cobaltstrike | cf4795cb6c6cf5fe7abdc967d195eb8f700bbc5ff589430004e04b64f5661fb0

Analysis

max time kernel
136s
max time network
146s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
13/03/2024, 00:43

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-03-13_33979fc1c6a2ab8bb5a0821cc819f422_cobalt-strike_cobaltstrike.exe
Size

5.9MB
MD5

33979fc1c6a2ab8bb5a0821cc819f422
SHA1

16c824607f1c1a46c82fad9e16ec90c2018110ef
SHA256

cf4795cb6c6cf5fe7abdc967d195eb8f700bbc5ff589430004e04b64f5661fb0
SHA512

d43f7f11d7446679848da576fec8566cacfe4325fefd7cf977112d2aae2fbba7d527e9b561a398bcc89ecebfe2c3cd50a081dc98677328c867855c27cdf64e63
SSDEEP

98304:demTLkNdfE0pZ3u56utgpPFotBER/mQ32lUU:E+b56utgpPF8u/7U

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 40 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x000a000000012252-3.dat	cobalt_reflective_dll
behavioral1/files/0x000a000000012252-7.dat	cobalt_reflective_dll
behavioral1/files/0x000d00000001231c-12.dat	cobalt_reflective_dll
behavioral1/files/0x000d00000001231c-10.dat	cobalt_reflective_dll
behavioral1/files/0x0031000000014502-17.dat	cobalt_reflective_dll
behavioral1/files/0x0031000000014502-13.dat	cobalt_reflective_dll
behavioral1/files/0x0031000000014502-19.dat	cobalt_reflective_dll
behavioral1/files/0x00070000000149e1-26.dat	cobalt_reflective_dll
behavioral1/files/0x00070000000149e1-24.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000014b10-33.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000014b10-30.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000014b36-40.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000014b36-38.dat	cobalt_reflective_dll
behavioral1/files/0x0031000000014588-47.dat	cobalt_reflective_dll
behavioral1/files/0x0031000000014588-44.dat	cobalt_reflective_dll
behavioral1/files/0x0009000000014ba7-52.dat	cobalt_reflective_dll
behavioral1/files/0x0009000000014ba7-50.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015c93-60.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015cb0-70.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015cce-82.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015ce3-94.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015d0c-104.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015d0c-107.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015cf5-101.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015cf5-125.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015d4c-122.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015d4c-132.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015d24-129.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015d24-115.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015d44-118.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015cd9-109.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015cbd-99.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015ce3-97.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015cbd-79.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015cce-86.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015c93-68.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015cb0-67.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015c9c-63.dat	cobalt_reflective_dll
behavioral1/files/0x0009000000014dae-59.dat	cobalt_reflective_dll
behavioral1/files/0x0009000000014dae-55.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 40 IoCs

resource	yara_rule
behavioral1/files/0x000a000000012252-3.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x000a000000012252-7.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x000d00000001231c-12.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x000d00000001231c-10.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0031000000014502-17.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0031000000014502-13.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0031000000014502-19.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x00070000000149e1-26.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x00070000000149e1-24.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000014b10-33.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000014b10-30.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000014b36-40.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000014b36-38.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0031000000014588-47.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0031000000014588-44.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0009000000014ba7-52.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0009000000014ba7-50.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015c93-60.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015cb0-70.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015cce-82.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015ce3-94.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015d0c-104.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015d0c-107.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015cf5-101.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015cf5-125.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015d4c-122.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015d4c-132.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015d24-129.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015d24-115.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015d44-118.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015cd9-109.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015cbd-99.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015ce3-97.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015cbd-79.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015cce-86.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015c93-68.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015cb0-67.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015c9c-63.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0009000000014dae-59.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0009000000014dae-55.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

resource	yara_rule
behavioral1/memory/2200-0-0x000000013FB50000-0x000000013FEA4000-memory.dmp	UPX
behavioral1/files/0x000a000000012252-3.dat	UPX
behavioral1/memory/2376-9-0x000000013F500000-0x000000013F854000-memory.dmp	UPX
behavioral1/files/0x000a000000012252-7.dat	UPX
behavioral1/files/0x000d00000001231c-12.dat	UPX
behavioral1/files/0x000d00000001231c-10.dat	UPX
behavioral1/memory/2632-16-0x000000013FE20000-0x0000000140174000-memory.dmp	UPX
behavioral1/files/0x0031000000014502-17.dat	UPX
behavioral1/files/0x0031000000014502-13.dat	UPX
behavioral1/files/0x0031000000014502-19.dat	UPX
behavioral1/memory/2584-23-0x000000013F660000-0x000000013F9B4000-memory.dmp	UPX
behavioral1/files/0x00070000000149e1-26.dat	UPX
behavioral1/files/0x00070000000149e1-24.dat	UPX
behavioral1/memory/2688-36-0x000000013FC60000-0x000000013FFB4000-memory.dmp	UPX
behavioral1/memory/2436-34-0x000000013F0E0000-0x000000013F434000-memory.dmp	UPX
behavioral1/files/0x0007000000014b10-33.dat	UPX
behavioral1/files/0x0007000000014b10-30.dat	UPX
behavioral1/files/0x0007000000014b36-40.dat	UPX
behavioral1/files/0x0007000000014b36-38.dat	UPX
behavioral1/memory/2672-43-0x000000013F6D0000-0x000000013FA24000-memory.dmp	UPX
behavioral1/files/0x0031000000014588-47.dat	UPX
behavioral1/memory/2460-49-0x000000013F480000-0x000000013F7D4000-memory.dmp	UPX
behavioral1/files/0x0031000000014588-44.dat	UPX
behavioral1/files/0x0009000000014ba7-52.dat	UPX
behavioral1/files/0x0009000000014ba7-50.dat	UPX
behavioral1/files/0x0006000000015c93-60.dat	UPX
behavioral1/files/0x0006000000015cb0-70.dat	UPX
behavioral1/memory/2288-77-0x000000013F250000-0x000000013F5A4000-memory.dmp	UPX
behavioral1/files/0x0006000000015cce-82.dat	UPX
behavioral1/files/0x0006000000015ce3-94.dat	UPX
behavioral1/files/0x0006000000015d0c-104.dat	UPX
behavioral1/files/0x0006000000015d0c-107.dat	UPX
behavioral1/memory/1192-112-0x000000013FD30000-0x0000000140084000-memory.dmp	UPX
behavioral1/files/0x0006000000015cf5-101.dat	UPX
behavioral1/files/0x0006000000015cf5-125.dat	UPX
behavioral1/memory/1428-127-0x000000013FC30000-0x000000013FF84000-memory.dmp	UPX
behavioral1/files/0x0006000000015d4c-122.dat	UPX
behavioral1/memory/1592-134-0x000000013FB70000-0x000000013FEC4000-memory.dmp	UPX
behavioral1/memory/1904-136-0x000000013F730000-0x000000013FA84000-memory.dmp	UPX
behavioral1/memory/2132-138-0x000000013FBB0000-0x000000013FF04000-memory.dmp	UPX
behavioral1/memory/1144-139-0x000000013FED0000-0x0000000140224000-memory.dmp	UPX
behavioral1/memory/1600-141-0x000000013FD90000-0x00000001400E4000-memory.dmp	UPX
behavioral1/memory/1256-142-0x000000013F140000-0x000000013F494000-memory.dmp	UPX
behavioral1/files/0x0006000000015d4c-132.dat	UPX
behavioral1/files/0x0006000000015d24-129.dat	UPX
behavioral1/memory/2364-128-0x000000013FFA0000-0x00000001402F4000-memory.dmp	UPX
behavioral1/files/0x0006000000015d24-115.dat	UPX
behavioral1/files/0x0006000000015d44-118.dat	UPX
behavioral1/memory/2332-111-0x000000013F9B0000-0x000000013FD04000-memory.dmp	UPX
behavioral1/files/0x0006000000015cd9-109.dat	UPX
behavioral1/files/0x0006000000015cbd-99.dat	UPX
behavioral1/files/0x0006000000015ce3-97.dat	UPX
behavioral1/files/0x0006000000015cbd-79.dat	UPX
behavioral1/memory/2308-89-0x000000013FCD0000-0x0000000140024000-memory.dmp	UPX
behavioral1/memory/2164-88-0x000000013FBD0000-0x000000013FF24000-memory.dmp	UPX
behavioral1/files/0x0006000000015cce-86.dat	UPX
behavioral1/memory/3012-78-0x000000013F720000-0x000000013FA74000-memory.dmp	UPX
behavioral1/files/0x0006000000015c93-68.dat	UPX
behavioral1/files/0x0006000000015cb0-67.dat	UPX
behavioral1/files/0x0006000000015c9c-63.dat	UPX
behavioral1/files/0x0009000000014dae-59.dat	UPX
behavioral1/memory/2200-58-0x000000013FB50000-0x000000013FEA4000-memory.dmp	UPX
behavioral1/files/0x0009000000014dae-55.dat	UPX
behavioral1/memory/2376-143-0x000000013F500000-0x000000013F854000-memory.dmp	UPX

