cobaltstrike | 1e111884074ee04ab150c7fe9f4557d320e9613b51e8b95b15967d44ff0e3746

Analysis

max time kernel
141s
max time network
146s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10/03/2024, 11:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-10_03f9d0594d1537d7e04872904955e315_cobalt-strike_cobaltstrike.exe
Size

5.2MB
MD5

03f9d0594d1537d7e04872904955e315
SHA1

f7eba7ec928117ef12e5f8aab1e01ae21fe65ffe
SHA256

1e111884074ee04ab150c7fe9f4557d320e9613b51e8b95b15967d44ff0e3746
SHA512

94638acacb105cea2afc7b071acf19a56088f4bf7139d74f23f8f5def8f8c072f0c986265b6eb42eba5404b970aa4affc485e8db2401e3b8710b1e8c8928b18e
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lF:RWWBibf56utgpPFotBER/mQ32lUx

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 43 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x000c00000001224c-3.dat	cobalt_reflective_dll
behavioral1/files/0x000c00000001224c-5.dat	cobalt_reflective_dll
behavioral1/files/0x000b0000000144e8-10.dat	cobalt_reflective_dll
behavioral1/files/0x000b0000000144e8-13.dat	cobalt_reflective_dll
behavioral1/files/0x0035000000014712-15.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000014b4c-23.dat	cobalt_reflective_dll
behavioral1/files/0x0035000000014712-18.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000014b18-26.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000014b18-20.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000014b4c-30.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000014bbc-34.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000014bbc-37.dat	cobalt_reflective_dll
behavioral1/files/0x0035000000014712-12.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000014e71-45.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000014e71-43.dat	cobalt_reflective_dll
behavioral1/files/0x003500000001471a-53.dat	cobalt_reflective_dll
behavioral1/files/0x003500000001471a-50.dat	cobalt_reflective_dll
behavioral1/files/0x000900000001535e-56.dat	cobalt_reflective_dll
behavioral1/files/0x000900000001535e-59.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015d87-90.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015d56-97.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015d6b-101.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015d7f-100.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015d87-104.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015ecc-116.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015e32-131.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015f65-135.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015f65-120.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015e32-113.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015ecc-122.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015d93-110.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015d93-107.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015d5f-94.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015d42-93.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015d7f-86.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015d4e-83.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015d6b-82.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015d5f-79.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015d4e-72.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015d56-75.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015d42-68.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000015cff-66.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000015cff-64.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 43 IoCs

resource	yara_rule
behavioral1/files/0x000c00000001224c-3.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x000c00000001224c-5.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x000b0000000144e8-10.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x000b0000000144e8-13.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0035000000014712-15.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000014b4c-23.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0035000000014712-18.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000014b18-26.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000014b18-20.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000014b4c-30.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000014bbc-34.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000014bbc-37.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0035000000014712-12.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000014e71-45.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000014e71-43.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x003500000001471a-53.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x003500000001471a-50.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x000900000001535e-56.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x000900000001535e-59.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015d87-90.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015d56-97.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015d6b-101.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015d7f-100.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015d87-104.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015ecc-116.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015e32-131.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015f65-135.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015f65-120.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015e32-113.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015ecc-122.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015d93-110.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015d93-107.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015d5f-94.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015d42-93.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015d7f-86.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015d4e-83.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015d6b-82.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015d5f-79.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015d4e-72.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015d56-75.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015d42-68.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0008000000015cff-66.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0008000000015cff-64.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

resource	yara_rule
behavioral1/memory/2848-0-0x000000013F540000-0x000000013F891000-memory.dmp	UPX
behavioral1/files/0x000c00000001224c-3.dat	UPX
behavioral1/files/0x000c00000001224c-5.dat	UPX
behavioral1/memory/2512-9-0x000000013FBC0000-0x000000013FF11000-memory.dmp	UPX
behavioral1/files/0x000b0000000144e8-10.dat	UPX
behavioral1/files/0x000b0000000144e8-13.dat	UPX
behavioral1/files/0x0035000000014712-15.dat	UPX
behavioral1/files/0x0007000000014b4c-23.dat	UPX
behavioral1/files/0x0035000000014712-18.dat	UPX
behavioral1/files/0x0007000000014b18-26.dat	UPX
behavioral1/files/0x0007000000014b18-20.dat	UPX
behavioral1/files/0x0007000000014b4c-30.dat	UPX
behavioral1/memory/2628-32-0x000000013F830000-0x000000013FB81000-memory.dmp	UPX
behavioral1/files/0x0007000000014bbc-34.dat	UPX
behavioral1/memory/2752-38-0x000000013F770000-0x000000013FAC1000-memory.dmp	UPX
behavioral1/files/0x0007000000014bbc-37.dat	UPX
behavioral1/memory/2656-41-0x000000013F280000-0x000000013F5D1000-memory.dmp	UPX
behavioral1/memory/2548-40-0x000000013F7D0000-0x000000013FB21000-memory.dmp	UPX
behavioral1/memory/2580-42-0x000000013FE90000-0x00000001401E1000-memory.dmp	UPX
behavioral1/files/0x0035000000014712-12.dat	UPX
behavioral1/files/0x0007000000014e71-45.dat	UPX
behavioral1/files/0x0007000000014e71-43.dat	UPX
behavioral1/memory/2556-49-0x000000013F130000-0x000000013F481000-memory.dmp	UPX
behavioral1/files/0x003500000001471a-53.dat	UPX
behavioral1/files/0x003500000001471a-50.dat	UPX
behavioral1/files/0x000900000001535e-56.dat	UPX
behavioral1/memory/1988-60-0x000000013F130000-0x000000013F481000-memory.dmp	UPX
behavioral1/memory/2824-63-0x000000013FDE0000-0x0000000140131000-memory.dmp	UPX
behavioral1/files/0x000900000001535e-59.dat	UPX
behavioral1/files/0x0006000000015d87-90.dat	UPX
behavioral1/files/0x0006000000015d56-97.dat	UPX
behavioral1/files/0x0006000000015d6b-101.dat	UPX
behavioral1/files/0x0006000000015d7f-100.dat	UPX
behavioral1/files/0x0006000000015d87-104.dat	UPX
behavioral1/memory/1040-99-0x000000013F6C0000-0x000000013FA11000-memory.dmp	UPX
behavioral1/files/0x0006000000015ecc-116.dat	UPX
behavioral1/memory/1620-117-0x000000013F9C0000-0x000000013FD11000-memory.dmp	UPX
behavioral1/memory/1800-125-0x000000013F150000-0x000000013F4A1000-memory.dmp	UPX
behavioral1/memory/1180-127-0x000000013F0A0000-0x000000013F3F1000-memory.dmp	UPX
behavioral1/memory/2392-128-0x000000013FA60000-0x000000013FDB1000-memory.dmp	UPX
behavioral1/memory/2180-130-0x000000013FC70000-0x000000013FFC1000-memory.dmp	UPX
behavioral1/files/0x0006000000015e32-131.dat	UPX
behavioral1/files/0x0006000000015f65-135.dat	UPX
behavioral1/memory/1572-138-0x000000013F780000-0x000000013FAD1000-memory.dmp	UPX
behavioral1/memory/1052-142-0x000000013F730000-0x000000013FA81000-memory.dmp	UPX
behavioral1/memory/1728-143-0x000000013FCC0000-0x0000000140011000-memory.dmp	UPX
behavioral1/memory/1600-134-0x000000013F8B0000-0x000000013FC01000-memory.dmp	UPX
behavioral1/files/0x0006000000015f65-120.dat	UPX
behavioral1/files/0x0006000000015e32-113.dat	UPX
behavioral1/memory/2148-129-0x000000013F750000-0x000000013FAA1000-memory.dmp	UPX
behavioral1/memory/1436-126-0x000000013F290000-0x000000013F5E1000-memory.dmp	UPX
behavioral1/files/0x0006000000015ecc-122.dat	UPX
behavioral1/files/0x0006000000015d93-110.dat	UPX
behavioral1/files/0x0006000000015d93-107.dat	UPX
behavioral1/files/0x0006000000015d5f-94.dat	UPX
behavioral1/files/0x0006000000015d42-93.dat	UPX
behavioral1/files/0x0006000000015d7f-86.dat	UPX
behavioral1/files/0x0006000000015d4e-83.dat	UPX
behavioral1/files/0x0006000000015d6b-82.dat	UPX
behavioral1/files/0x0006000000015d5f-79.dat	UPX
behavioral1/files/0x0006000000015d4e-72.dat	UPX
behavioral1/files/0x0006000000015d56-75.dat	UPX
behavioral1/files/0x0006000000015d42-68.dat	UPX
behavioral1/files/0x0008000000015cff-66.dat	UPX

