cobaltstrike | 90f687bd0dc89bc2c12725bd6798fee0ffbd57bb87620d93b2d5df0b4ec2d4c7

Analysis

max time kernel
148s
max time network
154s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
25/05/2024, 12:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-25_ee64a18e4cdf1da5dc37842152825058_cobalt-strike_cobaltstrike.exe
Size

5.9MB
MD5

ee64a18e4cdf1da5dc37842152825058
SHA1

1e7a2fcecb76c55431c525a3707c06f5cd45b4fb
SHA256

90f687bd0dc89bc2c12725bd6798fee0ffbd57bb87620d93b2d5df0b4ec2d4c7
SHA512

1000c0f8e3fdb941adf45d6866854e699daa84cc20d3ba622fd5ef7b380664e99d35a2bfe2a9bb9e657ce11b39742c710970b30dec641be4e306e8bddf18984d
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUK:Q+856utgpPF8u/7K

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x0009000000014909-3.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000015264-9.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015364-22.dat	cobalt_reflective_dll
behavioral1/files/0x00070000000155d4-27.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d11-44.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d24-118.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016e56-97.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d84-86.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d4a-81.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d4f-77.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d36-71.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d41-69.dat	cobalt_reflective_dll
behavioral1/files/0x000600000001704f-104.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d89-94.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d55-91.dat	cobalt_reflective_dll
behavioral1/files/0x000e000000014e3d-59.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d01-42.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000016cf0-38.dat	cobalt_reflective_dll
behavioral1/files/0x0009000000015cb9-35.dat	cobalt_reflective_dll
behavioral1/files/0x000900000001560a-30.dat	cobalt_reflective_dll
behavioral1/files/0x002c000000014c67-10.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

resource	yara_rule
behavioral1/files/0x0009000000014909-3.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0008000000015264-9.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000015364-22.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x00070000000155d4-27.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d11-44.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d24-118.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016e56-97.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d84-86.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d4a-81.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d4f-77.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d36-71.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d41-69.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x000600000001704f-104.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d89-94.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d55-91.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x000e000000014e3d-59.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d01-42.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000016cf0-38.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0009000000015cb9-35.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x000900000001560a-30.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x002c000000014c67-10.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 50 IoCs

