	1540	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe	101
PID 1540 wrote to memory of 5008	1540	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe	101
PID 1540 wrote to memory of 2944	1540	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe	102
PID 1540 wrote to memory of 2944	1540	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe	102
PID 1540 wrote to memory of 4620	1540	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe	103
PID 1540 wrote to memory of 4620	1540	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe	103
PID 1540 wrote to memory of 3892	1540	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe	104
PID 1540 wrote to memory of 3892	1540	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe	104
PID 1540 wrote to memory of 2956	1540	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe	105
PID 1540 wrote to memory of 2956	1540	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe	105
PID 1540 wrote to memory of 3952	1540	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe	107
PID 1540 wrote to memory of 3952	1540	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe	107

C:\Users\Admin\AppData\Local\Temp\2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1540
- C:\Windows\System\kGiWWEJ.exe
  C:\Windows\System\kGiWWEJ.exe
  2⤵
  - Executes dropped EXE
  PID:1840
- C:\Windows\System\SevFTTD.exe
  C:\Windows\System\SevFTTD.exe
  2⤵
  - Executes dropped EXE
  PID:4524
- C:\Windows\System\SCHOBZG.exe
  C:\Windows\System\SCHOBZG.exe
  2⤵
  - Executes dropped EXE
  PID:4516
- C:\Windows\System\deGmubT.exe
  C:\Windows\System\deGmubT.exe
  2⤵
  - Executes dropped EXE
  PID:4796
- C:\Windows\System\fqmWfii.exe
  C:\Windows\System\fqmWfii.exe
  2⤵
  - Executes dropped EXE
  PID:856
- C:\Windows\System\KBvCpQq.exe
  C:\Windows\System\KBvCpQq.exe
  2⤵
  - Executes dropped EXE
  PID:780
- C:\Windows\System\JeByuYq.exe
  C:\Windows\System\JeByuYq.exe
  2⤵
  - Executes dropped EXE
  PID:4172
- C:\Windows\System\awvGaBZ.exe
  C:\Windows\System\awvGaBZ.exe
  2⤵
  - Executes dropped EXE
  PID:2032
- C:\Windows\System\CBfzTyZ.exe
  C:\Windows\System\CBfzTyZ.exe
  2⤵
  - Executes dropped EXE
  PID:3096
- C:\Windows\System\cTWVYYa.exe
  C:\Windows\System\cTWVYYa.exe
  2⤵
  - Executes dropped EXE
  PID:4736
- C:\Windows\System\NsKRsRb.exe
  C:\Windows\System\NsKRsRb.exe
  2⤵
  - Executes dropped EXE
  PID:2180
- C:\Windows\System\WwweLPa.exe
  C:\Windows\System\WwweLPa.exe
  2⤵
  - Executes dropped EXE
  PID:1032
- C:\Windows\System\yCsLybH.exe
  C:\Windows\System\yCsLybH.exe
  2⤵
  - Executes dropped EXE
  PID:3740
- C:\Windows\System\aXNmeQy.exe
  C:\Windows\System\aXNmeQy.exe
  2⤵
  - Executes dropped EXE
  PID:844
- C:\Windows\System\uPczDWI.exe
  C:\Windows\System\uPczDWI.exe
  2⤵
  - Executes dropped EXE
  PID:5084
- C:\Windows\System\MoIorpN.exe
  C:\Windows\System\MoIorpN.exe
  2⤵
  - Executes dropped EXE
  PID:5008
- C:\Windows\System\advNTru.exe
  C:\Windows\System\advNTru.exe
  2⤵
  - Executes dropped EXE
  PID:2944
- C:\Windows\System\CrjTbOW.exe
  C:\Windows\System\CrjTbOW.exe
  2⤵
  - Executes dropped EXE
  PID:4620
- C:\Windows\System\wDbMHAf.exe
  C:\Windows\System\wDbMHAf.exe
  2⤵
  - Executes dropped EXE
  PID:3892
- C:\Windows\System\zIQDfJF.exe
  C:\Windows\System\zIQDfJF.exe
  2⤵
  - Executes dropped EXE
  PID:2956
- C:\Windows\System\fjFqzLd.exe
  C:\Windows\System\fjFqzLd.exe
  2⤵
  - Executes dropped EXE
  PID:3952