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral1/memory/2200-0-0x000000013FB50000-0x000000013FEA4000-memory.dmp	xmrig
behavioral1/files/0x000a000000012252-3.dat	xmrig
behavioral1/memory/2376-9-0x000000013F500000-0x000000013F854000-memory.dmp	xmrig
behavioral1/files/0x000a000000012252-7.dat	xmrig
behavioral1/files/0x000d00000001231c-12.dat	xmrig
behavioral1/files/0x000d00000001231c-10.dat	xmrig
behavioral1/memory/2632-16-0x000000013FE20000-0x0000000140174000-memory.dmp	xmrig
behavioral1/files/0x0031000000014502-17.dat	xmrig
behavioral1/files/0x0031000000014502-13.dat	xmrig
behavioral1/files/0x0031000000014502-19.dat	xmrig
behavioral1/memory/2584-23-0x000000013F660000-0x000000013F9B4000-memory.dmp	xmrig
behavioral1/files/0x00070000000149e1-26.dat	xmrig
behavioral1/files/0x00070000000149e1-24.dat	xmrig
behavioral1/memory/2688-36-0x000000013FC60000-0x000000013FFB4000-memory.dmp	xmrig
behavioral1/memory/2200-37-0x00000000023E0000-0x0000000002734000-memory.dmp	xmrig
behavioral1/memory/2436-34-0x000000013F0E0000-0x000000013F434000-memory.dmp	xmrig
behavioral1/files/0x0007000000014b10-33.dat	xmrig
behavioral1/files/0x0007000000014b10-30.dat	xmrig
behavioral1/files/0x0007000000014b36-40.dat	xmrig
behavioral1/files/0x0007000000014b36-38.dat	xmrig
behavioral1/memory/2672-43-0x000000013F6D0000-0x000000013FA24000-memory.dmp	xmrig
behavioral1/files/0x0031000000014588-47.dat	xmrig
behavioral1/memory/2460-49-0x000000013F480000-0x000000013F7D4000-memory.dmp	xmrig
behavioral1/files/0x0031000000014588-44.dat	xmrig
behavioral1/files/0x0009000000014ba7-52.dat	xmrig
behavioral1/files/0x0009000000014ba7-50.dat	xmrig
behavioral1/files/0x0006000000015c93-60.dat	xmrig
behavioral1/files/0x0006000000015cb0-70.dat	xmrig
behavioral1/memory/2288-77-0x000000013F250000-0x000000013F5A4000-memory.dmp	xmrig
behavioral1/files/0x0006000000015cce-82.dat	xmrig
behavioral1/files/0x0006000000015ce3-94.dat	xmrig
behavioral1/files/0x0006000000015d0c-104.dat	xmrig
behavioral1/files/0x0006000000015d0c-107.dat	xmrig
behavioral1/memory/1192-112-0x000000013FD30000-0x0000000140084000-memory.dmp	xmrig
behavioral1/memory/2200-113-0x000000013F730000-0x000000013FA84000-memory.dmp	xmrig
behavioral1/files/0x0006000000015cf5-101.dat	xmrig
behavioral1/files/0x0006000000015cf5-125.dat	xmrig
behavioral1/memory/1428-127-0x000000013FC30000-0x000000013FF84000-memory.dmp	xmrig
behavioral1/files/0x0006000000015d4c-122.dat	xmrig
behavioral1/memory/1592-134-0x000000013FB70000-0x000000013FEC4000-memory.dmp	xmrig
behavioral1/memory/1904-136-0x000000013F730000-0x000000013FA84000-memory.dmp	xmrig
behavioral1/memory/2132-138-0x000000013FBB0000-0x000000013FF04000-memory.dmp	xmrig
behavioral1/memory/1144-139-0x000000013FED0000-0x0000000140224000-memory.dmp	xmrig
behavioral1/memory/1600-141-0x000000013FD90000-0x00000001400E4000-memory.dmp	xmrig
behavioral1/memory/1256-142-0x000000013F140000-0x000000013F494000-memory.dmp	xmrig
behavioral1/memory/2200-140-0x000000013FFA0000-0x00000001402F4000-memory.dmp	xmrig
behavioral1/memory/2200-137-0x000000013F720000-0x000000013FA74000-memory.dmp	xmrig
behavioral1/memory/2200-135-0x000000013F140000-0x000000013F494000-memory.dmp	xmrig
behavioral1/files/0x0006000000015d4c-132.dat	xmrig
behavioral1/files/0x0006000000015d24-129.dat	xmrig
behavioral1/memory/2364-128-0x000000013FFA0000-0x00000001402F4000-memory.dmp	xmrig
behavioral1/files/0x0006000000015d24-115.dat	xmrig
behavioral1/files/0x0006000000015d44-118.dat	xmrig
behavioral1/memory/2332-111-0x000000013F9B0000-0x000000013FD04000-memory.dmp	xmrig
behavioral1/files/0x0006000000015cd9-109.dat	xmrig
behavioral1/memory/2200-90-0x000000013FED0000-0x0000000140224000-memory.dmp	xmrig
behavioral1/files/0x0006000000015cbd-99.dat	xmrig
behavioral1/files/0x0006000000015ce3-97.dat	xmrig
behavioral1/files/0x0006000000015cbd-79.dat	xmrig
behavioral1/memory/2308-89-0x000000013FCD0000-0x0000000140024000-memory.dmp	xmrig
behavioral1/memory/2164-88-0x000000013FBD0000-0x000000013FF24000-memory.dmp	xmrig
behavioral1/files/0x0006000000015cce-86.dat	xmrig
behavioral1/memory/3012-78-0x000000013F720000-0x000000013FA74000-memory.dmp	xmrig
behavioral1/memory/2200-76-0x000000013F250000-0x000000013F5A4000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2376	VomGERC.exe
2632	XKGVgWl.exe
2584	YmJIbQj.exe
2436	buZOFKW.exe
2688	FzmowgI.exe
2672	VTYYLOI.exe
2460	CUuMBIV.exe
2288	ukQMGII.exe
3012	HuWdCLA.exe
2164	KRBznqv.exe
2308	AxUUKae.exe
2132	biEFOpV.exe
1144	MonlZoR.exe
2332	fOCHqwj.exe
1192	pUMgPmV.exe
1428	ZxDmxKq.exe
2364	mOPouBv.exe
1592	wWZxyvc.exe
1904	tFWKWei.exe
1600	ZxzQiEW.exe
1256	FKlBljt.exe