XMRig Miner payload 49 IoCs

miner

resource	yara_rule
behavioral1/memory/2512-9-0x000000013FBC0000-0x000000013FF11000-memory.dmp	xmrig
behavioral1/memory/2628-32-0x000000013F830000-0x000000013FB81000-memory.dmp	xmrig
behavioral1/memory/2752-38-0x000000013F770000-0x000000013FAC1000-memory.dmp	xmrig
behavioral1/memory/2656-41-0x000000013F280000-0x000000013F5D1000-memory.dmp	xmrig
behavioral1/memory/2548-40-0x000000013F7D0000-0x000000013FB21000-memory.dmp	xmrig
behavioral1/memory/2580-42-0x000000013FE90000-0x00000001401E1000-memory.dmp	xmrig
behavioral1/memory/2556-49-0x000000013F130000-0x000000013F481000-memory.dmp	xmrig
behavioral1/memory/1988-60-0x000000013F130000-0x000000013F481000-memory.dmp	xmrig
behavioral1/memory/2824-63-0x000000013FDE0000-0x0000000140131000-memory.dmp	xmrig
behavioral1/memory/1040-99-0x000000013F6C0000-0x000000013FA11000-memory.dmp	xmrig
behavioral1/memory/1620-117-0x000000013F9C0000-0x000000013FD11000-memory.dmp	xmrig
behavioral1/memory/1800-125-0x000000013F150000-0x000000013F4A1000-memory.dmp	xmrig
behavioral1/memory/1180-127-0x000000013F0A0000-0x000000013F3F1000-memory.dmp	xmrig
behavioral1/memory/2392-128-0x000000013FA60000-0x000000013FDB1000-memory.dmp	xmrig
behavioral1/memory/2180-130-0x000000013FC70000-0x000000013FFC1000-memory.dmp	xmrig
behavioral1/memory/1572-138-0x000000013F780000-0x000000013FAD1000-memory.dmp	xmrig
behavioral1/memory/1052-142-0x000000013F730000-0x000000013FA81000-memory.dmp	xmrig
behavioral1/memory/1728-143-0x000000013FCC0000-0x0000000140011000-memory.dmp	xmrig
behavioral1/memory/1600-134-0x000000013F8B0000-0x000000013FC01000-memory.dmp	xmrig
behavioral1/memory/2848-132-0x000000013F8B0000-0x000000013FC01000-memory.dmp	xmrig
behavioral1/memory/2148-129-0x000000013F750000-0x000000013FAA1000-memory.dmp	xmrig
behavioral1/memory/1436-126-0x000000013F290000-0x000000013F5E1000-memory.dmp	xmrig
behavioral1/memory/2848-144-0x000000013F540000-0x000000013F891000-memory.dmp	xmrig
behavioral1/memory/2848-145-0x000000013F540000-0x000000013F891000-memory.dmp	xmrig
behavioral1/memory/2512-146-0x000000013FBC0000-0x000000013FF11000-memory.dmp	xmrig
behavioral1/memory/2556-152-0x000000013F130000-0x000000013F481000-memory.dmp	xmrig
behavioral1/memory/1040-155-0x000000013F6C0000-0x000000013FA11000-memory.dmp	xmrig
behavioral1/memory/2848-167-0x000000013F540000-0x000000013F891000-memory.dmp	xmrig
behavioral1/memory/2512-216-0x000000013FBC0000-0x000000013FF11000-memory.dmp	xmrig
behavioral1/memory/2548-218-0x000000013F7D0000-0x000000013FB21000-memory.dmp	xmrig
behavioral1/memory/2628-223-0x000000013F830000-0x000000013FB81000-memory.dmp	xmrig
behavioral1/memory/2752-222-0x000000013F770000-0x000000013FAC1000-memory.dmp	xmrig
behavioral1/memory/2656-224-0x000000013F280000-0x000000013F5D1000-memory.dmp	xmrig
behavioral1/memory/2580-226-0x000000013FE90000-0x00000001401E1000-memory.dmp	xmrig
behavioral1/memory/2556-228-0x000000013F130000-0x000000013F481000-memory.dmp	xmrig
behavioral1/memory/1988-231-0x000000013F130000-0x000000013F481000-memory.dmp	xmrig
behavioral1/memory/2824-242-0x000000013FDE0000-0x0000000140131000-memory.dmp	xmrig
behavioral1/memory/1040-246-0x000000013F6C0000-0x000000013FA11000-memory.dmp	xmrig
behavioral1/memory/1620-245-0x000000013F9C0000-0x000000013FD11000-memory.dmp	xmrig
behavioral1/memory/1800-249-0x000000013F150000-0x000000013F4A1000-memory.dmp	xmrig
behavioral1/memory/1436-251-0x000000013F290000-0x000000013F5E1000-memory.dmp	xmrig
behavioral1/memory/2392-256-0x000000013FA60000-0x000000013FDB1000-memory.dmp	xmrig
behavioral1/memory/1572-255-0x000000013F780000-0x000000013FAD1000-memory.dmp	xmrig
behavioral1/memory/2148-258-0x000000013F750000-0x000000013FAA1000-memory.dmp	xmrig
behavioral1/memory/1180-254-0x000000013F0A0000-0x000000013F3F1000-memory.dmp	xmrig
behavioral1/memory/2180-260-0x000000013FC70000-0x000000013FFC1000-memory.dmp	xmrig
behavioral1/memory/1600-262-0x000000013F8B0000-0x000000013FC01000-memory.dmp	xmrig
behavioral1/memory/1052-264-0x000000013F730000-0x000000013FA81000-memory.dmp	xmrig
behavioral1/memory/1728-266-0x000000013FCC0000-0x0000000140011000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2512	JUODzff.exe
2548	kJDzlbP.exe
2628	IXePJkz.exe
2752	nzRCnaw.exe
2656	oxePdcV.exe
2580	jSXbWxm.exe
2556	kntkbPL.exe
1988	GEVxgte.exe
2824	iEbqwiW.exe
1040	qdxDzXV.exe
1620	vlPIUQe.exe
1800	CTnzdFP.exe
1436	CWfuoyE.exe
1180	cPiszkf.exe
1572	ujfqgSf.exe
2392	TeIHrrJ.exe
2148	uoRCTaa.exe
2180	RaclgUH.exe
1600	PLynuUc.exe
1052	fEsyCqQ.exe
1728	yLDNgGr.exe