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\CBfzTyZ.exe

Filesize
5.9MB

MD5
577b9e4e6af979266ed3c53e79f43b6b

SHA1
e6a01a7aa069fb952f12ef33346c5b3869549830

SHA256
27c7c28943170943e3664b139aa71a1c2aa7e39f8a7e40df59524ba7bd97c5a3

SHA512
7b0006f4018314c16e9a02e8294354f0a314dd27aa6b6a216e9992eff15a63b9e12ddc624902c8c5be4fb71a14a59ba1b6e7bf07267c5ac9bdf830cae101d618

Download Submit
C:\Windows\System\CrjTbOW.exe

Filesize
5.9MB

MD5
d5a88dfbfecde4024228091482321cac

SHA1
48744cf475d2177c60b7e30d16ca07a919ea6462

SHA256
2f71613085674d8ea3aa71ce5f7f352ea1942bb1c3f438d20ae9d3692af8e2c8

SHA512
871147760ebbaee120b7e7981989a5de36aabd404efadf8081c91ff3f371900487e469188c2825cbfc9575a340b46f12d7265674b721746f5de9062825cb15fd

Download Submit
C:\Windows\System\JeByuYq.exe

Filesize
5.9MB

MD5
b922013d9e9aea927349ecece927bd01

SHA1
6ce63225dfa43f5c21dc85e3b55deb114156f74a

SHA256
726a89387942059bc5f6a662cf2a9d5aa81019513fcbbd1cec0e82615450517e

SHA512
162ad0e98644ce16eba9d098a8e46f5e56d6ee1666525df8dbc197243d0f9c9369243595cb6f51eb69ab9440162a36747574513b3254b187b290eb167b6e468b

Download Submit
C:\Windows\System\KBvCpQq.exe

Filesize
5.9MB

MD5
c30a27aebbe6ee381dab60900159b7c7

SHA1
f4f12bb19e06cba6af16cbffce92446213d3170d

SHA256
726cfff72c1073df35f4370dd91a57a5a54104797ee7855b6db093da0f0bafa4

SHA512
3594585eac6e05320b0fa5459c9a0c75c3b10c5808d64e924d9b0ca5d5906b5a1db97e7dcb2e0fa3d77725c46fb53581a0ed413b536971bd67f2ee0774e71288

Download Submit
C:\Windows\System\MoIorpN.exe

Filesize
5.9MB

MD5
1c8d5676c4e805e03cf0c086437d9193

SHA1
f098ede8ad768e20f9bd50bcf50077f391cf391f

SHA256
bdd515d19eea26b558d9d68ad12d8213e8a97134365d9387304e6f78276c1edb

SHA512
7adafdbaf6914c8834976a2c72d6271f0129f6f85c67816b25bfedad7bfe5515bacb2b33e6436bd68e802db6a67014539b570d9f8713afd913de36b7b0f73c23

Download Submit
C:\Windows\System\NsKRsRb.exe

Filesize
5.9MB

MD5
8e9ad19bf1453e7fffd0cb45caccf060

SHA1
2e74d924fcf40bc8e2f9663389650dceac2c164b

SHA256
a581a1c997ab7e488e619de912e678219839d1ac9cc65f6609a3cdad315d2ddb

SHA512
b1b9bd8f8e3e2feef7cfb485d0e9b284929f2fadba4751a1f06c6421d397b9ef573d503524c4b32c301107b932d9af8415c771bb9b2413186f7a52987bcb0cfe