Loads dropped DLL 21 IoCs

pid	Process
2200	2024-03-13_33979fc1c6a2ab8bb5a0821cc819f422_cobalt-strike_cobaltstrike.exe
2200	2024-03-13_33979fc1c6a2ab8bb5a0821cc819f422_cobalt-strike_cobaltstrike.exe
2200	2024-03-13_33979fc1c6a2ab8bb5a0821cc819f422_cobalt-strike_cobaltstrike.exe
2200	2024-03-13_33979fc1c6a2ab8bb5a0821cc819f422_cobalt-strike_cobaltstrike.exe
2200	2024-03-13_33979fc1c6a2ab8bb5a0821cc819f422_cobalt-strike_cobaltstrike.exe
2200	2024-03-13_33979fc1c6a2ab8bb5a0821cc819f422_cobalt-strike_cobaltstrike.exe
2200	2024-03-13_33979fc1c6a2ab8bb5a0821cc819f422_cobalt-strike_cobaltstrike.exe
2200	2024-03-13_33979fc1c6a2ab8bb5a0821cc819f422_cobalt-strike_cobaltstrike.exe
2200	2024-03-13_33979fc1c6a2ab8bb5a0821cc819f422_cobalt-strike_cobaltstrike.exe
2200	2024-03-13_33979fc1c6a2ab8bb5a0821cc819f422_cobalt-strike_cobaltstrike.exe
2200	2024-03-13_33979fc1c6a2ab8bb5a0821cc819f422_cobalt-strike_cobaltstrike.exe
2200	2024-03-13_33979fc1c6a2ab8bb5a0821cc819f422_cobalt-strike_cobaltstrike.exe
2200	2024-03-13_33979fc1c6a2ab8bb5a0821cc819f422_cobalt-strike_cobaltstrike.exe
2200	2024-03-13_33979fc1c6a2ab8bb5a0821cc819f422_cobalt-strike_cobaltstrike.exe
2200	2024-03-13_33979fc1c6a2ab8bb5a0821cc819f422_cobalt-strike_cobaltstrike.exe
2200	2024-03-13_33979fc1c6a2ab8bb5a0821cc819f422_cobalt-strike_cobaltstrike.exe
2200	2024-03-13_33979fc1c6a2ab8bb5a0821cc819f422_cobalt-strike_cobaltstrike.exe
2200	2024-03-13_33979fc1c6a2ab8bb5a0821cc819f422_cobalt-strike_cobaltstrike.exe
2200	2024-03-13_33979fc1c6a2ab8bb5a0821cc819f422_cobalt-strike_cobaltstrike.exe
2200	2024-03-13_33979fc1c6a2ab8bb5a0821cc819f422_cobalt-strike_cobaltstrike.exe
2200	2024-03-13_33979fc1c6a2ab8bb5a0821cc819f422_cobalt-strike_cobaltstrike.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2200-0-0x000000013FB50000-0x000000013FEA4000-memory.dmp	upx
behavioral1/files/0x000a000000012252-3.dat	upx
behavioral1/memory/2376-9-0x000000013F500000-0x000000013F854000-memory.dmp	upx
behavioral1/files/0x000a000000012252-7.dat	upx
behavioral1/files/0x000d00000001231c-12.dat	upx
behavioral1/files/0x000d00000001231c-10.dat	upx
behavioral1/memory/2632-16-0x000000013FE20000-0x0000000140174000-memory.dmp	upx
behavioral1/files/0x0031000000014502-17.dat	upx
behavioral1/files/0x0031000000014502-13.dat	upx
behavioral1/files/0x0031000000014502-19.dat	upx
behavioral1/memory/2584-23-0x000000013F660000-0x000000013F9B4000-memory.dmp	upx
behavioral1/files/0x00070000000149e1-26.dat	upx
behavioral1/files/0x00070000000149e1-24.dat	upx
behavioral1/memory/2688-36-0x000000013FC60000-0x000000013FFB4000-memory.dmp	upx
behavioral1/memory/2436-34-0x000000013F0E0000-0x000000013F434000-memory.dmp	upx
behavioral1/files/0x0007000000014b10-33.dat	upx
behavioral1/files/0x0007000000014b10-30.dat	upx
behavioral1/files/0x0007000000014b36-40.dat	upx
behavioral1/files/0x0007000000014b36-38.dat	upx
behavioral1/memory/2672-43-0x000000013F6D0000-0x000000013FA24000-memory.dmp	upx
behavioral1/files/0x0031000000014588-47.dat	upx
behavioral1/memory/2460-49-0x000000013F480000-0x000000013F7D4000-memory.dmp	upx
behavioral1/files/0x0031000000014588-44.dat	upx
behavioral1/files/0x0009000000014ba7-52.dat	upx
behavioral1/files/0x0009000000014ba7-50.dat	upx
behavioral1/files/0x0006000000015c93-60.dat	upx
behavioral1/files/0x0006000000015cb0-70.dat	upx
behavioral1/memory/2288-77-0x000000013F250000-0x000000013F5A4000-memory.dmp	upx
behavioral1/files/0x0006000000015cce-82.dat	upx
behavioral1/files/0x0006000000015ce3-94.dat	upx
behavioral1/files/0x0006000000015d0c-104.dat	upx
behavioral1/files/0x0006000000015d0c-107.dat	upx
behavioral1/memory/1192-112-0x000000013FD30000-0x0000000140084000-memory.dmp	upx
behavioral1/files/0x0006000000015cf5-101.dat	upx
behavioral1/files/0x0006000000015cf5-125.dat	upx
behavioral1/memory/1428-127-0x000000013FC30000-0x000000013FF84000-memory.dmp	upx
behavioral1/files/0x0006000000015d4c-122.dat	upx
behavioral1/memory/1592-134-0x000000013FB70000-0x000000013FEC4000-memory.dmp	upx
behavioral1/memory/1904-136-0x000000013F730000-0x000000013FA84000-memory.dmp	upx
behavioral1/memory/2132-138-0x000000013FBB0000-0x000000013FF04000-memory.dmp	upx
behavioral1/memory/1144-139-0x000000013FED0000-0x0000000140224000-memory.dmp	upx
behavioral1/memory/1600-141-0x000000013FD90000-0x00000001400E4000-memory.dmp	upx
behavioral1/memory/1256-142-0x000000013F140000-0x000000013F494000-memory.dmp	upx
behavioral1/files/0x0006000000015d4c-132.dat	upx
behavioral1/files/0x0006000000015d24-129.dat	upx
behavioral1/memory/2364-128-0x000000013FFA0000-0x00000001402F4000-memory.dmp	upx
behavioral1/files/0x0006000000015d24-115.dat	upx
behavioral1/files/0x0006000000015d44-118.dat	upx
behavioral1/memory/2332-111-0x000000013F9B0000-0x000000013FD04000-memory.dmp	upx
behavioral1/files/0x0006000000015cd9-109.dat	upx
behavioral1/files/0x0006000000015cbd-99.dat	upx
behavioral1/files/0x0006000000015ce3-97.dat	upx
behavioral1/files/0x0006000000015cbd-79.dat	upx
behavioral1/memory/2308-89-0x000000013FCD0000-0x0000000140024000-memory.dmp	upx
behavioral1/memory/2164-88-0x000000013FBD0000-0x000000013FF24000-memory.dmp	upx
behavioral1/files/0x0006000000015cce-86.dat	upx
behavioral1/memory/3012-78-0x000000013F720000-0x000000013FA74000-memory.dmp	upx
behavioral1/files/0x0006000000015c93-68.dat	upx
behavioral1/files/0x0006000000015cb0-67.dat	upx
behavioral1/files/0x0006000000015c9c-63.dat	upx
behavioral1/files/0x0009000000014dae-59.dat	upx
behavioral1/memory/2200-58-0x000000013FB50000-0x000000013FEA4000-memory.dmp	upx
behavioral1/files/0x0009000000014dae-55.dat	upx
behavioral1/memory/2376-143-0x000000013F500000-0x000000013F854000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\ukQMGII.exe	2024-03-13_33979fc1c6a2ab8bb5a0821cc819f422_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\KRBznqv.exe	2024-03-13_33979fc1c6a2ab8bb5a0821cc819f422_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\biEFOpV.exe	2024-03-13_33979fc1c6a2ab8bb5a0821cc819f422_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\MonlZoR.exe	2024-03-13_33979fc1c6a2ab8bb5a0821cc819f422_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\VomGERC.exe	2024-03-13_33979fc1c6a2ab8bb5a0821cc819f422_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\YmJIbQj.exe	2024-03-13_33979fc1c6a2ab8bb5a0821cc819f422_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\FzmowgI.exe	2024-03-13_33979fc1c6a2ab8bb5a0821cc819f422_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\VTYYLOI.exe	2024-03-13_33979fc1c6a2ab8bb5a0821cc819f422_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\buZOFKW.exe	2024-03-13_33979fc1c6a2ab8bb5a0821cc819f422_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\pUMgPmV.exe	2024-03-13_33979fc1c6a2ab8bb5a0821cc819f422_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ZxzQiEW.exe	2024-03-13_33979fc1c6a2ab8bb5a0821cc819f422_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\FKlBljt.exe	2024-03-13_33979fc1c6a2ab8bb5a0821cc819f422_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\XKGVgWl.exe	2024-03-13_33979fc1c6a2ab8bb5a0821cc819f422_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\CUuMBIV.exe	2024-03-13_33979fc1c6a2ab8bb5a0821cc819f422_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\fOCHqwj.exe	2024-03-13_33979fc1c6a2ab8bb5a0821cc819f422_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\tFWKWei.exe	2024-03-13_33979fc1c6a2ab8bb5a0821cc819f422_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\wWZxyvc.exe	2024-03-13_33979fc1c6a2ab8bb5a0821cc819f422_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\HuWdCLA.exe	2024-03-13_33979fc1c6a2ab8bb5a0821cc819f422_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\AxUUKae.exe	2024-03-13_33979fc1c6a2ab8bb5a0821cc819f422_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\mOPouBv.exe	2024-03-13_33979fc1c6a2ab8bb5a0821cc819f422_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ZxDmxKq.exe	2024-03-13_33979fc1c6a2ab8bb5a0821cc819f422_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2200	2024-03-13_33979fc1c6a2ab8bb5a0821cc819f422_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	2200	2024-03-13_33979fc1c6a2ab8bb5a0821cc819f422_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2200 wrote to memory of 2376	2200	2024-03-13_33979fc1c6a2ab8bb5a0821cc819f422_cobalt-strike_cobaltstrike.exe	29
PID 2200 wrote to memory of 2376	2200	2024-03-13_33979fc1c6a2ab8bb5a0821cc819f422_cobalt-strike_cobaltstrike.exe	29
PID 2200 wrote to memory of 2376	2200	2024-03-13_33979fc1c6a2ab8bb5a0821cc819f422_cobalt-strike_cobaltstrike.exe	29
PID 2200 wrote to memory of 2632	2200	2024-03-13_33979fc1c6a2ab8bb5a0821cc819f422_cobalt-strike_cobaltstrike.exe	30
PID 2200 wrote to memory of 2632	2200	2024-03-13_33979fc1c6a2ab8bb5a0821cc819f422_cobalt-strike_cobaltstrike.exe	30
PID 2200 wrote to memory of 2632	2200	2024-03-13_33979fc1c6a2ab8bb5a0821cc819f422_cobalt-strike_cobaltstrike.exe	30
PID 2200 wrote to memory of 2584	2200	2024-03-13_33979fc1c6a2ab8bb5a0821cc819f422_cobalt-strike_cobaltstrike.exe	31
PID 2200 wrote to memory of 2584	2200	2024-03-13_33979fc1c6a2ab8bb5a0821cc819f422_cobalt-strike_cobaltstrike.exe	31
PID 2200 wrote to memory of 2584	2200	2024-03-13_33979fc1c6a2ab8bb5a0821cc819f422_cobalt-strike_cobaltstrike.exe	31
PID 2200 wrote to memory of 2436	2200	2024-03-13_33979fc1c6a2ab8bb5a0821cc819f422_cobalt-strike_cobaltstrike.exe	32
PID 2200 wrote to memory of 2436	2200	2024-03-13_33979fc1c6a2ab8bb5a0821cc819f422_cobalt-strike_cobaltstrike.exe	32
PID 2200 wrote to memory of 2436	2200	2024-03-13_33979fc1c6a2ab8bb5a0821cc819f422_cobalt-strike_cobaltstrike.exe	32
PID 2200 wrote to memory of 2688	2200	2024-03-13_33979fc1c6a2ab8bb5a0821cc819f422_cobalt-strike_cobaltstrike.exe	33
PID 2200 wrote to memory of 2688	2200	2024-03-13_33979fc1c6a2ab8bb5a0821cc819f422_cobalt-strike_cobaltstrike.exe	33
PID 2200 wrote to memory of 2688	2200	2024-03-13_33979fc1c6a2ab8bb5a0821cc819f422_cobalt-strike_cobaltstrike.exe	33
PID 2200 wrote to memory of 2672	2200	2024-03-13_33979fc1c6a2ab8bb5a0821cc819f422_cobalt-strike_cobaltstrike.exe	34
PID 2200 wrote to memory of 2672	2200	2024-03-13_33979fc1c6a2ab8bb5a0821cc819f422_cobalt-strike_cobaltstrike.exe	34
PID 2200 wrote to memory of 2672	2200	2024-03-13_33979fc1c6a2ab8bb5a0821cc819f422_cobalt-strike_cobaltstrike.exe	34
PID 2200 wrote to memory of 2460	2200	2024-03-13_33979fc1c6a2ab8bb5a0821cc819f422_cobalt-strike_cobaltstrike.exe	35
PID 2200 wrote to memory of 2460	2200	2024-03-13_33979fc1c6a2ab8bb5a0821cc819f422_cobalt-strike_cobaltstrike.exe	35
PID 2200 wrote to memory of 2460	2200	2024-03-13_33979fc1c6a2ab8bb5a0821cc819f422_cobalt-strike_cobaltstrike.exe	35
PID 2200 wrote to memory of 2288	2200	2024-03-13_33979fc1c6a2ab8bb5a0821cc819f422_cobalt-strike_cobaltstrike.exe	36
PID 2200 wrote to memory of 2288	2200	2024-03-13_33979fc1c6a2ab8bb5a0821cc819f422_cobalt-strike_cobaltstrike.exe	36
PID 2200 wrote to memory of 2288	2200	2024-03-13_33979fc1c6a2ab8bb5a0821cc819f422_cobalt-strike_cobaltstrike.exe	36
PID 2200 wrote to memory of 3012	2200	2024-03-13_33979fc1c6a2ab8bb5a0821cc819f422_cobalt-strike_cobaltstrike.exe	37
PID 2200 wrote to memory of 3012	2200	2024-03-13_33979fc1c6a2ab8bb5a0821cc819f422_cobalt-strike_cobaltstrike.exe	37
PID 2200 wrote to memory of 3012	2200	2024-03-13_33979fc1c6a2ab8bb5a0821cc819f422_cobalt-strike_cobaltstrike.exe	37
PID 2200 wrote to memory of 2164	2200	2024-03-13_33979fc1c6a2ab8bb5a0821cc819f422_cobalt-strike_cobaltstrike.exe	38
PID 2200 wrote to memory of 2164	2200	2024-03-13_33979fc1c6a2ab8bb5a0821cc819f422_cobalt-strike_cobaltstrike.exe	38
PID 2200 wrote to memory of 2164	2200	2024-03-13_33979fc1c6a2ab8bb5a0821cc819f422_cobalt-strike_cobaltstrike.exe	38
PID 2200 wrote to memory of 2132	2200	2024-03-13_33979fc1c6a2ab8bb5a0821cc819f422_cobalt-strike_cobaltstrike.exe	39
PID 2200 wrote to memory of 2132	2200	2024-03-13_33979fc1c6a2ab8bb5a0821cc819f422_cobalt-strike_cobaltstrike.exe	39
PID 2200 wrote to memory of 2132	2200	2024-03-13_33979fc1c6a2ab8bb5a0821cc819f422_cobalt-strike_cobaltstrike.exe	39
PID 2200 wrote to memory of 2308	2200	2024-03-13_33979fc1c6a2ab8bb5a0821cc819f422_cobalt-strike_cobaltstrike.exe	40
PID 2200 wrote to memory of 2308	2200	2024-03-13_33979fc1c6a2ab8bb5a0821cc819f422_cobalt-strike_cobaltstrike.exe	40
PID 2200 wrote to memory of 2308	2200	2024-03-13_33979fc1c6a2ab8bb5a0821cc819f422_cobalt-strike_cobaltstrike.exe	40
PID 2200 wrote to memory of 1192	2200	2024-03-13_33979fc1c6a2ab8bb5a0821cc819f422_cobalt-strike_cobaltstrike.exe	41
PID 2200 wrote to memory of 1192	2200	2024-03-13_33979fc1c6a2ab8bb5a0821cc819f422_cobalt-strike_cobaltstrike.exe	41
PID 2200 wrote to memory of 1192	2200	2024-03-13_33979fc1c6a2ab8bb5a0821cc819f422_cobalt-strike_cobaltstrike.exe	41
PID 2200 wrote to memory of 1144	2200	2024-03-13_33979fc1c6a2ab8bb5a0821cc819f422_cobalt-strike_cobaltstrike.exe	42
PID 2200 wrote to memory of 1144	2200	2024-03-13_33979fc1c6a2ab8bb5a0821cc819f422_cobalt-strike_cobaltstrike.exe	42
PID 2200 wrote to memory of 1144	2200	2024-03-13_33979fc1c6a2ab8bb5a0821cc819f422_cobalt-strike_cobaltstrike.exe	42
PID 2200 wrote to memory of 2364	2200	2024-03-13_33979fc1c6a2ab8bb5a0821cc819f422_cobalt-strike_cobaltstrike.exe	43
PID 2200 wrote to memory of 2364	2200	2024-03-13_33979fc1c6a2ab8bb5a0821cc819f422_cobalt-strike_cobaltstrike.exe	43
PID 2200 wrote to memory of 2364	2200	2024-03-13_33979fc1c6a2ab8bb5a0821cc819f422_cobalt-strike_cobaltstrike.exe	43
PID 2200 wrote to memory of 2332	2200	2024-03-13_33979fc1c6a2ab8bb5a0821cc819f422_cobalt-strike_cobaltstrike.exe	44
PID 2200 wrote to memory of 2332	2200	2024-03-13_33979fc1c6a2ab8bb5a0821cc819f422_cobalt-strike_cobaltstrike.exe	44
PID 2200 wrote to memory of 2332	2200	2024-03-13_33979fc1c6a2ab8bb5a0821cc819f422_cobalt-strike_cobaltstrike.exe	44
PID 2200 wrote to memory of 1904	2200	2024-03-13_33979fc1c6a2ab8bb5a0821cc819f422_cobalt-strike_cobaltstrike.exe	45
PID 2200 wrote to memory of 1904	2200	2024-03-13_33979fc1c6a2ab8bb5a0821cc819f422_cobalt-strike_cobaltstrike.exe	45
PID 2200 wrote to memory of 1904	2200	2024-03-13_33979fc1c6a2ab8bb5a0821cc819f422_cobalt-strike_cobaltstrike.exe	45
PID 2200 wrote to memory of 1428	2200	2024-03-13_33979fc1c6a2ab8bb5a0821cc819f422_cobalt-strike_cobaltstrike.exe	46
PID 2200 wrote to memory of 1428	2200	2024-03-13_33979fc1c6a2ab8bb5a0821cc819f422_cobalt-strike_cobaltstrike.exe	46
PID 2200 wrote to memory of 1428	2200	2024-03-13_33979fc1c6a2ab8bb5a0821cc819f422_cobalt-strike_cobaltstrike.exe	46
PID 2200 wrote to memory of 1600	2200	2024-03-13_33979fc1c6a2ab8bb5a0821cc819f422_cobalt-strike_cobaltstrike.exe	47
PID 2200 wrote to memory of 1600	2200	2024-03-13_33979fc1c6a2ab8bb5a0821cc819f422_cobalt-strike_cobaltstrike.exe	47
PID 2200 wrote to memory of 1600	2200	2024-03-13_33979fc1c6a2ab8bb5a0821cc819f422_cobalt-strike_cobaltstrike.exe	47
PID 2200 wrote to memory of 1592	2200	2024-03-13_33979fc1c6a2ab8bb5a0821cc819f422_cobalt-strike_cobaltstrike.exe	48
PID 2200 wrote to memory of 1592	2200	2024-03-13_33979fc1c6a2ab8bb5a0821cc819f422_cobalt-strike_cobaltstrike.exe	48
PID 2200 wrote to memory of 1592	2200	2024-03-13_33979fc1c6a2ab8bb5a0821cc819f422_cobalt-strike_cobaltstrike.exe	48
PID 2200 wrote to memory of 1256	2200	2024-03-13_33979fc1c6a2ab8bb5a0821cc819f422_cobalt-strike_cobaltstrike.exe	49
PID 2200 wrote to memory of 1256	2200	2024-03-13_33979fc1c6a2ab8bb5a0821cc819f422_cobalt-strike_cobaltstrike.exe	49
PID 2200 wrote to memory of 1256	2200	2024-03-13_33979fc1c6a2ab8bb5a0821cc819f422_cobalt-strike_cobaltstrike.exe	49