resource	yara_rule
behavioral1/memory/2760-0-0x000000013F410000-0x000000013F764000-memory.dmp	UPX
behavioral1/files/0x0009000000014909-3.dat	UPX
behavioral1/memory/2692-14-0x000000013F1B0000-0x000000013F504000-memory.dmp	UPX
behavioral1/files/0x0008000000015264-9.dat	UPX
behavioral1/files/0x0007000000015364-22.dat	UPX
behavioral1/files/0x00070000000155d4-27.dat	UPX
behavioral1/files/0x0006000000016d11-44.dat	UPX
behavioral1/files/0x0006000000016d24-118.dat	UPX
behavioral1/files/0x0006000000016e56-97.dat	UPX
behavioral1/files/0x0006000000016d84-86.dat	UPX
behavioral1/memory/2552-82-0x000000013F890000-0x000000013FBE4000-memory.dmp	UPX
behavioral1/files/0x0006000000016d4a-81.dat	UPX
behavioral1/files/0x0006000000016d4f-77.dat	UPX
behavioral1/files/0x0006000000016d36-71.dat	UPX
behavioral1/files/0x0006000000016d41-69.dat	UPX
behavioral1/memory/240-117-0x000000013F570000-0x000000013F8C4000-memory.dmp	UPX
behavioral1/memory/472-115-0x000000013F6D0000-0x000000013FA24000-memory.dmp	UPX
behavioral1/memory/2416-114-0x000000013F650000-0x000000013F9A4000-memory.dmp	UPX
behavioral1/memory/2468-112-0x000000013FDF0000-0x0000000140144000-memory.dmp	UPX
behavioral1/memory/2556-109-0x000000013FE30000-0x0000000140184000-memory.dmp	UPX
behavioral1/memory/2804-106-0x000000013FAA0000-0x000000013FDF4000-memory.dmp	UPX
behavioral1/files/0x000600000001704f-104.dat	UPX
behavioral1/memory/2772-103-0x000000013F460000-0x000000013F7B4000-memory.dmp	UPX
behavioral1/memory/3060-95-0x000000013F6A0000-0x000000013F9F4000-memory.dmp	UPX
behavioral1/files/0x0006000000016d89-94.dat	UPX
behavioral1/files/0x0006000000016d55-91.dat	UPX
behavioral1/memory/2572-68-0x000000013F3D0000-0x000000013F724000-memory.dmp	UPX
behavioral1/files/0x000e000000014e3d-59.dat	UPX
behavioral1/memory/2528-53-0x000000013F9F0000-0x000000013FD44000-memory.dmp	UPX
behavioral1/files/0x0006000000016d01-42.dat	UPX
behavioral1/files/0x0007000000016cf0-38.dat	UPX
behavioral1/files/0x0009000000015cb9-35.dat	UPX
behavioral1/files/0x000900000001560a-30.dat	UPX
behavioral1/files/0x002c000000014c67-10.dat	UPX
behavioral1/memory/1384-129-0x000000013F540000-0x000000013F894000-memory.dmp	UPX
behavioral1/memory/2760-134-0x000000013F410000-0x000000013F764000-memory.dmp	UPX
behavioral1/memory/2692-135-0x000000013F1B0000-0x000000013F504000-memory.dmp	UPX
behavioral1/memory/2528-137-0x000000013F9F0000-0x000000013FD44000-memory.dmp	UPX
behavioral1/memory/2692-138-0x000000013F1B0000-0x000000013F504000-memory.dmp	UPX
behavioral1/memory/2552-139-0x000000013F890000-0x000000013FBE4000-memory.dmp	UPX
behavioral1/memory/2468-146-0x000000013FDF0000-0x0000000140144000-memory.dmp	UPX
behavioral1/memory/2416-145-0x000000013F650000-0x000000013F9A4000-memory.dmp	UPX
behavioral1/memory/2804-144-0x000000013FAA0000-0x000000013FDF4000-memory.dmp	UPX
behavioral1/memory/2556-143-0x000000013FE30000-0x0000000140184000-memory.dmp	UPX
behavioral1/memory/472-147-0x000000013F6D0000-0x000000013FA24000-memory.dmp	UPX
behavioral1/memory/3060-142-0x000000013F6A0000-0x000000013F9F4000-memory.dmp	UPX
behavioral1/memory/2772-141-0x000000013F460000-0x000000013F7B4000-memory.dmp	UPX
behavioral1/memory/2572-140-0x000000013F3D0000-0x000000013F724000-memory.dmp	UPX
behavioral1/memory/240-148-0x000000013F570000-0x000000013F8C4000-memory.dmp	UPX
behavioral1/memory/1384-149-0x000000013F540000-0x000000013F894000-memory.dmp	UPX