Download Submit
C:\Windows\System\SCHOBZG.exe

Filesize
5.9MB

MD5
a12fef85302fb0b84ba60233329c6336

SHA1
08f2fec37b0a7a77803f130f317dc79eeda62a0a

SHA256
ec80ffdf0d2268048e340a5535d4cf2ceb8d8645ffe3d47f361bf53573c77e00

SHA512
53f544a4ad56754ebc0fa52b5e16a1e667636a4aa2c29875117e3eb033d013a3a68ece1ceb36accd79e956754f578b25d0daeb83206adf71f4e62727e2433d68

Download Submit
C:\Windows\System\SevFTTD.exe

Filesize
5.9MB

MD5
db6290d99c71b7f96dea71eb348dfb40

SHA1
12592a152d9ac19b4b896240e4f948352cf10a66

SHA256
691e2e9dd9228c76116da9cb3c52d241118abf8190cba9177b029cf8590583e2

SHA512
01bafecb5eeaf882e311427f88b634fb33e92da7c8907ac6c5f6d2836344765141615b3f0d30c6d9bd99b2f030ae9a46dc940fbe0fcabd7358e79231cace8825

Download Submit
C:\Windows\System\WwweLPa.exe

Filesize
5.9MB

MD5
bb521c9cebac58866e53e56e54c79b57

SHA1
752ca5937412ec12d86508cf2403bf34741a6b81

SHA256
da0b79595b1b9b2cbb1c912b00cf28d3fd1a4b2276437a58d13893a986b3d214

SHA512
d107b2f9ec908ccf0187bec9bb5a617904e6a0f6fd19cd1b3222a0b58f5f7ce4e338da8ea9a35bf1be4f41cd0f4738d6d249ed89d897e36975b92d172335e3ae

Download Submit
C:\Windows\System\aXNmeQy.exe

Filesize
5.9MB

MD5
9fb9a43b0645f887eb615c72e860c47c

SHA1
eaf578709b6bc0a3193401819382ce04961b7a5c

SHA256
554c202b763916fc7edc4aa1dfc99b1dddc0a816b406c2c25c667f0e3ca7bd78

SHA512
7165420661b3ad63b21b9def965d01a70f43984df4bdd5163efdfca15efa4abf9522783b6bb97f5ddadb1a738f37a4206398605fa5e1efffc12e79bda28be4e3

Download Submit
C:\Windows\System\advNTru.exe

Filesize
5.9MB

MD5
dbf2b4cfcbfab971ea4a399fa55f1930

SHA1
4c65e5697636cb8370d3a72e6c25a5b1a1e8e183

SHA256
e582966ced9d607efe4d7079b3bd9e4e789f333e1424a29c14897cc9f489fda7

SHA512
42fa51136ff463ee736840a06fd4faa763bf445d5435cd2a2b31f6363706c91d8f3958722fcb1f00b9620482c04faa636d6c23b0abff9f0e44f5ebf590d82838

Download Submit
C:\Windows\System\awvGaBZ.exe

Filesize
5.9MB

MD5
3e3a1247bb28beeaa74a3818b62107e9

SHA1
dbdefab1305c97a803b12fac87dc6958e17bf910

SHA256
190e121809613e696cbff6ea3418d84293d13132bed471e36cd29cad88fdd389

SHA512
773818f7dba11aad68cbe9f15931226976441e98d86879ed21dccb248aa096acb3a7886578cefdbe5c04d16df62a85001f0cb8c45895733845e210a89c4a3eb7

Download Submit
C:\Windows\System\cTWVYYa.exe

Filesize
5.9MB

MD5
297304f0dcecf1ef0b7d16befcef1e0b

SHA1
78ca3fab901307aef289c27a0d188aea789e64e5

SHA256
e21279a99a6d9ea58d213ac9a94d509e2eaefa918e11f29a38706a12272a1963

SHA512
d68904633e7d4344dad9ae4b6473b5eccf964941c79ddb29456375a8874aec5a23daba34d844d778837e8614c5f083dea05ec1366bb3e55c1976bc3a5909b589