Loads dropped DLL 21 IoCs

pid	Process
2848	2024-03-10_03f9d0594d1537d7e04872904955e315_cobalt-strike_cobaltstrike.exe
2848	2024-03-10_03f9d0594d1537d7e04872904955e315_cobalt-strike_cobaltstrike.exe
2848	2024-03-10_03f9d0594d1537d7e04872904955e315_cobalt-strike_cobaltstrike.exe
2848	2024-03-10_03f9d0594d1537d7e04872904955e315_cobalt-strike_cobaltstrike.exe
2848	2024-03-10_03f9d0594d1537d7e04872904955e315_cobalt-strike_cobaltstrike.exe
2848	2024-03-10_03f9d0594d1537d7e04872904955e315_cobalt-strike_cobaltstrike.exe
2848	2024-03-10_03f9d0594d1537d7e04872904955e315_cobalt-strike_cobaltstrike.exe
2848	2024-03-10_03f9d0594d1537d7e04872904955e315_cobalt-strike_cobaltstrike.exe
2848	2024-03-10_03f9d0594d1537d7e04872904955e315_cobalt-strike_cobaltstrike.exe
2848	2024-03-10_03f9d0594d1537d7e04872904955e315_cobalt-strike_cobaltstrike.exe
2848	2024-03-10_03f9d0594d1537d7e04872904955e315_cobalt-strike_cobaltstrike.exe
2848	2024-03-10_03f9d0594d1537d7e04872904955e315_cobalt-strike_cobaltstrike.exe
2848	2024-03-10_03f9d0594d1537d7e04872904955e315_cobalt-strike_cobaltstrike.exe
2848	2024-03-10_03f9d0594d1537d7e04872904955e315_cobalt-strike_cobaltstrike.exe
2848	2024-03-10_03f9d0594d1537d7e04872904955e315_cobalt-strike_cobaltstrike.exe
2848	2024-03-10_03f9d0594d1537d7e04872904955e315_cobalt-strike_cobaltstrike.exe
2848	2024-03-10_03f9d0594d1537d7e04872904955e315_cobalt-strike_cobaltstrike.exe
2848	2024-03-10_03f9d0594d1537d7e04872904955e315_cobalt-strike_cobaltstrike.exe
2848	2024-03-10_03f9d0594d1537d7e04872904955e315_cobalt-strike_cobaltstrike.exe
2848	2024-03-10_03f9d0594d1537d7e04872904955e315_cobalt-strike_cobaltstrike.exe
2848	2024-03-10_03f9d0594d1537d7e04872904955e315_cobalt-strike_cobaltstrike.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2848-0-0x000000013F540000-0x000000013F891000-memory.dmp	upx
behavioral1/files/0x000c00000001224c-3.dat	upx
behavioral1/files/0x000c00000001224c-5.dat	upx
behavioral1/memory/2512-9-0x000000013FBC0000-0x000000013FF11000-memory.dmp	upx
behavioral1/files/0x000b0000000144e8-10.dat	upx
behavioral1/files/0x000b0000000144e8-13.dat	upx
behavioral1/files/0x0035000000014712-15.dat	upx
behavioral1/files/0x0007000000014b4c-23.dat	upx
behavioral1/files/0x0035000000014712-18.dat	upx
behavioral1/files/0x0007000000014b18-26.dat	upx
behavioral1/files/0x0007000000014b18-20.dat	upx
behavioral1/files/0x0007000000014b4c-30.dat	upx
behavioral1/memory/2628-32-0x000000013F830000-0x000000013FB81000-memory.dmp	upx
behavioral1/files/0x0007000000014bbc-34.dat	upx
behavioral1/memory/2752-38-0x000000013F770000-0x000000013FAC1000-memory.dmp	upx
behavioral1/files/0x0007000000014bbc-37.dat	upx
behavioral1/memory/2656-41-0x000000013F280000-0x000000013F5D1000-memory.dmp	upx
behavioral1/memory/2548-40-0x000000013F7D0000-0x000000013FB21000-memory.dmp	upx
behavioral1/memory/2580-42-0x000000013FE90000-0x00000001401E1000-memory.dmp	upx
behavioral1/files/0x0035000000014712-12.dat	upx
behavioral1/files/0x0007000000014e71-45.dat	upx
behavioral1/files/0x0007000000014e71-43.dat	upx
behavioral1/memory/2556-49-0x000000013F130000-0x000000013F481000-memory.dmp	upx
behavioral1/files/0x003500000001471a-53.dat	upx
behavioral1/files/0x003500000001471a-50.dat	upx
behavioral1/files/0x000900000001535e-56.dat	upx
behavioral1/memory/1988-60-0x000000013F130000-0x000000013F481000-memory.dmp	upx
behavioral1/memory/2824-63-0x000000013FDE0000-0x0000000140131000-memory.dmp	upx
behavioral1/files/0x000900000001535e-59.dat	upx
behavioral1/files/0x0006000000015d87-90.dat	upx
behavioral1/files/0x0006000000015d56-97.dat	upx
behavioral1/files/0x0006000000015d6b-101.dat	upx
behavioral1/files/0x0006000000015d7f-100.dat	upx
behavioral1/files/0x0006000000015d87-104.dat	upx
behavioral1/memory/1040-99-0x000000013F6C0000-0x000000013FA11000-memory.dmp	upx
behavioral1/files/0x0006000000015ecc-116.dat	upx
behavioral1/memory/1620-117-0x000000013F9C0000-0x000000013FD11000-memory.dmp	upx
behavioral1/memory/1800-125-0x000000013F150000-0x000000013F4A1000-memory.dmp	upx
behavioral1/memory/1180-127-0x000000013F0A0000-0x000000013F3F1000-memory.dmp	upx
behavioral1/memory/2392-128-0x000000013FA60000-0x000000013FDB1000-memory.dmp	upx
behavioral1/memory/2180-130-0x000000013FC70000-0x000000013FFC1000-memory.dmp	upx
behavioral1/files/0x0006000000015e32-131.dat	upx
behavioral1/files/0x0006000000015f65-135.dat	upx
behavioral1/memory/1572-138-0x000000013F780000-0x000000013FAD1000-memory.dmp	upx
behavioral1/memory/1052-142-0x000000013F730000-0x000000013FA81000-memory.dmp	upx
behavioral1/memory/1728-143-0x000000013FCC0000-0x0000000140011000-memory.dmp	upx
behavioral1/memory/1600-134-0x000000013F8B0000-0x000000013FC01000-memory.dmp	upx
behavioral1/files/0x0006000000015f65-120.dat	upx
behavioral1/files/0x0006000000015e32-113.dat	upx
behavioral1/memory/2148-129-0x000000013F750000-0x000000013FAA1000-memory.dmp	upx
behavioral1/memory/1436-126-0x000000013F290000-0x000000013F5E1000-memory.dmp	upx
behavioral1/files/0x0006000000015ecc-122.dat	upx
behavioral1/files/0x0006000000015d93-110.dat	upx
behavioral1/files/0x0006000000015d93-107.dat	upx
behavioral1/files/0x0006000000015d5f-94.dat	upx
behavioral1/files/0x0006000000015d42-93.dat	upx
behavioral1/files/0x0006000000015d7f-86.dat	upx
behavioral1/files/0x0006000000015d4e-83.dat	upx
behavioral1/files/0x0006000000015d6b-82.dat	upx
behavioral1/files/0x0006000000015d5f-79.dat	upx
behavioral1/files/0x0006000000015d4e-72.dat	upx
behavioral1/files/0x0006000000015d56-75.dat	upx
behavioral1/files/0x0006000000015d42-68.dat	upx
behavioral1/files/0x0008000000015cff-66.dat	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\kntkbPL.exe	2024-03-10_03f9d0594d1537d7e04872904955e315_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\CTnzdFP.exe	2024-03-10_03f9d0594d1537d7e04872904955e315_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\uoRCTaa.exe	2024-03-10_03f9d0594d1537d7e04872904955e315_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\iEbqwiW.exe	2024-03-10_03f9d0594d1537d7e04872904955e315_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\cPiszkf.exe	2024-03-10_03f9d0594d1537d7e04872904955e315_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\TeIHrrJ.exe	2024-03-10_03f9d0594d1537d7e04872904955e315_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\IXePJkz.exe	2024-03-10_03f9d0594d1537d7e04872904955e315_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\jSXbWxm.exe	2024-03-10_03f9d0594d1537d7e04872904955e315_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\GEVxgte.exe	2024-03-10_03f9d0594d1537d7e04872904955e315_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\CWfuoyE.exe	2024-03-10_03f9d0594d1537d7e04872904955e315_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\RaclgUH.exe	2024-03-10_03f9d0594d1537d7e04872904955e315_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\fEsyCqQ.exe	2024-03-10_03f9d0594d1537d7e04872904955e315_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\PLynuUc.exe	2024-03-10_03f9d0594d1537d7e04872904955e315_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\kJDzlbP.exe	2024-03-10_03f9d0594d1537d7e04872904955e315_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\nzRCnaw.exe	2024-03-10_03f9d0594d1537d7e04872904955e315_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\qdxDzXV.exe	2024-03-10_03f9d0594d1537d7e04872904955e315_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ujfqgSf.exe	2024-03-10_03f9d0594d1537d7e04872904955e315_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\yLDNgGr.exe	2024-03-10_03f9d0594d1537d7e04872904955e315_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\JUODzff.exe	2024-03-10_03f9d0594d1537d7e04872904955e315_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\oxePdcV.exe	2024-03-10_03f9d0594d1537d7e04872904955e315_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\vlPIUQe.exe	2024-03-10_03f9d0594d1537d7e04872904955e315_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2848	2024-03-10_03f9d0594d1537d7e04872904955e315_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	2848	2024-03-10_03f9d0594d1537d7e04872904955e315_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2848 wrote to memory of 2512	2848	2024-03-10_03f9d0594d1537d7e04872904955e315_cobalt-strike_cobaltstrike.exe	29
PID 2848 wrote to memory of 2512	2848	2024-03-10_03f9d0594d1537d7e04872904955e315_cobalt-strike_cobaltstrike.exe	29
PID 2848 wrote to memory of 2512	2848	2024-03-10_03f9d0594d1537d7e04872904955e315_cobalt-strike_cobaltstrike.exe	29
PID 2848 wrote to memory of 2548	2848	2024-03-10_03f9d0594d1537d7e04872904955e315_cobalt-strike_cobaltstrike.exe	30
PID 2848 wrote to memory of 2548	2848	2024-03-10_03f9d0594d1537d7e04872904955e315_cobalt-strike_cobaltstrike.exe	30
PID 2848 wrote to memory of 2548	2848	2024-03-10_03f9d0594d1537d7e04872904955e315_cobalt-strike_cobaltstrike.exe	30
PID 2848 wrote to memory of 2628	2848	2024-03-10_03f9d0594d1537d7e04872904955e315_cobalt-strike_cobaltstrike.exe	31
PID 2848 wrote to memory of 2628	2848	2024-03-10_03f9d0594d1537d7e04872904955e315_cobalt-strike_cobaltstrike.exe	31
PID 2848 wrote to memory of 2628	2848	2024-03-10_03f9d0594d1537d7e04872904955e315_cobalt-strike_cobaltstrike.exe	31
PID 2848 wrote to memory of 2752	2848	2024-03-10_03f9d0594d1537d7e04872904955e315_cobalt-strike_cobaltstrike.exe	32
PID 2848 wrote to memory of 2752	2848	2024-03-10_03f9d0594d1537d7e04872904955e315_cobalt-strike_cobaltstrike.exe	32
PID 2848 wrote to memory of 2752	2848	2024-03-10_03f9d0594d1537d7e04872904955e315_cobalt-strike_cobaltstrike.exe	32
PID 2848 wrote to memory of 2656	2848	2024-03-10_03f9d0594d1537d7e04872904955e315_cobalt-strike_cobaltstrike.exe	33
PID 2848 wrote to memory of 2656	2848	2024-03-10_03f9d0594d1537d7e04872904955e315_cobalt-strike_cobaltstrike.exe	33
PID 2848 wrote to memory of 2656	2848	2024-03-10_03f9d0594d1537d7e04872904955e315_cobalt-strike_cobaltstrike.exe	33
PID 2848 wrote to memory of 2580	2848	2024-03-10_03f9d0594d1537d7e04872904955e315_cobalt-strike_cobaltstrike.exe	34
PID 2848 wrote to memory of 2580	2848	2024-03-10_03f9d0594d1537d7e04872904955e315_cobalt-strike_cobaltstrike.exe	34
PID 2848 wrote to memory of 2580	2848	2024-03-10_03f9d0594d1537d7e04872904955e315_cobalt-strike_cobaltstrike.exe	34
PID 2848 wrote to memory of 2556	2848	2024-03-10_03f9d0594d1537d7e04872904955e315_cobalt-strike_cobaltstrike.exe	35
PID 2848 wrote to memory of 2556	2848	2024-03-10_03f9d0594d1537d7e04872904955e315_cobalt-strike_cobaltstrike.exe	35
PID 2848 wrote to memory of 2556	2848	2024-03-10_03f9d0594d1537d7e04872904955e315_cobalt-strike_cobaltstrike.exe	35
PID 2848 wrote to memory of 1988	2848	2024-03-10_03f9d0594d1537d7e04872904955e315_cobalt-strike_cobaltstrike.exe	36
PID 2848 wrote to memory of 1988	2848	2024-03-10_03f9d0594d1537d7e04872904955e315_cobalt-strike_cobaltstrike.exe	36
PID 2848 wrote to memory of 1988	2848	2024-03-10_03f9d0594d1537d7e04872904955e315_cobalt-strike_cobaltstrike.exe	36
PID 2848 wrote to memory of 2824	2848	2024-03-10_03f9d0594d1537d7e04872904955e315_cobalt-strike_cobaltstrike.exe	37
PID 2848 wrote to memory of 2824	2848	2024-03-10_03f9d0594d1537d7e04872904955e315_cobalt-strike_cobaltstrike.exe	37
PID 2848 wrote to memory of 2824	2848	2024-03-10_03f9d0594d1537d7e04872904955e315_cobalt-strike_cobaltstrike.exe	37
PID 2848 wrote to memory of 1040	2848	2024-03-10_03f9d0594d1537d7e04872904955e315_cobalt-strike_cobaltstrike.exe	38
PID 2848 wrote to memory of 1040	2848	2024-03-10_03f9d0594d1537d7e04872904955e315_cobalt-strike_cobaltstrike.exe	38
PID 2848 wrote to memory of 1040	2848	2024-03-10_03f9d0594d1537d7e04872904955e315_cobalt-strike_cobaltstrike.exe	38
PID 2848 wrote to memory of 1800	2848	2024-03-10_03f9d0594d1537d7e04872904955e315_cobalt-strike_cobaltstrike.exe	39
PID 2848 wrote to memory of 1800	2848	2024-03-10_03f9d0594d1537d7e04872904955e315_cobalt-strike_cobaltstrike.exe	39
PID 2848 wrote to memory of 1800	2848	2024-03-10_03f9d0594d1537d7e04872904955e315_cobalt-strike_cobaltstrike.exe	39
PID 2848 wrote to memory of 1620	2848	2024-03-10_03f9d0594d1537d7e04872904955e315_cobalt-strike_cobaltstrike.exe	40
PID 2848 wrote to memory of 1620	2848	2024-03-10_03f9d0594d1537d7e04872904955e315_cobalt-strike_cobaltstrike.exe	40
PID 2848 wrote to memory of 1620	2848	2024-03-10_03f9d0594d1537d7e04872904955e315_cobalt-strike_cobaltstrike.exe	40
PID 2848 wrote to memory of 1180	2848	2024-03-10_03f9d0594d1537d7e04872904955e315_cobalt-strike_cobaltstrike.exe	41
PID 2848 wrote to memory of 1180	2848	2024-03-10_03f9d0594d1537d7e04872904955e315_cobalt-strike_cobaltstrike.exe	41
PID 2848 wrote to memory of 1180	2848	2024-03-10_03f9d0594d1537d7e04872904955e315_cobalt-strike_cobaltstrike.exe	41
PID 2848 wrote to memory of 1436	2848	2024-03-10_03f9d0594d1537d7e04872904955e315_cobalt-strike_cobaltstrike.exe	42
PID 2848 wrote to memory of 1436	2848	2024-03-10_03f9d0594d1537d7e04872904955e315_cobalt-strike_cobaltstrike.exe	42
PID 2848 wrote to memory of 1436	2848	2024-03-10_03f9d0594d1537d7e04872904955e315_cobalt-strike_cobaltstrike.exe	42
PID 2848 wrote to memory of 2392	2848	2024-03-10_03f9d0594d1537d7e04872904955e315_cobalt-strike_cobaltstrike.exe	43
PID 2848 wrote to memory of 2392	2848	2024-03-10_03f9d0594d1537d7e04872904955e315_cobalt-strike_cobaltstrike.exe	43
PID 2848 wrote to memory of 2392	2848	2024-03-10_03f9d0594d1537d7e04872904955e315_cobalt-strike_cobaltstrike.exe	43
PID 2848 wrote to memory of 1572	2848	2024-03-10_03f9d0594d1537d7e04872904955e315_cobalt-strike_cobaltstrike.exe	44
PID 2848 wrote to memory of 1572	2848	2024-03-10_03f9d0594d1537d7e04872904955e315_cobalt-strike_cobaltstrike.exe	44
PID 2848 wrote to memory of 1572	2848	2024-03-10_03f9d0594d1537d7e04872904955e315_cobalt-strike_cobaltstrike.exe	44
PID 2848 wrote to memory of 2148	2848	2024-03-10_03f9d0594d1537d7e04872904955e315_cobalt-strike_cobaltstrike.exe	45
PID 2848 wrote to memory of 2148	2848	2024-03-10_03f9d0594d1537d7e04872904955e315_cobalt-strike_cobaltstrike.exe	45
PID 2848 wrote to memory of 2148	2848	2024-03-10_03f9d0594d1537d7e04872904955e315_cobalt-strike_cobaltstrike.exe	45
PID 2848 wrote to memory of 2180	2848	2024-03-10_03f9d0594d1537d7e04872904955e315_cobalt-strike_cobaltstrike.exe	46
PID 2848 wrote to memory of 2180	2848	2024-03-10_03f9d0594d1537d7e04872904955e315_cobalt-strike_cobaltstrike.exe	46
PID 2848 wrote to memory of 2180	2848	2024-03-10_03f9d0594d1537d7e04872904955e315_cobalt-strike_cobaltstrike.exe	46
PID 2848 wrote to memory of 1052	2848	2024-03-10_03f9d0594d1537d7e04872904955e315_cobalt-strike_cobaltstrike.exe	47
PID 2848 wrote to memory of 1052	2848	2024-03-10_03f9d0594d1537d7e04872904955e315_cobalt-strike_cobaltstrike.exe	47
PID 2848 wrote to memory of 1052	2848	2024-03-10_03f9d0594d1537d7e04872904955e315_cobalt-strike_cobaltstrike.exe	47
PID 2848 wrote to memory of 1600	2848	2024-03-10_03f9d0594d1537d7e04872904955e315_cobalt-strike_cobaltstrike.exe	48
PID 2848 wrote to memory of 1600	2848	2024-03-10_03f9d0594d1537d7e04872904955e315_cobalt-strike_cobaltstrike.exe	48
PID 2848 wrote to memory of 1600	2848	2024-03-10_03f9d0594d1537d7e04872904955e315_cobalt-strike_cobaltstrike.exe	48
PID 2848 wrote to memory of 1728	2848	2024-03-10_03f9d0594d1537d7e04872904955e315_cobalt-strike_cobaltstrike.exe	49
PID 2848 wrote to memory of 1728	2848	2024-03-10_03f9d0594d1537d7e04872904955e315_cobalt-strike_cobaltstrike.exe	49
PID 2848 wrote to memory of 1728	2848	2024-03-10_03f9d0594d1537d7e04872904955e315_cobalt-strike_cobaltstrike.exe	49