XMRig Miner payload 55 IoCs

miner

resource	yara_rule
behavioral1/memory/2760-0-0x000000013F410000-0x000000013F764000-memory.dmp	xmrig
behavioral1/files/0x0009000000014909-3.dat	xmrig
behavioral1/memory/2692-14-0x000000013F1B0000-0x000000013F504000-memory.dmp	xmrig
behavioral1/files/0x0008000000015264-9.dat	xmrig
behavioral1/files/0x0007000000015364-22.dat	xmrig
behavioral1/files/0x00070000000155d4-27.dat	xmrig
behavioral1/files/0x0006000000016d11-44.dat	xmrig
behavioral1/files/0x0006000000016d24-118.dat	xmrig
behavioral1/files/0x0006000000016e56-97.dat	xmrig
behavioral1/files/0x0006000000016d84-86.dat	xmrig
behavioral1/memory/2552-82-0x000000013F890000-0x000000013FBE4000-memory.dmp	xmrig
behavioral1/files/0x0006000000016d4a-81.dat	xmrig
behavioral1/files/0x0006000000016d4f-77.dat	xmrig
behavioral1/files/0x0006000000016d36-71.dat	xmrig
behavioral1/files/0x0006000000016d41-69.dat	xmrig
behavioral1/memory/240-117-0x000000013F570000-0x000000013F8C4000-memory.dmp	xmrig
behavioral1/memory/472-115-0x000000013F6D0000-0x000000013FA24000-memory.dmp	xmrig
behavioral1/memory/2416-114-0x000000013F650000-0x000000013F9A4000-memory.dmp	xmrig
behavioral1/memory/2760-113-0x0000000002410000-0x0000000002764000-memory.dmp	xmrig
behavioral1/memory/2468-112-0x000000013FDF0000-0x0000000140144000-memory.dmp	xmrig
behavioral1/memory/2556-109-0x000000013FE30000-0x0000000140184000-memory.dmp	xmrig
behavioral1/memory/2760-108-0x000000013FE30000-0x0000000140184000-memory.dmp	xmrig
behavioral1/memory/2804-106-0x000000013FAA0000-0x000000013FDF4000-memory.dmp	xmrig
behavioral1/memory/2760-105-0x000000013FAA0000-0x000000013FDF4000-memory.dmp	xmrig
behavioral1/files/0x000600000001704f-104.dat	xmrig
behavioral1/memory/2772-103-0x000000013F460000-0x000000013F7B4000-memory.dmp	xmrig
behavioral1/memory/3060-95-0x000000013F6A0000-0x000000013F9F4000-memory.dmp	xmrig
behavioral1/files/0x0006000000016d89-94.dat	xmrig
behavioral1/files/0x0006000000016d55-91.dat	xmrig
behavioral1/memory/2760-76-0x000000013F890000-0x000000013FBE4000-memory.dmp	xmrig
behavioral1/memory/2572-68-0x000000013F3D0000-0x000000013F724000-memory.dmp	xmrig
behavioral1/files/0x000e000000014e3d-59.dat	xmrig
behavioral1/memory/2528-53-0x000000013F9F0000-0x000000013FD44000-memory.dmp	xmrig
behavioral1/files/0x0006000000016d01-42.dat	xmrig
behavioral1/files/0x0007000000016cf0-38.dat	xmrig
behavioral1/files/0x0009000000015cb9-35.dat	xmrig
behavioral1/files/0x000900000001560a-30.dat	xmrig
behavioral1/files/0x002c000000014c67-10.dat	xmrig
behavioral1/memory/2760-128-0x0000000002410000-0x0000000002764000-memory.dmp	xmrig
behavioral1/memory/1384-129-0x000000013F540000-0x000000013F894000-memory.dmp	xmrig
behavioral1/memory/2760-134-0x000000013F410000-0x000000013F764000-memory.dmp	xmrig
behavioral1/memory/2692-135-0x000000013F1B0000-0x000000013F504000-memory.dmp	xmrig
behavioral1/memory/2528-137-0x000000013F9F0000-0x000000013FD44000-memory.dmp	xmrig
behavioral1/memory/2692-138-0x000000013F1B0000-0x000000013F504000-memory.dmp	xmrig
behavioral1/memory/2552-139-0x000000013F890000-0x000000013FBE4000-memory.dmp	xmrig
behavioral1/memory/2468-146-0x000000013FDF0000-0x0000000140144000-memory.dmp	xmrig
behavioral1/memory/2416-145-0x000000013F650000-0x000000013F9A4000-memory.dmp	xmrig
behavioral1/memory/2804-144-0x000000013FAA0000-0x000000013FDF4000-memory.dmp	xmrig
behavioral1/memory/2556-143-0x000000013FE30000-0x0000000140184000-memory.dmp	xmrig
behavioral1/memory/472-147-0x000000013F6D0000-0x000000013FA24000-memory.dmp	xmrig
behavioral1/memory/3060-142-0x000000013F6A0000-0x000000013F9F4000-memory.dmp	xmrig
behavioral1/memory/2772-141-0x000000013F460000-0x000000013F7B4000-memory.dmp	xmrig
behavioral1/memory/2572-140-0x000000013F3D0000-0x000000013F724000-memory.dmp	xmrig
behavioral1/memory/240-148-0x000000013F570000-0x000000013F8C4000-memory.dmp	xmrig
behavioral1/memory/1384-149-0x000000013F540000-0x000000013F894000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2528	qXcNQTb.exe
2692	ZvYZZBD.exe
2572	FjlrdNV.exe
2552	REktnyr.exe
3060	eZgGsBZ.exe
2772	bEhIMNO.exe
2804	LViPWqQ.exe
2556	aCMRKIP.exe
2468	vDKGsrr.exe
2416	qeHQiQs.exe
472	DjFqQsJ.exe
240	jWTWKhm.exe
1384	eAMSxpQ.exe
2828	XdhKCbc.exe
3044	PRJrcqo.exe
1336	SfoqqIb.exe
944	jJVIIJA.exe
1716	nzODGjp.exe
860	jwmlAcN.exe
2952	qJByspa.exe
1232	MGHZdxL.exe