Download Submit
C:\Windows\System\deGmubT.exe

Filesize
5.9MB

MD5
29ea04e22dca6ef550e2a1f759f00695

SHA1
4f98e609869c3dcfed17cd796a12cd0ed9f69792

SHA256
942c7a167ecccac77c9dd1fc7bc0aa1c3a9a5d96848b0c839837410762949e1e

SHA512
275de0d676d4349254b085c313cb4c48f806a948fe0c15f6b24b60b4d687813da50e969114811d2a1a248177a46ea2a943b3102606b0e0d2d84bc2a9a7763c65

Download Submit
C:\Windows\System\fjFqzLd.exe

Filesize
5.9MB

MD5
2aa4050ef6a966efd8e7201f4338fc14

SHA1
fe8e1ed52e9c3e70985ca0ed3c5708d17faaecc9

SHA256
c0044d53806e97992e5a53c2e50ebd5074a4daa308e565e8670f3a94d577f7dd

SHA512
8e489579bb631ad6c25e9e44b1f09a611acc247c3ec9728f94cfa50d3d9a2d3533aa181328dff563b67d56961e93d6394c35d1da6eee8ee1c17a398946852275

Download Submit
C:\Windows\System\fqmWfii.exe

Filesize
5.9MB

MD5
bd6e0c013c0da2605fb91a583fcc95da

SHA1
5f178751ec3a596491f1a14e33cc4bece1101fe6

SHA256
cb29844ccb40aa791a667aa3a67c353df5433332b800b62955a36b68d55cd49e

SHA512
8cb311719f539cb7c3dab015db4e194c11de04665eb6723455c5249bd95a163eb11b21b5a1534a21dd93752cdadc7e737512bb367e6f32f992b73fcdd7e14bb9

Download Submit
C:\Windows\System\kGiWWEJ.exe

Filesize
5.9MB

MD5
b1de8b20dc68e23c890c924244faadc2

SHA1
1a4b71111de09273617061b36254a16854579e19

SHA256
4acf2e8cbf05685177910e40bf2209b5b427f5cda56abb9e4a761a7ff901296b

SHA512
254c96a55d4643ffb5aa4dc0582a08140370d983b01f5fdb09a55d9ad7ba3180c9817ab5dfb2c511815bfd811f93e4287a028993245d0f3390e1e51504f5d45c

Download Submit
C:\Windows\System\uPczDWI.exe

Filesize
5.9MB

MD5
4eb07fa2cf75da9a3f59f2db7fabaeb1

SHA1
c10e18d7d8a030286bb0cc403b9521e6fee177b0

SHA256
9799eb2416582c1b6cc47ba557562df7d3326348d4675ece8efc6152067711c9

SHA512
deedc160d5e11aa0ea7007699d8f16891d3da661d78ab6c969549547dcd72b7f53cf47cb8d91dc1f6b7604d6c6bf03c51d108ba58ffc806f60241545b4417df9

Download Submit
C:\Windows\System\wDbMHAf.exe

Filesize
5.9MB

MD5
0fc4a2e6f06baa4ef5b13b435da16904

SHA1
ee604da50058b2d684e50e4f52bcc444af2a4e13

SHA256
73b3a8acad9f33f25bf696bc6746132bd6c76eae0d53fa32e3ca7babb222407c

SHA512
071e0abfc26265949f91139b738b66897e03ef7435eda934d8634b1b8bdce8bf6e16c47a7a6f880d1913577d32ea96472a214fe9cb29e74c649924c796ca98ec

Download Submit
C:\Windows\System\yCsLybH.exe

Filesize
5.9MB

MD5
d46bb981fe45bd4b7cfb45babacf6a1b

SHA1
8f386792951dc8a86022e3eb5068c7164371d7a3

SHA256
a13670cde3bd7a3c325d3618dbfe5e8f7474618f8677a3b48a3db9a4e840c8a8

SHA512
422d5775fc08ba85ab7a3f99030cb19bdeabcd6f9682b900698d8ed151414e4f8bb5d575785eb473c394e33bc496fdf8919ec7facfd8704ad5387294a3a72c6c