C:\Users\Admin\AppData\Local\Temp\2024-03-10_03f9d0594d1537d7e04872904955e315_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-10_03f9d0594d1537d7e04872904955e315_cobalt-strike_cobaltstrike.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2848
- C:\Windows\System\JUODzff.exe
  C:\Windows\System\JUODzff.exe
  2⤵
  - Executes dropped EXE
  PID:2512
- C:\Windows\System\kJDzlbP.exe
  C:\Windows\System\kJDzlbP.exe
  2⤵
  - Executes dropped EXE
  PID:2548
- C:\Windows\System\IXePJkz.exe
  C:\Windows\System\IXePJkz.exe
  2⤵
  - Executes dropped EXE
  PID:2628
- C:\Windows\System\nzRCnaw.exe
  C:\Windows\System\nzRCnaw.exe
  2⤵
  - Executes dropped EXE
  PID:2752
- C:\Windows\System\oxePdcV.exe
  C:\Windows\System\oxePdcV.exe
  2⤵
  - Executes dropped EXE
  PID:2656
- C:\Windows\System\jSXbWxm.exe
  C:\Windows\System\jSXbWxm.exe
  2⤵
  - Executes dropped EXE
  PID:2580
- C:\Windows\System\kntkbPL.exe
  C:\Windows\System\kntkbPL.exe
  2⤵
  - Executes dropped EXE
  PID:2556
- C:\Windows\System\GEVxgte.exe
  C:\Windows\System\GEVxgte.exe
  2⤵
  - Executes dropped EXE
  PID:1988
- C:\Windows\System\iEbqwiW.exe
  C:\Windows\System\iEbqwiW.exe
  2⤵
  - Executes dropped EXE
  PID:2824
- C:\Windows\System\qdxDzXV.exe
  C:\Windows\System\qdxDzXV.exe
  2⤵
  - Executes dropped EXE
  PID:1040
- C:\Windows\System\CTnzdFP.exe
  C:\Windows\System\CTnzdFP.exe
  2⤵
  - Executes dropped EXE
  PID:1800
- C:\Windows\System\vlPIUQe.exe
  C:\Windows\System\vlPIUQe.exe
  2⤵
  - Executes dropped EXE
  PID:1620
- C:\Windows\System\cPiszkf.exe
  C:\Windows\System\cPiszkf.exe
  2⤵
  - Executes dropped EXE
  PID:1180
- C:\Windows\System\CWfuoyE.exe
  C:\Windows\System\CWfuoyE.exe
  2⤵
  - Executes dropped EXE
  PID:1436
- C:\Windows\System\TeIHrrJ.exe
  C:\Windows\System\TeIHrrJ.exe
  2⤵
  - Executes dropped EXE
  PID:2392
- C:\Windows\System\ujfqgSf.exe
  C:\Windows\System\ujfqgSf.exe
  2⤵
  - Executes dropped EXE
  PID:1572
- C:\Windows\System\uoRCTaa.exe
  C:\Windows\System\uoRCTaa.exe
  2⤵
  - Executes dropped EXE
  PID:2148
- C:\Windows\System\RaclgUH.exe
  C:\Windows\System\RaclgUH.exe
  2⤵
  - Executes dropped EXE
  PID:2180
- C:\Windows\System\fEsyCqQ.exe
  C:\Windows\System\fEsyCqQ.exe
  2⤵
  - Executes dropped EXE
  PID:1052
- C:\Windows\System\PLynuUc.exe
  C:\Windows\System\PLynuUc.exe
  2⤵
  - Executes dropped EXE
  PID:1600
- C:\Windows\System\yLDNgGr.exe
  C:\Windows\System\yLDNgGr.exe
  2⤵
  - Executes dropped EXE
  PID:1728