C:\Users\Admin\AppData\Local\Temp\2024-03-13_33979fc1c6a2ab8bb5a0821cc819f422_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-13_33979fc1c6a2ab8bb5a0821cc819f422_cobalt-strike_cobaltstrike.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2200
- C:\Windows\System\VomGERC.exe
  C:\Windows\System\VomGERC.exe
  2⤵
  - Executes dropped EXE
  PID:2376
- C:\Windows\System\XKGVgWl.exe
  C:\Windows\System\XKGVgWl.exe
  2⤵
  - Executes dropped EXE
  PID:2632
- C:\Windows\System\YmJIbQj.exe
  C:\Windows\System\YmJIbQj.exe
  2⤵
  - Executes dropped EXE
  PID:2584
- C:\Windows\System\buZOFKW.exe
  C:\Windows\System\buZOFKW.exe
  2⤵
  - Executes dropped EXE
  PID:2436
- C:\Windows\System\FzmowgI.exe
  C:\Windows\System\FzmowgI.exe
  2⤵
  - Executes dropped EXE
  PID:2688
- C:\Windows\System\VTYYLOI.exe
  C:\Windows\System\VTYYLOI.exe
  2⤵
  - Executes dropped EXE
  PID:2672
- C:\Windows\System\CUuMBIV.exe
  C:\Windows\System\CUuMBIV.exe
  2⤵
  - Executes dropped EXE
  PID:2460
- C:\Windows\System\ukQMGII.exe
  C:\Windows\System\ukQMGII.exe
  2⤵
  - Executes dropped EXE
  PID:2288
- C:\Windows\System\HuWdCLA.exe
  C:\Windows\System\HuWdCLA.exe
  2⤵
  - Executes dropped EXE
  PID:3012
- C:\Windows\System\KRBznqv.exe
  C:\Windows\System\KRBznqv.exe
  2⤵
  - Executes dropped EXE
  PID:2164
- C:\Windows\System\biEFOpV.exe
  C:\Windows\System\biEFOpV.exe
  2⤵
  - Executes dropped EXE
  PID:2132
- C:\Windows\System\AxUUKae.exe
  C:\Windows\System\AxUUKae.exe
  2⤵
  - Executes dropped EXE
  PID:2308
- C:\Windows\System\pUMgPmV.exe
  C:\Windows\System\pUMgPmV.exe
  2⤵
  - Executes dropped EXE
  PID:1192
- C:\Windows\System\MonlZoR.exe
  C:\Windows\System\MonlZoR.exe
  2⤵
  - Executes dropped EXE
  PID:1144
- C:\Windows\System\mOPouBv.exe
  C:\Windows\System\mOPouBv.exe
  2⤵
  - Executes dropped EXE
  PID:2364
- C:\Windows\System\fOCHqwj.exe
  C:\Windows\System\fOCHqwj.exe
  2⤵
  - Executes dropped EXE
  PID:2332
- C:\Windows\System\tFWKWei.exe
  C:\Windows\System\tFWKWei.exe
  2⤵
  - Executes dropped EXE
  PID:1904
- C:\Windows\System\ZxDmxKq.exe
  C:\Windows\System\ZxDmxKq.exe
  2⤵
  - Executes dropped EXE
  PID:1428
- C:\Windows\System\ZxzQiEW.exe
  C:\Windows\System\ZxzQiEW.exe
  2⤵
  - Executes dropped EXE
  PID:1600
- C:\Windows\System\wWZxyvc.exe
  C:\Windows\System\wWZxyvc.exe
  2⤵
  - Executes dropped EXE
  PID:1592
- C:\Windows\System\FKlBljt.exe
  C:\Windows\System\FKlBljt.exe
  2⤵
  - Executes dropped EXE
  PID:1256