Download Submit
C:\Windows\System\zIQDfJF.exe

Filesize
5.9MB

MD5
6806ee657edbc230e6a2576ab017eea4

SHA1
ad2e84b5b61fe4f0188433909d263d94d6f84a22

SHA256
57f1051265ce0d6dd80dcb76360a62d5723183aadb2aa1da00f7292dbacc696c

SHA512
4e425ca7bda9d51a8cc02cf48014e4b3db900194a157fe3c37850f5f68dad9a55562067ba06ad709b13a3827c6136b3cd055b9d0de01a2dd3c2c2d88c9181c78

Download Submit
memory/780-39-0x00007FF7752E0000-0x00007FF775634000-memory.dmp

Filesize
3.3MB

Download
memory/780-143-0x00007FF7752E0000-0x00007FF775634000-memory.dmp

Filesize
3.3MB

Download
memory/844-151-0x00007FF6D3BA0000-0x00007FF6D3EF4000-memory.dmp

Filesize
3.3MB

Download
memory/844-89-0x00007FF6D3BA0000-0x00007FF6D3EF4000-memory.dmp

Filesize
3.3MB

Download
memory/856-142-0x00007FF62B6D0000-0x00007FF62BA24000-memory.dmp

Filesize
3.3MB

Download
memory/856-93-0x00007FF62B6D0000-0x00007FF62BA24000-memory.dmp

Filesize
3.3MB

Download
memory/856-31-0x00007FF62B6D0000-0x00007FF62BA24000-memory.dmp

Filesize
3.3MB

Download
memory/1032-77-0x00007FF67CE90000-0x00007FF67D1E4000-memory.dmp

Filesize
3.3MB

Download
memory/1032-150-0x00007FF67CE90000-0x00007FF67D1E4000-memory.dmp

Filesize
3.3MB

Download
memory/1032-132-0x00007FF67CE90000-0x00007FF67D1E4000-memory.dmp

Filesize
3.3MB

Download
memory/1540-62-0x00007FF77E0C0000-0x00007FF77E414000-memory.dmp

Filesize
3.3MB

Download
memory/1540-0-0x00007FF77E0C0000-0x00007FF77E414000-memory.dmp

Filesize
3.3MB

Download
memory/1540-1-0x0000024CFD540000-0x0000024CFD550000-memory.dmp

Filesize
64KB

Download
memory/1840-138-0x00007FF7F6E00000-0x00007FF7F7154000-memory.dmp

Filesize
3.3MB

Download
memory/1840-9-0x00007FF7F6E00000-0x00007FF7F7154000-memory.dmp

Filesize
3.3MB

Download
memory/2032-50-0x00007FF694DA0000-0x00007FF6950F4000-memory.dmp

Filesize
3.3MB

Download
memory/2032-145-0x00007FF694DA0000-0x00007FF6950F4000-memory.dmp

Filesize
3.3MB

Download
memory/2180-72-0x00007FF738CB0000-0x00007FF739004000-memory.dmp

Filesize
3.3MB

Download
memory/2180-148-0x00007FF738CB0000-0x00007FF739004000-memory.dmp

Filesize
3.3MB

Download
memory/2944-154-0x00007FF6C1F40000-0x00007FF6C2294000-memory.dmp

Filesize
3.3MB

Download
memory/2944-113-0x00007FF6C1F40000-0x00007FF6C2294000-memory.dmp

Filesize
3.3MB

Download
memory/2956-137-0x00007FF6B3A80000-0x00007FF6B3DD4000-memory.dmp

Filesize
3.3MB

Download
memory/2956-158-0x00007FF6B3A80000-0x00007FF6B3DD4000-memory.dmp

Filesize
3.3MB

Download
memory/2956-124-0x00007FF6B3A80000-0x00007FF6B3DD4000-memory.dmp

Filesize
3.3MB

Download
memory/3096-146-0x00007FF7D4520000-0x00007FF7D4874000-memory.dmp

Filesize
3.3MB

Download