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\CTnzdFP.exe

Filesize
1.6MB

MD5
4892d49c14a7e283153698e747ec87c9

SHA1
7822c69037298ccf4e2cd90381d1446721619c85

SHA256
1bbf7ec7dfa34b0d40895a909b82a3a5ff0e7309cdbaab86e0d5c97264357e18

SHA512
822125c120a17f4b7f203a570ed240a57e897b4dcce83658630a5c0833b272b84d104098adb903387f380218356f2efbba086a67aa762dbec174f6c315eb4502

Download Submit
C:\Windows\system\CWfuoyE.exe

Filesize
1.7MB

MD5
4c7fb526af68a58018fce9684e76f5d6

SHA1
0c2506c4c9a685bca3c1aa79d04eb908bcd042b7

SHA256
448cc2f675a839c46e3992f91d1f4a021763a14894e40a6f4f003425e3793da6

SHA512
5124fdc0126ae537e7e8c9e15ddcf8b9d010f8a23e96a4bb4ad763cc74964edc608202302b9c27afb487b6e5c2c96db0a30fec6aba1c15b280cd9f13d88d07a5

Download Submit
C:\Windows\system\GEVxgte.exe

Filesize
489KB

MD5
0b78ad73ba63d874b4ec7d9bb82ee4cc

SHA1
f6aa23e51b2de2ac146354ee4f51a00e380eaa6c

SHA256
d9adc8c2fa5e458c91d5bc64c6cf80fa6a6db2ec605c5d6f1b991060b9c1ed4f

SHA512
390842e7207997df72040a67716f40fb9f0d6b02493d246d4ba56738849332d67bb4ee89eb8bee46465200f1298d401c74c5b202a2fb69a92ff817a47d181f1a

Download Submit
C:\Windows\system\IXePJkz.exe

Filesize
2.2MB

MD5
3fd849266150bc37937b6340b3459743

SHA1
1cba770c13e1328c44fa9e09ab918316af718321

SHA256
c7377664f1096e73b0a99f6aefbd880885d22949e6d4d21df1a5013d4595223d

SHA512
d05b0d37a60a4d5f8f99d0c5c372be37cd535b615c85f4b3c37d5df4c64ea550c42362bbbd8f5258a79604652fb6461f7e0650f94dde7efa087203c784caa53f

Download Submit
C:\Windows\system\IXePJkz.exe

Filesize
1.6MB

MD5
522656ab9c0437e888cada1d5ce1a9b6

SHA1
59e9f8a69475f8d0eed7a167bde3d51315c02be1

SHA256
4b995c334d694de9752b19ed781852ddbcfd5c8bce06c4f0944ac13f1cd34b56

SHA512
3883d8f18f2a447dfba681bbcbe5da5afd3b5c1102968aeb510b85c8e4306e707701b447609a78c55465437b09d66a601e4f5bc6444747bcf9d5cfeebb2b4a64

Download Submit
C:\Windows\system\JUODzff.exe

Filesize
3.5MB

MD5
3b4c7551dbcfd2e22331edd085493971

SHA1
1d94d7e22bc7d5603488b46702f0cf48fd3b6a48

SHA256
89cc6d665509b7360759237c33e9839a42a99a184bf759b8b0d33ea6b36996e5

SHA512
b719327261e9a2923d1ba63a5e0cdd22a9d23aea070a767ece008bb2c6b4ce89599c1715b6545f891801514b2276526996478044bf0b7ccd3c8e7a8240f0b7fb

Download Submit
C:\Windows\system\PLynuUc.exe

Filesize
1.1MB

MD5
93cdffd7b6c991bef5e3ca51c4bf2111

SHA1
2a21db7e0c7972dbf40183626e099e014c65bd09

SHA256
8d5d7ad349002e022ed473d0ad21ea924d0bb79b06f0a6ac319971f45cbf1177

SHA512
bb0463555fe8111a5bb10d5fa7f35d2b5adf62fc4fae1509b6099c3ef35597ebe32a76ce121ef09882651536301f096c3db3bd3141a82ad42d8ab00bd3ba4ac0

Download Submit
C:\Windows\system\RaclgUH.exe

Filesize
1.4MB

MD5
ce409024e3fd34a978a091ce41eb2805

SHA1
11829f1dc13fdfeb04025c3e23459698cedc2d64

SHA256
581d673100bdc1787cad99e901350a4e1b943ed7f8992937159697756ec2c3ea

SHA512
211a79598ee84f5ff1d4638693280ee1d622eda6a7d5b791531f6b2f803145ef8d4fb6704aa9f19369eb2866e6a156649792798cf6898b8d0b1364d7c5f6afa8

Download Submit
C:\Windows\system\TeIHrrJ.exe

Filesize
238KB

MD5
ef5e8c4fe693f82bf8ba4df832776690

SHA1
1828ca2ae48d023d51d65705936ad3efb4240218

SHA256
9085f8ea834ce0815470f348a05bbf5b376ec4f52bcf04b82aea4eaca86123f1

SHA512
b494c430e9276deef3fce1a241b7b2cd6d2011e6ef37f3c3d03c2d307446aea8cc0875f80d7d8aae2552448a6bbc4cbf7e016fb97ee1ac37b033f702a6151aea

Download Submit
C:\Windows\system\cPiszkf.exe

Filesize
300KB

MD5
5cd25019512a95085eb911250a9e89b4

SHA1
c27ee8f169916afa1b13966a527a328b175efbe7

SHA256
34d2126b755fc938333f21f905e2540a9f12c50b67eebfbc1d2cc00f1b879b8c

SHA512
41eb00dd540f0f87e5c9ce7ec1feb88d4b175c26060c598cceb554954a01a88905555811f13b0d0bdf6a68298f788455cf1864f9bacdc1dfa6cd85ddabcaa122