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\AxUUKae.exe

Filesize
467KB

MD5
bb5bbed322083e68706216db48ce3515

SHA1
2d7e6821015ae7c6ff4b8cc2b85a0bc6a45e4ac8

SHA256
5925a318bc22e0885614b2ce1287361d07896122d376a27facb8d7205a14dbfb

SHA512
25ba9e09b80e933e229cb0145d37750084783e290ab53d2afcdc6223b807e4c1f60a40372c23d0a3b36cfd4cefb90e94baea5ffd3e1eff4ddda977825cef68cb

Download Submit
C:\Windows\system\CUuMBIV.exe

Filesize
45KB

MD5
533b14a7adb756ed077f454d4c85a009

SHA1
764d820f56788d8b0db7a3991e47ab533a6062e7

SHA256
814bc935ebeb72c142ecf8ed98f24b30183721ecb86d79a0831190fccea2868e

SHA512
36e0d4148a30799ec46cf33301c629990d5546efeb7622eec80ba02c28b291572ed9a736bf76fea23967921eefec5d7b399331662d63954dd27b16688545c4cc

Download Submit
C:\Windows\system\FKlBljt.exe

Filesize
325KB

MD5
c1adad048c77bb4fdffa0fe2dc1cd48c

SHA1
18d81aabae51fd52f3be4d7e21f64a1cf35f67b7

SHA256
c2dc49c373cbc3b9d1f818b794133e4862f8f358e262a548220a804d50cd5866

SHA512
4ae1985c279fd4df1e068813a79d7e05f92e7b3fc5e63b862a27a212bcbc09c400b53beccf31dfc406f5e45c03917a1b12f8735cb4ea1e718f4aad6943284c50

Download Submit
C:\Windows\system\FzmowgI.exe

Filesize
315KB

MD5
6ecbe59772c12bb5bfe17f000c57962d

SHA1
27d9c6cc3d7e4e62ae7a74d9702d3092cbe1e27a

SHA256
fea71dfc1e82d78d662b1e7cd7b337083bbf8b532618b843dd6144ce731c3cf7

SHA512
63419bdf7d7712593ae9a071c21032aa5c94c3add2cabf44adc43f7b93a82042fd1d8a38702f13b8fe4352871082a8c0b8ace238bce8ed50afb3abc9777792da

Download Submit
C:\Windows\system\HuWdCLA.exe

Filesize
651KB

MD5
d175cb62c4294430eef6164e29e087ba

SHA1
d721f773f7ed431af30ba22a6bfaeac0458898d6

SHA256
506614f731268a269705966e251c48ae92c73002ac41e86667ad81b6432a88ad

SHA512
787bf1e8f101af9ae776dab59199b13d0946eb2befd813cdb0092a6dd23fd6728704726f2a9c940c48c304d5af05d19e7e573dc42e43e2541f7ef875cfb76e20

Download Submit
C:\Windows\system\KRBznqv.exe

Filesize
688KB

MD5
065308108b92644f7a0de106d47899a9

SHA1
4eed044fcbcd8d1b20de8a186021ea7ba5420ff0

SHA256
efb17126ac4280c672320a109a2c83bdbec1c2cdc654f15f4490b31016d27ed4

SHA512
c9eea60b9946071737a6f55fcd64d55ea5c735e4a3139f1540953c0f6d3145c5bf4501c0b5aef58f8f4ba408a15dac05f4be4e9a3140efb9a48a38f14347a093

Download Submit
C:\Windows\system\MonlZoR.exe

Filesize
1.2MB

MD5
64d34bd64a7711262a745b99c5734278

SHA1
8f98974c7cafd7c47cdd6411df8c4fffdcd9e34a

SHA256
20e17a257c3d5492a9f10a6704ce0191a0da5ee8bb10488e54c31e0c40ffecb3

SHA512
5f735abe343f67b61ad21663f0b1ae612d2bac8f7afb84901092990f3b2eed8d24e15e1dc30dfc9bfee1f07a6061c672abd4ed52e1fd60cd7d6fe82ce1aeb75c