memory/3096-55-0x00007FF7D4520000-0x00007FF7D4874000-memory.dmp

Filesize
3.3MB

Download
memory/3740-133-0x00007FF6BD5D0000-0x00007FF6BD924000-memory.dmp

Filesize
3.3MB

Download
memory/3740-79-0x00007FF6BD5D0000-0x00007FF6BD924000-memory.dmp

Filesize
3.3MB

Download
memory/3740-149-0x00007FF6BD5D0000-0x00007FF6BD924000-memory.dmp

Filesize
3.3MB

Download
memory/3892-156-0x00007FF73D750000-0x00007FF73DAA4000-memory.dmp

Filesize
3.3MB

Download
memory/3892-118-0x00007FF73D750000-0x00007FF73DAA4000-memory.dmp

Filesize
3.3MB

Download
memory/3892-136-0x00007FF73D750000-0x00007FF73DAA4000-memory.dmp

Filesize
3.3MB

Download
memory/3952-131-0x00007FF74F3D0000-0x00007FF74F724000-memory.dmp

Filesize
3.3MB

Download
memory/3952-157-0x00007FF74F3D0000-0x00007FF74F724000-memory.dmp

Filesize
3.3MB

Download
memory/4172-49-0x00007FF61D550000-0x00007FF61D8A4000-memory.dmp

Filesize
3.3MB

Download
memory/4172-144-0x00007FF61D550000-0x00007FF61D8A4000-memory.dmp

Filesize
3.3MB

Download
memory/4516-74-0x00007FF604D50000-0x00007FF6050A4000-memory.dmp

Filesize
3.3MB

Download
memory/4516-23-0x00007FF604D50000-0x00007FF6050A4000-memory.dmp

Filesize
3.3MB

Download
memory/4516-140-0x00007FF604D50000-0x00007FF6050A4000-memory.dmp

Filesize
3.3MB

Download
memory/4524-139-0x00007FF7B5B90000-0x00007FF7B5EE4000-memory.dmp

Filesize
3.3MB

Download
memory/4524-73-0x00007FF7B5B90000-0x00007FF7B5EE4000-memory.dmp

Filesize
3.3MB

Download
memory/4524-14-0x00007FF7B5B90000-0x00007FF7B5EE4000-memory.dmp

Filesize
3.3MB

Download
memory/4620-135-0x00007FF670450000-0x00007FF6707A4000-memory.dmp

Filesize
3.3MB

Download
memory/4620-155-0x00007FF670450000-0x00007FF6707A4000-memory.dmp

Filesize
3.3MB

Download
memory/4620-117-0x00007FF670450000-0x00007FF6707A4000-memory.dmp

Filesize
3.3MB

Download
memory/4736-147-0x00007FF62E0F0000-0x00007FF62E444000-memory.dmp

Filesize
3.3MB

Download
memory/4736-68-0x00007FF62E0F0000-0x00007FF62E444000-memory.dmp

Filesize
3.3MB

Download
memory/4796-26-0x00007FF695830000-0x00007FF695B84000-memory.dmp

Filesize
3.3MB

Download
memory/4796-141-0x00007FF695830000-0x00007FF695B84000-memory.dmp

Filesize
3.3MB

Download
memory/5008-152-0x00007FF600B90000-0x00007FF600EE4000-memory.dmp

Filesize
3.3MB

Download
memory/5008-102-0x00007FF600B90000-0x00007FF600EE4000-memory.dmp

Filesize
3.3MB

Download
memory/5084-153-0x00007FF626830000-0x00007FF626B84000-memory.dmp

Filesize
3.3MB

Download
memory/5084-134-0x00007FF626830000-0x00007FF626B84000-memory.dmp

Filesize
3.3MB

Download
memory/5084-96-0x00007FF626830000-0x00007FF626B84000-memory.dmp

Filesize
3.3MB

Download