Download Submit
C:\Windows\system\fEsyCqQ.exe

Filesize
1.1MB

MD5
38bb2a08ceb8b19929b820ca3bae71f3

SHA1
95c490b728dffcf7bcde3076f54a037724f2be39

SHA256
56e8a750d92cabb367021612cf4d5a363df6251562c0d13ed3f4fbbaf6ac6cee

SHA512
6e872c7beb8ea5f912d2133ad2d3533fa8cc79bf620cc7f143afe831785dd5c82e6fdf4ec4edf0b6370dd0aa06b6d7e41624caee03b2c465100b98642f7da967

Download Submit
C:\Windows\system\iEbqwiW.exe

Filesize
1.5MB

MD5
2766bd459baffc1849abaca98d06968a

SHA1
fb48a312b631493be7d565de79f296726bcd404c

SHA256
af4c058cf63722751b60a96b9172248a2566a20cd2a043325e6168fbd45837d8

SHA512
b72a8db030e5b4f990536e0b2613c09d350ecd59de83fb008d4397c9f74ed7ec6f94bb5b4dbd91ea9f9362fc9d8d34d21caa45d92349d736b65032afe1f1f8b7

Download Submit
C:\Windows\system\jSXbWxm.exe

Filesize
1.5MB

MD5
34cee79b4ac483f6a4c5c5c315e066a8

SHA1
1c5fc8ef75fb5b790bd89beba717f90fb5e32654

SHA256
28e0a42119e2f37382836935bf832bc52f81764a74360e85ca904b5bde1eecfb

SHA512
d1db44ea00d1cc7189fe969f18b3f26b388b9913f516263ffd01f2b9664296b81b69f97775784575ea0cbb0125d29908ef6a86113fbd413ee09a9eacff0f0388

Download Submit
C:\Windows\system\kJDzlbP.exe

Filesize
1.7MB

MD5
2bd727cd06f5e3d710a4fe2a92360836

SHA1
9c67ec63191bcc8a334e8eb631a616627196d2e5

SHA256
46d6cda639b5d412036894faa55bf17f50bb19741b4e34547473e7738cb66e97

SHA512
55330c8d8895aacd4484f61335b82518f94a5810db941086fc49f44721daadf811eb88e552bc62b31fbe51edb660c7d038e536be5f7ba2cb8d01d74ceaf303bc

Download Submit
C:\Windows\system\kntkbPL.exe

Filesize
1.3MB

MD5
dbae100f60266e16a523045a9842341e

SHA1
53f76556e55f11f9767fae0d6a4a2da661595fdc

SHA256
49d7e7bef95087a9390d93a279b66b91e57f1a96d73c1feba7510b0e59527440

SHA512
c14b82916da617e464d13a707b8891922fc2fc893b3522d9e1975240a40fc5365db2b2a44a4d18825e86e0131cac8bde3d7152538e756095a1f198ff6f868857

Download Submit
C:\Windows\system\nzRCnaw.exe

Filesize
2.8MB

MD5
130621c5cb233c2c5e34a452b595ac77

SHA1
19ce8b25f1eac341757a6b70c4fc354948156309

SHA256
1dbb599485bccdff6e8b7b55b503da9749145343288cf7c7286b1d3d4096e5f8

SHA512
06a39eaed256b9507e529307d1bf74f18da2cb2c422cd5767052c5f52205c17ccd87c28054a5f41af0aaac1def5649b2ee32298406129f519a9d26d4a28623f7

Download Submit
C:\Windows\system\oxePdcV.exe

Filesize
2.0MB

MD5
9b87a731441b339ce079f9df116bdaff

SHA1
578cddcb8bb4765ca4b0be03d91b481ac22c1bfd

SHA256
aea39dc21a21d74eb5077e0052e8f4cb13aa901fda27f925337d5f9ddd023b22

SHA512
09773c6b5d70b42d8aac6559c2044cf68e6b962fc105a8d35f99f9b21f3238a39cf611c0a6b4d34fbb60a91fcef06787213b26884ba8aa6f36474689ce0ba5ac

Download Submit
C:\Windows\system\qdxDzXV.exe

Filesize
2.0MB

MD5
d7aa9ec9b58fd01e948b95a26331925f

SHA1
f18fa20f9f2120206ab09a8d9a38fde0b0d29f71

SHA256
aa7940060b77e238aa6a501d4c1a41121d8e48b46cde7b81f2e992f9b2a1805e

SHA512
fbae55b796d9da5e1a20d9d85a1c94b0f925c8a6a9c8af7157b6411263e8796b57b816b6d4c5b9d9f1f116f84ba39045f7954cc3336b1d55a1fe936997814b93

Download Submit
C:\Windows\system\ujfqgSf.exe

Filesize
489KB

MD5
36576a14dccbf4e22a21aa6d7f38c02d

SHA1
b55349df5167c32cf92c47cc977854eb611a168d

SHA256
bd79f91b2f5098cf37d036d00a3b6813c1d12e134bdb4a062f2c0b8b4f7fef88

SHA512
c5ae65896781ba0195a8a55be332a3d77d5f32925256a235de39ad99da46250280afd0b90a8e375a2413679843873bf229a85a9bffed365a4cc0ce76a34f1ee3

Download Submit
C:\Windows\system\uoRCTaa.exe

Filesize
225KB

MD5
b2c3ede36ede63d11217f5958fe22e92

SHA1
c3069d24265fab351a21741e7acc5048ecb8c463

SHA256
a5de0f8dfd0bee939dcc04d97e4eaee2f30172bf9336c5adb3df39fbbc940b40

SHA512
80a77166798fdaf040775de2e27269388f5004f5185db0d11b0a237357f6eec04e8e8f1d304d35acca350d7475e278e1ed9b92f532186f46e3deb0b58f850485

Download Submit
C:\Windows\system\vlPIUQe.exe

Filesize
2.3MB

MD5
a2d6c79544e4bcbdd580e0f5f4aaf307

SHA1
0219ac1386fb83d6781be3228463af9ab5af904a

SHA256
29ccac212fe38580ad45dc8d6447bad825aa65142fd1695b79ccdf0cf5bb112f

SHA512
1d65af6353f0a689a4f1cd47fa06e97605d8efd8fa20cd4deb05ca7bcd035a344038b48df9fe05eb0e0b28fca05a9486a69e003c14979722d4b4d1268ed8aa0f

Download Submit
C:\Windows\system\yLDNgGr.exe

Filesize
1009KB

MD5
f705f2423995b582b45409ea7f8d1c03

SHA1
71068ef97c9b9ae418c1c650a611973a99833bad

SHA256
1d16772f92b9286bc19dbbd4bb967d32dcea7c672faaa1801228ed6f7b896dbd

SHA512
d3f23a39473f47313471ff280a7878f190817660f9b29e1a2943f7d2ad233751e42ae9fcfb8ab8f0fe262076255087522e2257131d04166fc6028dfbb9d35e8b

Download Submit
\Windows\system\CTnzdFP.exe

Filesize
2.3MB

MD5
7be04b87b2c2812ded9ac66ad44f147c

SHA1
9bc54348889de75167635ac359bd319e515c9a12

SHA256
8c58b4cf7871939df13e7377e421a103fad336d268759f905b413372ffb07c31

SHA512
04f39c502550c83483512795b18a0b7c6c8dd0c6c5c3742ac27e9662d37167302d30d69788d5adf1083db2b83d2d615ba81cc14f02334581b63acba150f9f871

Download Submit
\Windows\system\CWfuoyE.exe

Filesize
2.1MB

MD5
f0d2b5c2e0a72b495b68fcb5be870b2c

SHA1
5f25510d277e6de2c25427cf98d24d83b07e4f0e

SHA256
d301a2207ecf738b9993b87b5de0f339aff5c1ef2859a72dfcdc3a43f3f4d727

SHA512
92d997d2548d9b30d745f008ac05787bc62dc8c48a5570a2bb321062c56f218ccffcd4ce7138aba39fefbe927916f0bf573b3cf4f7e7721a120fa023dfb271e3

Download Submit
\Windows\system\GEVxgte.exe

Filesize
374KB

MD5
b47baa56da6cfc51c725097826cea3fe

SHA1
f087b63cf1f6069e735cb863e27be307df29a52f

SHA256
013fb4f4d06837c1a5d72cd3eab4bdc72e81b0cb1c26fa1e6f432d500587fd84

SHA512
1bada5a1f6d423632b569c1548bb48c3aa3c81bb06bc109467cedf5e720eb26b37132ecb1a608cd4583c242baea2ebcd4e8c085d3cff91fdbb8458d7e769e927

Download Submit
\Windows\system\IXePJkz.exe

Filesize
2.2MB

MD5
49e11bb916742872312c292140d1f02b

SHA1
a0c071e6a2defb9949c457175cb6b87349b567d0

SHA256
0ef4be0fd87825861cbe1823183a38c239c818b246e632ac7dba7e19dc262051

SHA512
a5f66f888c1b27c8dc56a375ab0b17b059b529beb7512f05c8ba4fba63274ae9ac9d643eb4d33fe8f020831e8386faa39dbdf686c20bc5d0e78c14ac4d00d849