Download Submit
C:\Windows\system\VTYYLOI.exe

Filesize
139KB

MD5
f161422e97c817275b7a29e31c532c1e

SHA1
4666d192e4cda1f062f3a6880b4d783a0bafbe51

SHA256
05d3e40c6bdee2fa1b19945342eb11d66f9a2eafd28069552254d0acd414649d

SHA512
9379f0ce0db11fd50e3a46ba96e293bd12a28985b052e32e6e72d9873894d60800417d14b70e98f171cfdf46ea1cbada3008e4715b03293da3f672fb3a487c9f

Download Submit
C:\Windows\system\VomGERC.exe

Filesize
1.2MB

MD5
3f97edfccccc06c28379ea7e9e0e5a07

SHA1
05a1549595b27b89cb05d5f87497bde0c1e04c8e

SHA256
d726fbd46942202eabf6450932a4ea39a016a0664365ca6fa4b4186dadffe032

SHA512
d572f509a9e3e5bd4afb45af8ba28a17df32152222c44b5693d225bfd13d6051ebbb41123d06495c57e73f9937f3bc13e26deb8e859e83a516dd4fa34ff0464f

Download Submit
C:\Windows\system\XKGVgWl.exe

Filesize
857KB

MD5
4aa7caf98fba427a53830dea734a6d5c

SHA1
8f515139a4385ce6c9c0efc6c9508dc10e7141cc

SHA256
5e12cea7debdb452df92789f185a10d42dc0d5b1e055a51e24e1951de3dc21b5

SHA512
709ef85653fa12e0ab4553b0116fa8ee9d78348b1d04518b9cb1e1c2da88a29db8922cfe48db95fd52e7be1df2e4eddb325a82d724c32b678ad78df8092b288d

Download Submit
C:\Windows\system\YmJIbQj.exe

Filesize
729KB

MD5
c01ab104678aea8f2a7a34e650370fb7

SHA1
f7e6b1513106566d2844c625dab332974500cf16

SHA256
4f646a8b738a934901a1266a9c6bff28d371c1990c98d4ed70c84d0bddf8d903

SHA512
6067cc4c5dae833209dccf35d3dead0b1c3797bb60e8cf4d189faec3d865d2de307b76d11eaf93d09891dc9e8c0a1b897e305ba45eec1ceff1d24ceb43720053

Download Submit
C:\Windows\system\YmJIbQj.exe

Filesize
768KB

MD5
e2ae64d49dc6c3e2bbf4fb6840c43f95

SHA1
7fc2c205a731471bc0cfdb99ce6969ef297905e5

SHA256
d654f9874f4879ae6117d31238c8d373f9d343c210e126bd2cbb7cb9125e19ef

SHA512
204ef8f8a80c2a28a53bd03f3d14ac34a2f6dbebdafe610cfedb4fd5a8cde1a17f234abaec1fd0a95a74eecc573c49a378d3c5c2dfec32b122a6b129eb7fab9a

Download Submit
C:\Windows\system\ZxDmxKq.exe

Filesize
86KB

MD5
0c0c2cfb4cbdd06a48bbcc2efedc66c2

SHA1
37eb68469a991a3e4ffaf7cd0595225e87de7954

SHA256
c78beb55e0e1d0c7e8b930812508a114ae93f96095d323f1740ee0cc3450a674

SHA512
70ddef5e9039ea58ac98125c228dcacbeea10d0d5d3bee8cf92f706b6e97028e79ba9a0887e1fcbff2e81376e7e066654e7f2af611d80c633aeab01003fc2d75

Download Submit
C:\Windows\system\ZxzQiEW.exe

Filesize
277KB

MD5
503d5a32af5a4dd2d955c52a9d636ce5

SHA1
dd1306d817bdbb3c766b2f52898e624e253b3ef2

SHA256
3a9232c223824d89e99b1f92466e3f481df94f51b473579051a0b05ef342875c

SHA512
eaecc8180cdeba5dc42a5fc22251a7610b0ae447c6079d650ddadd0c5336b4e768a38cb2bf8f31d2c65d9f697cf2c864dfbf13ff21dc14618e3d6f994021fd7c

Download Submit
C:\Windows\system\buZOFKW.exe

Filesize
355KB

MD5
59fd9364df6507577c317d05e8aff7af

SHA1
4de322e80229ae2867d19b3a6868134cd9381afa

SHA256
e09a3873a90eec96c0ffa7c37c7efc478ed0b231be386a5ff40d92ec3b42e28e

SHA512
1c4cfd711f8c035928a41985be13ef67a37a173180d2bfe2376f58b2ff497699a9aa3f9134231082f3fa0f4886598e0f388201e6acf3941341c2477e6edea645

Download Submit
C:\Windows\system\fOCHqwj.exe

Filesize
988KB

MD5
e31f874b290001ae66bb0cb0482a7202

SHA1
cc77a7b19cc14baed522e8a0d553f43c4b823d19

SHA256
333bbdde9042ac5b5f2dc8e6bcd33a28011c68f0f6cec34394a8d518e79a6d16

SHA512
07717c3f7a54f1476da92847ae345f131d229ec91229e3c03cd64a84657c40ee57b84da637d8528f539b50c345186b2ee972a28c34c3b7762f9a43afebb4fc6a

Download Submit
C:\Windows\system\mOPouBv.exe

Filesize
919KB

MD5
050bda90b40709cc189c92f1ce28a13d

SHA1
1ce802c51faa6db65fe44e8d875146c7a5e7062e

SHA256
04b89a30ee9457935aab784b68d2f0addb49d460fa21ce9b06579c179a91edfb

SHA512
cd3c3870e6c416ce7bd57f5c1562f947739273562d5650027aea0221fe17eb0a3d91dec31a8c9195e0310f6eab3ac992d424c1e7aa6a175099b27f0c16845568

Download Submit
C:\Windows\system\pUMgPmV.exe

Filesize
560KB

MD5
184fa71556f2c29d0f25f16c3f3fad59

SHA1
d267f683d891c43645bccaed3126e8e660ed397a

SHA256
dad572dbf887d1c5b6034aee87c9fb89d247e371503d2461d2b7d9ff8dcdc05c

SHA512
a998ffa781a7c4d734c6f99dd1f476bb07cdcc9e4e8617b469a8e2c21f6070d07b23139bdb076b82ba3f25d7e75ce4401222511940478384a566a154d2793d3f

Download Submit
C:\Windows\system\tFWKWei.exe

Filesize
72KB

MD5
460326869b67347da680c2fc9e9a555f

SHA1
09d81cc5712484cd5946863ab1c9eade8fac7d8e

SHA256
da90d77d8b701c697c6a781cb4e90eb3652231342ca0019a390b4171d8992e72

SHA512
f90437b5b5ccb7205bed126f3919bd57bcce85e134ee60c7e74de3627858c9af56197d377e3e24b29e73a3c8cd2550ca014b93d9f703e66700fe7266d65ee817

Download Submit
C:\Windows\system\ukQMGII.exe

Filesize
448KB

MD5
6867a721c539bc4eed4e149a207ab9ce

SHA1
8f16ba50040df79f770e40a46c9e51cf320e435f

SHA256
47b78981e5dc540d02678796ceff409213ee9c4b54e102fe961c4454bbc1343e

SHA512
774d77cfeb7f264e6fe5385d2e551cc829ba2d19b80218b9c0e2d990ec706e7dd58fc1270496a135a24cd6af0874491cfc40270c5c1947842851f6c5f3dcadd1

Download Submit
\Windows\system\AxUUKae.exe

Filesize
910KB

MD5
a901a57250281ce82b05f2e52238cdcb

SHA1
816e105ceaf008908ce8c03122b272939b134c20

SHA256
7784f399103e260b30083e10cea550522395deb2adff92a2d5e5f31cf86ca9ae

SHA512
351d8e7fb23c34703308f618bee02fbadfed335d5cd2a043e82690c91fd9965d0dd35481c9ec7c8d28f30918126a362fb4b9fd00af21e085f5d14edd9e47d933

Download Submit
\Windows\system\CUuMBIV.exe

Filesize
82KB

MD5
ffdbec285e6b1cf1d105e1e5a43c6214

SHA1
a0c962adc47cc4dcdb29326a2b382f185787ef59

SHA256
cad35c139f16520c75c46e8bfdf4c8c4bcd930581ab459b7cc03689de2e1bae1

SHA512
aa4969395a765504df1eaef49424696fb41eaa86892f48f64a4d7b8fbedab9d5fa1ed0feb3cc654edd961bda5168901fa09a6fc6d0ed075cd3fad011683d8133

Download Submit
\Windows\system\FKlBljt.exe

Filesize
374KB

MD5
0e33755cc88b643a78745c4588e3e6bd

SHA1
3f8dc8458e585a24069436db82f8555cbc5a866c

SHA256
36fc0c47857f9c8a23815519af7a7b34bb5c548782fa863efd2aa5eb6a16318c

SHA512
533d7783a65eb453e48e8864d0fb55b32e38fe3fd2f04cbbe9c6e9d6799b118faf974867cefbb4f4525e20b73cd772aece6ef120288427dc001fcecd4cef20d0

Download Submit
\Windows\system\FzmowgI.exe

Filesize
294KB

MD5
e304ef381550c7d40ead4b5d4b3b843e

SHA1
17b0d8c0319bb0876ca3f1f38ec353694099625e

SHA256
dda0b3805824319aac715c281d779937c30b294e1ab900e0230e65e163412a74

SHA512
f54303a03a3509b43fe1599d6b8508f43ee9e6278ee5ae907c1b6214c5c3b5617eaae71ad34145f4260368189afed3493835ca2b3613ab5b78157d214340dec6

Download Submit
\Windows\system\HuWdCLA.exe

Filesize
924KB

MD5
d47551b198c96629b29d5e334ed0f98b

SHA1
52481680c5ef70e7ea9e0bfcd72f3d62fb022f27

SHA256
87ecd88270f11da80a2b99bdf8fd42f6f97e5c7311e16afd7f72b4ba785fa81f

SHA512
2a0afe1977cb22c0004ae8b54dade2cffca436f8dea33d7011f72ba95b645c24794fb81378724adf18ff4f98e96399ab329fd1f75a83ecd32741f96856d06359

Download Submit
\Windows\system\KRBznqv.exe

Filesize
358KB

MD5
fed00ba10a3e124cd5c0c9d8065140ae

SHA1
99f8885f657c21b39eedddc91ecc2896fe921603

SHA256
d46dcdfa19a99b7a052ceea86336e4c20efeeff401068e8afc675c8065ac793b

SHA512
46a8209ec181ebb8e324ab75567db49d29f4d17db1dd4433be38e388d4eb6aa84d492de8961a2dce024b9391eee54bb823a58d9e41a95863f1a6c3b75fd75473

Download Submit
\Windows\system\MonlZoR.exe

Filesize
252KB

MD5
ac229ee751ce77a13f3baa581b3c8e1c

SHA1
fd9d7669d7cb92bb29276367beb483c3ae4bfec2

SHA256
febeeba0cd6d5ba1181999498a77fed6cbe40a3e5800304551895ea8c6520eae

SHA512
48371ed10e2c05f2fd458f00c50f73cf642e2161bd2b97042a970fd160e67b2e59b8bc0a75aaaee44cd9a2f0455041e6fc8053ad5a32e44891bf8572edc5809e

Download Submit
\Windows\system\VTYYLOI.exe

Filesize
103KB

MD5
725c1faf96f7871756dc6ceb33849565

SHA1
5820c3b46be5fbf05a0bc61d11b830859359a9e0

SHA256
dab82fe65fe95678a4b2f39c01e607577cdf5cf5a2dc7f72db227bcd8904cb4b

SHA512
8143a5b0b133cfb76ad952e30ad0e39b45723b3e8e4c8a3a251ee5f7f3661845b989afe6c84a8d8b5cc729ea4f79285b156cb0a0e1272e09f3565b8cb3e71bc9

Download Submit
\Windows\system\VomGERC.exe

Filesize
2.0MB

MD5
b2b904aa4c5a88870081bde3ec50f09b

SHA1
09a6809de6f553629c048decaafcb4e0e796abf3

SHA256
c4d6bccd2389437f7cbefd606b82ef6ea863c7437254e12aa9eb4d8fbefcc1ff

SHA512
1398761c44405c9dc3f25c998900c9ad815c9b1602fa271e8f7b3004bf312169d07e3fec123e1feac8115b485d185424f35fccb481ceccd17c478f88122b3fce

Download Submit
\Windows\system\XKGVgWl.exe

Filesize
777KB

MD5
89bc290423835623def810d880535139

SHA1
64f70c39350b206d7486abd473fd5a3d2032b62f

SHA256
e32c9a4187a0d91ef94369f27a9f74a2217604059c62a54f7cc7141a95ef5bad

SHA512
6c297348d3764139e60bf74df7a6f96c93cc464b799e2d2d3573c315db050ec19cd1a8405c1764582350afa425f280cfcb3572791183e23de012e6bc8d0a7ac9

Download Submit
\Windows\system\YmJIbQj.exe

Filesize
769KB

MD5
7f813dafe23b9d1f536de3cc94f4d768

SHA1
9fd10234bbbe0e09e21eceb0b4227e077aa73994

SHA256
b10971f330227f901cb0ed4e5c2e51729027359e8bcc6129dcad36d13dd9eca9

SHA512
a79b25828bfe2798afb82e0d4e187e422f951b960b53450ee19f9679e16a94c86d25d846bf7a009d99e1472122ec96c6316d83e58456638a9a9520f567a1d1a5

Download Submit
\Windows\system\ZxDmxKq.exe

Filesize
89KB

MD5
f765207ff796c36c087204a9dd2868ef

SHA1
a70a1e7eaafae385771c6c4f9bc341f6879fe9df

SHA256
c6b73cafca74d136a0ca2b202c33dc2b07f7d70e0c039c0ccec470490ea9b4a4

SHA512
4c8b3399a79f8d57382a62df49fa4cb0acff43b414c7125451aff49461309d2ecc39cb411b21abad1990c279e42242f766d8da85f14bd3932ee3c3811a9c5676

Download Submit
\Windows\system\ZxzQiEW.exe

Filesize
668KB

MD5
2cf6182b46e8ed4edb524d49f0df71a1

SHA1
69e9f4617e3c92f05c0a60063c4eb0e2b807c333

SHA256
df2383aa072e172d0ea676b5bfc917fda78b3e46294e79dabd96099938b77ffd

SHA512
6ecab2572088ede6b7a9f3e9327919dc1e5c69540263d8beea28e130cc893cc60c01e6847594895fbf32251a737e0df9befeb633ce51674c191f57bc49b43c84

Download Submit
\Windows\system\biEFOpV.exe

Filesize
569KB

MD5
7c1ff03fae7de528627cc113506c10e6

SHA1
bc825da29d5faa1709c87730b96316ae17269fb8

SHA256
6a1259c151acfa50df9dbd5117207d87942e973693d82293ec43527260a748d9

SHA512
edbd091988643f663854b396eeb3c2cff1d90477777c99adb7fb8101be74a3b6a317d08210c8f0e6be2efff971878ac2fa35502853fb7eff6d3f7c339333cff7

Download Submit
\Windows\system\buZOFKW.exe

Filesize
535KB

MD5
43bbc7c39792633ed343e6d743d0c5c9

SHA1
9febf368921fc40c15d670ece310f2a48c6f2710

SHA256
ded692eeba3fb434fdb045dd86d8c3b176e87c8da521d7dac0658bf69ab84d01

SHA512
55c67192946417865cf2d7090ff42573c3da2cbce17787d93b138b19ded191ef404c7713f2b8c1dfd2e0865ff2f54255813fed82911b71bc23854d8939835447

Download Submit
\Windows\system\fOCHqwj.exe

Filesize
140KB

MD5
9e271bd4bef7a54c319604e38d494dff

SHA1
11d403e3daaa7e3e45fee61cf2fe45ff8d416156

SHA256
618e36e4d68d7c8de322bb3d01b128ec09a48d832cf7787d302cab4946112588

SHA512
8797beecffeaf712e620206456fa89540b57f2eb8fd50c397d751aed2fa1a7241c17304c2e5b3d13bef993519421bde1a46c0e490041f3659908df2cb5c00333

Download Submit
\Windows\system\pUMgPmV.exe

Filesize
510KB

MD5
51d97a6bc093f603aa0afbcba37750a4

SHA1
7a799c5234fcf3628ba90cd586f3e1072e715621

SHA256
00a3cf3e30c16181da2671ae041368e5d11c1950c6fddf8efa0866ed11529344

SHA512
a18d066fd4d1fde5d420cbb9f11cfb62c5fbcf49ae71da46675dbfb8f9f12fc4295ff17f6aaf5f71372f3bd25458558ac60fb0c2d82dd33fb910c27886f089fd

Download Submit
\Windows\system\tFWKWei.exe

Filesize
64KB

MD5
5e383651b4ad8adf73f8cfb02c16b98e

SHA1
47176fcb459dbc31bc538c7e96995706ae8d9e83

SHA256
9f1d9169173a62be2ed3a27bfbcde292774615c8428aa1723a19185177112fca

SHA512
398155bd2bbffd32b60f6e65c6ef525aa97b0b8d8859f7acc74dd9a370ef6a5cf76452e7076a8daba6fc7c3b2d8a53434725c739d6cedc55557d8c3510485678