Download Submit
\Windows\system\JUODzff.exe

Filesize
3.0MB

MD5
f7f7aef566e83b30fb7d25ec7c351de6

SHA1
dd8e14626123e27a63d9d0bb3edf25beed6b51cf

SHA256
503811e09f58ab2c743c5e4a129e3bbcbcc3a559e0c8e0974ab1f4297541a38f

SHA512
b83c1b0035d7ecdcfac2666a0b1adcdf67d1b72a67be2fe2de2cb4db54e1f2cb1162d00510a967a7c8ecc20adddaaedf26d2c308fb1c803264082a0378ee1d61

Download Submit
\Windows\system\PLynuUc.exe

Filesize
45KB

MD5
177c83cd0446aa614b790e1368bc9f81

SHA1
d6060564b38e0230f9d002e541ba7009b4ff53d0

SHA256
4c70f23ba29ef2708fc5f1ea47027c7131a3800afae0b52fe34885fea59dcbc4

SHA512
0772de2f93893134f2b3801e16175559acb121dbce8ea97632164b7c765e55637d6b1158211ff89627ec8aeb1c3a897f4799415b2a2cde9234a873d8f5d6b3e3

Download Submit
\Windows\system\RaclgUH.exe

Filesize
1.5MB

MD5
6c115718901b9d764b003b821fd6766f

SHA1
42e90057befa45f169eb2556aec3bc28fd0d3a8a

SHA256
8566820c358c27863432d3c973f596346345119913bdaf94f57bf918aa3cb156

SHA512
80ccca5f8c482c2ad89afc50c29c6116960dc150fa1c30821a12769902d125f3df2e24a0b2e733b1673fc14e282a340aa220f6ca52ccea03187bc84d5fe57aa3

Download Submit
\Windows\system\TeIHrrJ.exe

Filesize
1.7MB

MD5
7c290ed7716fad653b7ecc8a776654dd

SHA1
d0e11d23d21483e2fbcba7c10be6a63499475243

SHA256
262f50ebc9bc03af50a4c5cc0f71c0a9e740b15d7ad3aabcd38e58a68d084ff8

SHA512
304644610414f6ce2caa4e18a4f848e870d07a423605c57e90d50cf6a1ea13f2d97cb08c96b29f0419f11a90518c8efa06e53e545238b5de678b99c37a73b40f

Download Submit
\Windows\system\cPiszkf.exe

Filesize
2.4MB

MD5
219b41e5c96b75a0a162d483384a732b

SHA1
3f99a191eff6cf27121f895da73a547cde9d5728

SHA256
140562dbfa5e0b7691697f9f16f7815d58826e970e6729bc47a59330a26be088

SHA512
f88eea4865ff46358f37f83375ea6c22b5cf457ec4797e8c0980e4d15c7ec5c1367e43d6630f1e249ebe4288ab27ac76a1090c3433174057f99a8691c0c0c036

Download Submit
\Windows\system\fEsyCqQ.exe

Filesize
933KB

MD5
a7edc602a8d7b2a6a2e923d0dd708b04

SHA1
e6480161cdbb8955254cfeda5d0465da0a2ed4aa

SHA256
097155e06410272dbf332434b27abe21e2e96cdccf07c6209bfdd21705c24bad

SHA512
e287f59a5f986ef7ef55aa2289e2b6de5ef2bee96e460e56e9612c0fff3d480c0bbdd3eee196958ecc1ffa1d145937e0292c5fd2f6157c305684edfaba68272c

Download Submit
\Windows\system\iEbqwiW.exe

Filesize
88KB

MD5
e80955d0c553e48088812213c89eec58

SHA1
8119ab808ebe2a11832dce00cfac593a74f433a0

SHA256
eaca4f0d9eeea233d8189052272d3e2c6baff73758140be8f9cf484a5ace2619

SHA512
86f9d17f98f7008baeaba8e2bde2387d05efcec0bb32a51e2e916d405c736e296ef62ef26f1b38eaaec99fbb3c6fe961ea807fd9b5ebe943fad097686fd968c0

Download Submit
\Windows\system\jSXbWxm.exe

Filesize
1.5MB

MD5
b8a6559af8463880ee84c9e36d15e6c8

SHA1
7e115a3923ecec83712a48ad904d38212229f85b

SHA256
3989b84ed669b3177a163fd0e0887661d7af7113c96af0a203f7c24f14f7947a

SHA512
7ccbc993b6dd738679997f2a67ff0c85f02dd8508ddebc07d5153c20258ecb11fdbe67a108538dd1855df1906796a27a19efd605d87ffe9c9b31a8a59f4ad023

Download Submit
\Windows\system\kJDzlbP.exe

Filesize
2.1MB

MD5
675344eb7e569c4cdc8c16f9dfcbdafa

SHA1
a79cf3a1a4bcefeaacca45ba931c1fd7431177c2

SHA256
92a42bd67e1afdd977afdb4fecd3e9a6468c883ef0dfad69c546340ea562047a

SHA512
54aa14ff948f2a8161127f1c96c34f750478d6deeeaabe7d14feeeb3fb610d21f72f4d6390f749edb8ded57dbcabcab770e7cf30900ea423149e0a8da1eb9bdb

Download Submit
\Windows\system\kntkbPL.exe

Filesize
1.3MB

MD5
9acd86d2a18b3772d4f8eb81e3663db4

SHA1
f6bd1f191d7b2aa4685f15dc036c4dd961fd55ca

SHA256
5a3cc6c42afecad46ed742f7c3b8e1e12a197634daf646d53cf021144d95f56d

SHA512
f5d0c4b2e88a3b8602a4fde25f9a1377d6b45bfab7b91265d4d5802fc8f212861bdec47342835671bc4b9009293071d63e740f3325e3e6fd61339f0bfcd94dd1

Download Submit
\Windows\system\nzRCnaw.exe

Filesize
1.9MB

MD5
9f758f83a1b0c1a340606a0400bbcccd

SHA1
849fbc19bdfcef6e443088ff89ee4af6ac4e14a6

SHA256
00ca64e03b5581882f609d0b1d51bc2cc09aec500d0c10a63c62d92bf9171c4d

SHA512
5b37c553a438af0f490fc7764235db65ab92b1fda477866bd138d25e70bc64311f0737205c2c0c2844ade9d7a113aebe5fd271931c03ab04f7e633dbe98d829b

Download Submit
\Windows\system\oxePdcV.exe

Filesize
2.1MB

MD5
1b076b96f9f8e0bc4bd7934b4262a5e7

SHA1
e2343708c466eaad5cb1a6f3c1f511cf1a0db442

SHA256
b195f017a60b3efebb1157f5fcda058653756770308660f931dd2623d0480601

SHA512
0cc9b16caeed30a7851dc1a05c213770ea42e09640564600e591baa41319c014f744bf872c4e24474d12194b72e54a0fcf10d3a991895cda6b7ea6c791089f29

Download Submit
\Windows\system\qdxDzXV.exe

Filesize
2.5MB

MD5
95af753557d7617a1ef9cf8659be8d26

SHA1
21832fe21f1d58c8e02d55590d482338e55ae16d

SHA256
1d3aefdb5c4d02f54361a2a512f23c944c9fa7b15454dabf4a22e73d2445ca49

SHA512
f7336c06a1ddc455830d40d4fbd692dd7aed61559feb6789b7d393bc57af05df7e73cf870bea90a2325e0ac233b4e6c0f136fae3128a2eed4d86a5711a5ec107

Download Submit
\Windows\system\ujfqgSf.exe

Filesize
1.9MB

MD5
2f6b44155404992fa48ae6c30ff6fe04

SHA1
becccb29da370f8a404d57382b3722daf5c99156

SHA256
d64c4ce3d3c3f4907eb064105ad2c47b54f039fd1d854b11401374b0f8c210f0

SHA512
44da7ebf5790263d1ba9e570c7a67e3fc0bb51b794d0428d1f4cb5c1b95f380379a17d36462865baa1927ad28b13432eef949514b709185e5cc3bed9c28676a2

Download Submit
\Windows\system\uoRCTaa.exe

Filesize
557KB

MD5
36a38cc6cb1be6635d14b42d71514e00

SHA1
a04e9f25137609ae02d72a75c0a5a16933365629

SHA256
5bb34dd115322264a7af6a4c595983ae136a19fa28174be05aa05d678f305caf

SHA512
15ce018333c14f74d1029d9274456b51871d817352463f958dcc34a7a2809ef1eb1a9911c4bd860fc2d8babf1ec95d6b769bcbd88b92881e699fe8322602649e

Download Submit
\Windows\system\vlPIUQe.exe

Filesize
2.2MB

MD5
4859c52fff286fce9071b0cb247dc75e

SHA1
00badca753bc6d49b156e9dcd2aa8088ce1332fe

SHA256
f447458a0b0cab668b797e464287f736afa2ab3e071f51096a51dc96df94b591

SHA512
9e3e098a427713e2ef6a9a6b2b075f94ae7623606afd7e2cc29ce5ef9743ef4cadab02947c95d1777f1532168eb100e12a5bb53d95bdbf45616a36cb9eeef1f2