Download Submit
\Windows\system\ukQMGII.exe

Filesize
864KB

MD5
a6b47403a720cd203d9b0079d42da587

SHA1
0022f020c4491b4609742460ccce8e0efd7da14b

SHA256
f8d87fe41227b2d4e5b95ddfe925cec5c3d38bba2e1e2f95f30a8c265a4d6d48

SHA512
d6b6a19a8ba7830bc55dc061ea1ba4076de70f2906afdbb9fae185a1baaf1f5f9c0817e65b24f36f2c006fad6f29b7e362fec6b770673cdcebcb94dc8636bd5c

Download Submit
\Windows\system\wWZxyvc.exe

Filesize
509KB

MD5
4270739245d83d391f07da211bafde1b

SHA1
87b17c97f54fac04cf1f77d8f14f239104976341

SHA256
73e62b9228476693e589405c326d212e88320056fbc88994ea809b6c793b67de

SHA512
d07136fb64f42ccd8298872dc6bd664c9e57dff255e107e13f7845d9c504acd1b7b577be4ce73c14e515efe114aa536934549e174c0621ddde1f8ffb423b6dbe

Download Submit
memory/1144-139-0x000000013FED0000-0x0000000140224000-memory.dmp

Filesize
3.3MB

Download
memory/1144-165-0x000000013FED0000-0x0000000140224000-memory.dmp

Filesize
3.3MB

Download
memory/1192-112-0x000000013FD30000-0x0000000140084000-memory.dmp

Filesize
3.3MB

Download
memory/1192-149-0x000000013FD30000-0x0000000140084000-memory.dmp

Filesize
3.3MB

Download
memory/1192-168-0x000000013FD30000-0x0000000140084000-memory.dmp

Filesize
3.3MB

Download
memory/1256-152-0x000000013F140000-0x000000013F494000-memory.dmp

Filesize
3.3MB

Download
memory/1256-142-0x000000013F140000-0x000000013F494000-memory.dmp

Filesize
3.3MB

Download
memory/1428-127-0x000000013FC30000-0x000000013FF84000-memory.dmp

Filesize
3.3MB

Download
memory/1428-167-0x000000013FC30000-0x000000013FF84000-memory.dmp

Filesize
3.3MB

Download
memory/1592-134-0x000000013FB70000-0x000000013FEC4000-memory.dmp

Filesize
3.3MB

Download
memory/1592-169-0x000000013FB70000-0x000000013FEC4000-memory.dmp

Filesize
3.3MB

Download
memory/1600-141-0x000000013FD90000-0x00000001400E4000-memory.dmp

Filesize
3.3MB

Download
memory/1904-136-0x000000013F730000-0x000000013FA84000-memory.dmp

Filesize
3.3MB

Download
memory/2132-138-0x000000013FBB0000-0x000000013FF04000-memory.dmp

Filesize
3.3MB

Download
memory/2132-164-0x000000013FBB0000-0x000000013FF04000-memory.dmp

Filesize
3.3MB

Download
memory/2164-88-0x000000013FBD0000-0x000000013FF24000-memory.dmp

Filesize
3.3MB

Download
memory/2164-161-0x000000013FBD0000-0x000000013FF24000-memory.dmp

Filesize
3.3MB

Download
memory/2200-29-0x000000013F0E0000-0x000000013F434000-memory.dmp

Filesize
3.3MB

Download
memory/2200-58-0x000000013FB50000-0x000000013FEA4000-memory.dmp

Filesize
3.3MB

Download
memory/2200-114-0x00000000023E0000-0x0000000002734000-memory.dmp

Filesize
3.3MB

Download
memory/2200-131-0x00000000023E0000-0x0000000002734000-memory.dmp

Filesize
3.3MB

Download
memory/2200-150-0x000000013F140000-0x000000013F494000-memory.dmp

Filesize
3.3MB

Download
memory/2200-22-0x000000013F660000-0x000000013F9B4000-memory.dmp

Filesize
3.3MB

Download
memory/2200-90-0x000000013FED0000-0x0000000140224000-memory.dmp

Filesize
3.3MB

Download
memory/2200-15-0x00000000023E0000-0x0000000002734000-memory.dmp

Filesize
3.3MB

Download
memory/2200-135-0x000000013F140000-0x000000013F494000-memory.dmp

Filesize
3.3MB

Download
memory/2200-137-0x000000013F720000-0x000000013FA74000-memory.dmp

Filesize
3.3MB

Download
memory/2200-151-0x000000013F720000-0x000000013FA74000-memory.dmp

Filesize
3.3MB

Download
memory/2200-140-0x000000013FFA0000-0x00000001402F4000-memory.dmp

Filesize
3.3MB

Download
memory/2200-113-0x000000013F730000-0x000000013FA84000-memory.dmp

Filesize
3.3MB

Download
memory/2200-37-0x00000000023E0000-0x0000000002734000-memory.dmp

Filesize
3.3MB

Download
memory/2200-76-0x000000013F250000-0x000000013F5A4000-memory.dmp

Filesize
3.3MB

Download
memory/2200-6-0x000000013F500000-0x000000013F854000-memory.dmp

Filesize
3.3MB

Download
memory/2200-83-0x00000000023E0000-0x0000000002734000-memory.dmp

Filesize
3.3MB

Download
memory/2200-1-0x00000000000F0000-0x0000000000100000-memory.dmp

Filesize
64KB

Download
memory/2200-0-0x000000013FB50000-0x000000013FEA4000-memory.dmp

Filesize
3.3MB

Download
memory/2288-77-0x000000013F250000-0x000000013F5A4000-memory.dmp

Filesize
3.3MB

Download
memory/2288-160-0x000000013F250000-0x000000013F5A4000-memory.dmp

Filesize
3.3MB

Download
memory/2308-162-0x000000013FCD0000-0x0000000140024000-memory.dmp

Filesize
3.3MB

Download
memory/2308-89-0x000000013FCD0000-0x0000000140024000-memory.dmp

Filesize
3.3MB

Download
memory/2332-166-0x000000013F9B0000-0x000000013FD04000-memory.dmp

Filesize
3.3MB

Download
memory/2332-111-0x000000013F9B0000-0x000000013FD04000-memory.dmp

Filesize
3.3MB

Download
memory/2364-128-0x000000013FFA0000-0x00000001402F4000-memory.dmp

Filesize
3.3MB

Download
memory/2364-148-0x000000013FFA0000-0x00000001402F4000-memory.dmp

Filesize
3.3MB

Download
memory/2376-143-0x000000013F500000-0x000000013F854000-memory.dmp

Filesize
3.3MB

Download
memory/2376-9-0x000000013F500000-0x000000013F854000-memory.dmp

Filesize
3.3MB

Download
memory/2376-153-0x000000013F500000-0x000000013F854000-memory.dmp

Filesize
3.3MB

Download
memory/2436-34-0x000000013F0E0000-0x000000013F434000-memory.dmp

Filesize
3.3MB

Download
memory/2436-156-0x000000013F0E0000-0x000000013F434000-memory.dmp

Filesize
3.3MB

Download
memory/2460-159-0x000000013F480000-0x000000013F7D4000-memory.dmp

Filesize
3.3MB

Download
memory/2460-49-0x000000013F480000-0x000000013F7D4000-memory.dmp

Filesize
3.3MB

Download
memory/2460-147-0x000000013F480000-0x000000013F7D4000-memory.dmp

Filesize
3.3MB

Download
memory/2584-155-0x000000013F660000-0x000000013F9B4000-memory.dmp

Filesize
3.3MB

Download
memory/2584-144-0x000000013F660000-0x000000013F9B4000-memory.dmp

Filesize
3.3MB

Download
memory/2584-23-0x000000013F660000-0x000000013F9B4000-memory.dmp

Filesize
3.3MB

Download
memory/2632-154-0x000000013FE20000-0x0000000140174000-memory.dmp

Filesize
3.3MB

Download
memory/2632-16-0x000000013FE20000-0x0000000140174000-memory.dmp

Filesize
3.3MB

Download
memory/2672-158-0x000000013F6D0000-0x000000013FA24000-memory.dmp

Filesize
3.3MB

Download
memory/2672-43-0x000000013F6D0000-0x000000013FA24000-memory.dmp

Filesize
3.3MB

Download
memory/2672-146-0x000000013F6D0000-0x000000013FA24000-memory.dmp

Filesize
3.3MB

Download
memory/2688-157-0x000000013FC60000-0x000000013FFB4000-memory.dmp

Filesize
3.3MB

Download
memory/2688-145-0x000000013FC60000-0x000000013FFB4000-memory.dmp

Filesize
3.3MB

Download
memory/2688-36-0x000000013FC60000-0x000000013FFB4000-memory.dmp

Filesize
3.3MB

Download
memory/3012-78-0x000000013F720000-0x000000013FA74000-memory.dmp

Filesize
3.3MB

Download
memory/3012-163-0x000000013F720000-0x000000013FA74000-memory.dmp

Filesize
3.3MB

Download