Download Submit
\Windows\system\yLDNgGr.exe

Filesize
747KB

MD5
2be65b748c68e818b5e374defd29c8a6

SHA1
1754c84ab1bd22f81fc4f047f85f1e9101d5ac8b

SHA256
cb272bfabbce5962b23f7455d73ef9b66833631a1ad8279fc3d62e9d26da8f0e

SHA512
a648478a3e315c6aa6febb22d3f39875996603d5edc2c3ca9f1d9a4a3382087bb65e81f67ae9b8936fd70e5b784ae3e90b224a8de942d0c6117854a01029460e

Download Submit
memory/1040-99-0x000000013F6C0000-0x000000013FA11000-memory.dmp

Filesize
3.3MB

Download
memory/1040-155-0x000000013F6C0000-0x000000013FA11000-memory.dmp

Filesize
3.3MB

Download
memory/1040-246-0x000000013F6C0000-0x000000013FA11000-memory.dmp

Filesize
3.3MB

Download
memory/1052-142-0x000000013F730000-0x000000013FA81000-memory.dmp

Filesize
3.3MB

Download
memory/1052-264-0x000000013F730000-0x000000013FA81000-memory.dmp

Filesize
3.3MB

Download
memory/1180-254-0x000000013F0A0000-0x000000013F3F1000-memory.dmp

Filesize
3.3MB

Download
memory/1180-127-0x000000013F0A0000-0x000000013F3F1000-memory.dmp

Filesize
3.3MB

Download
memory/1436-251-0x000000013F290000-0x000000013F5E1000-memory.dmp

Filesize
3.3MB

Download
memory/1436-126-0x000000013F290000-0x000000013F5E1000-memory.dmp

Filesize
3.3MB

Download
memory/1572-138-0x000000013F780000-0x000000013FAD1000-memory.dmp

Filesize
3.3MB

Download
memory/1572-255-0x000000013F780000-0x000000013FAD1000-memory.dmp

Filesize
3.3MB

Download
memory/1600-262-0x000000013F8B0000-0x000000013FC01000-memory.dmp

Filesize
3.3MB

Download
memory/1600-134-0x000000013F8B0000-0x000000013FC01000-memory.dmp

Filesize
3.3MB

Download
memory/1620-245-0x000000013F9C0000-0x000000013FD11000-memory.dmp

Filesize
3.3MB

Download
memory/1620-117-0x000000013F9C0000-0x000000013FD11000-memory.dmp

Filesize
3.3MB

Download
memory/1728-143-0x000000013FCC0000-0x0000000140011000-memory.dmp

Filesize
3.3MB

Download
memory/1728-266-0x000000013FCC0000-0x0000000140011000-memory.dmp

Filesize
3.3MB

Download
memory/1800-249-0x000000013F150000-0x000000013F4A1000-memory.dmp

Filesize
3.3MB

Download
memory/1800-125-0x000000013F150000-0x000000013F4A1000-memory.dmp

Filesize
3.3MB

Download
memory/1988-231-0x000000013F130000-0x000000013F481000-memory.dmp

Filesize
3.3MB

Download
memory/1988-60-0x000000013F130000-0x000000013F481000-memory.dmp

Filesize
3.3MB

Download
memory/2148-129-0x000000013F750000-0x000000013FAA1000-memory.dmp

Filesize
3.3MB

Download
memory/2148-258-0x000000013F750000-0x000000013FAA1000-memory.dmp

Filesize
3.3MB

Download
memory/2180-130-0x000000013FC70000-0x000000013FFC1000-memory.dmp

Filesize
3.3MB

Download
memory/2180-260-0x000000013FC70000-0x000000013FFC1000-memory.dmp

Filesize
3.3MB

Download
memory/2392-256-0x000000013FA60000-0x000000013FDB1000-memory.dmp

Filesize
3.3MB

Download
memory/2392-128-0x000000013FA60000-0x000000013FDB1000-memory.dmp

Filesize
3.3MB

Download
memory/2512-9-0x000000013FBC0000-0x000000013FF11000-memory.dmp

Filesize
3.3MB

Download
memory/2512-216-0x000000013FBC0000-0x000000013FF11000-memory.dmp

Filesize
3.3MB

Download
memory/2512-146-0x000000013FBC0000-0x000000013FF11000-memory.dmp

Filesize
3.3MB

Download
memory/2548-218-0x000000013F7D0000-0x000000013FB21000-memory.dmp

Filesize
3.3MB

Download
memory/2548-40-0x000000013F7D0000-0x000000013FB21000-memory.dmp

Filesize
3.3MB

Download
memory/2556-228-0x000000013F130000-0x000000013F481000-memory.dmp

Filesize
3.3MB

Download
memory/2556-49-0x000000013F130000-0x000000013F481000-memory.dmp

Filesize
3.3MB

Download
memory/2556-152-0x000000013F130000-0x000000013F481000-memory.dmp

Filesize
3.3MB

Download
memory/2580-42-0x000000013FE90000-0x00000001401E1000-memory.dmp

Filesize
3.3MB

Download
memory/2580-226-0x000000013FE90000-0x00000001401E1000-memory.dmp

Filesize
3.3MB

Download
memory/2628-223-0x000000013F830000-0x000000013FB81000-memory.dmp

Filesize
3.3MB

Download
memory/2628-32-0x000000013F830000-0x000000013FB81000-memory.dmp

Filesize
3.3MB

Download
memory/2656-224-0x000000013F280000-0x000000013F5D1000-memory.dmp

Filesize
3.3MB

Download
memory/2656-41-0x000000013F280000-0x000000013F5D1000-memory.dmp

Filesize
3.3MB

Download
memory/2752-38-0x000000013F770000-0x000000013FAC1000-memory.dmp

Filesize
3.3MB

Download
memory/2752-222-0x000000013F770000-0x000000013FAC1000-memory.dmp

Filesize
3.3MB

Download
memory/2824-242-0x000000013FDE0000-0x0000000140131000-memory.dmp

Filesize
3.3MB

Download
memory/2824-63-0x000000013FDE0000-0x0000000140131000-memory.dmp

Filesize
3.3MB

Download
memory/2848-29-0x00000000022E0000-0x0000000002631000-memory.dmp

Filesize
3.3MB

Download
memory/2848-78-0x00000000022E0000-0x0000000002631000-memory.dmp

Filesize
3.3MB

Download
memory/2848-144-0x000000013F540000-0x000000013F891000-memory.dmp

Filesize
3.3MB

Download
memory/2848-145-0x000000013F540000-0x000000013F891000-memory.dmp

Filesize
3.3MB

Download
memory/2848-14-0x00000000022E0000-0x0000000002631000-memory.dmp

Filesize
3.3MB

Download
memory/2848-189-0x000000013FA60000-0x000000013FDB1000-memory.dmp

Filesize
3.3MB

Download
memory/2848-48-0x000000013F130000-0x000000013F481000-memory.dmp

Filesize
3.3MB

Download
memory/2848-55-0x000000013F130000-0x000000013F481000-memory.dmp

Filesize
3.3MB

Download
memory/2848-62-0x000000013FDE0000-0x0000000140131000-memory.dmp

Filesize
3.3MB

Download
memory/2848-167-0x000000013F540000-0x000000013F891000-memory.dmp

Filesize
3.3MB

Download
memory/2848-33-0x00000000022E0000-0x0000000002631000-memory.dmp

Filesize
3.3MB

Download
memory/2848-190-0x000000013F8B0000-0x000000013FC01000-memory.dmp

Filesize
3.3MB

Download
memory/2848-112-0x000000013FA60000-0x000000013FDB1000-memory.dmp

Filesize
3.3MB

Download
memory/2848-106-0x000000013F0A0000-0x000000013F3F1000-memory.dmp

Filesize
3.3MB

Download
memory/2848-123-0x00000000022E0000-0x0000000002631000-memory.dmp

Filesize
3.3MB

Download
memory/2848-132-0x000000013F8B0000-0x000000013FC01000-memory.dmp

Filesize
3.3MB

Download
memory/2848-141-0x000000013FCC0000-0x0000000140011000-memory.dmp

Filesize
3.3MB

Download
memory/2848-140-0x00000000022E0000-0x0000000002631000-memory.dmp

Filesize
3.3MB

Download
memory/2848-7-0x000000013FBC0000-0x000000013FF11000-memory.dmp

Filesize
3.3MB

Download
memory/2848-139-0x000000013FC70000-0x000000013FFC1000-memory.dmp

Filesize
3.3MB

Download
memory/2848-1-0x00000000000F0000-0x0000000000100000-memory.dmp

Filesize
64KB

Download
memory/2848-0-0x000000013F540000-0x000000013F891000-memory.dmp

Filesize
3.3MB

Download
memory/2848-136-0x000000013F150000-0x000000013F4A1000-memory.dmp

Filesize
3.3MB

Download