Loads dropped DLL 21 IoCs

pid	Process
2760	2024-05-25_ee64a18e4cdf1da5dc37842152825058_cobalt-strike_cobaltstrike.exe
2760	2024-05-25_ee64a18e4cdf1da5dc37842152825058_cobalt-strike_cobaltstrike.exe
2760	2024-05-25_ee64a18e4cdf1da5dc37842152825058_cobalt-strike_cobaltstrike.exe
2760	2024-05-25_ee64a18e4cdf1da5dc37842152825058_cobalt-strike_cobaltstrike.exe
2760	2024-05-25_ee64a18e4cdf1da5dc37842152825058_cobalt-strike_cobaltstrike.exe
2760	2024-05-25_ee64a18e4cdf1da5dc37842152825058_cobalt-strike_cobaltstrike.exe
2760	2024-05-25_ee64a18e4cdf1da5dc37842152825058_cobalt-strike_cobaltstrike.exe
2760	2024-05-25_ee64a18e4cdf1da5dc37842152825058_cobalt-strike_cobaltstrike.exe
2760	2024-05-25_ee64a18e4cdf1da5dc37842152825058_cobalt-strike_cobaltstrike.exe
2760	2024-05-25_ee64a18e4cdf1da5dc37842152825058_cobalt-strike_cobaltstrike.exe
2760	2024-05-25_ee64a18e4cdf1da5dc37842152825058_cobalt-strike_cobaltstrike.exe
2760	2024-05-25_ee64a18e4cdf1da5dc37842152825058_cobalt-strike_cobaltstrike.exe
2760	2024-05-25_ee64a18e4cdf1da5dc37842152825058_cobalt-strike_cobaltstrike.exe
2760	2024-05-25_ee64a18e4cdf1da5dc37842152825058_cobalt-strike_cobaltstrike.exe
2760	2024-05-25_ee64a18e4cdf1da5dc37842152825058_cobalt-strike_cobaltstrike.exe
2760	2024-05-25_ee64a18e4cdf1da5dc37842152825058_cobalt-strike_cobaltstrike.exe
2760	2024-05-25_ee64a18e4cdf1da5dc37842152825058_cobalt-strike_cobaltstrike.exe
2760	2024-05-25_ee64a18e4cdf1da5dc37842152825058_cobalt-strike_cobaltstrike.exe
2760	2024-05-25_ee64a18e4cdf1da5dc37842152825058_cobalt-strike_cobaltstrike.exe
2760	2024-05-25_ee64a18e4cdf1da5dc37842152825058_cobalt-strike_cobaltstrike.exe
2760	2024-05-25_ee64a18e4cdf1da5dc37842152825058_cobalt-strike_cobaltstrike.exe

UPX packed file 50 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2760-0-0x000000013F410000-0x000000013F764000-memory.dmp	upx
behavioral1/files/0x0009000000014909-3.dat	upx
behavioral1/memory/2692-14-0x000000013F1B0000-0x000000013F504000-memory.dmp	upx
behavioral1/files/0x0008000000015264-9.dat	upx
behavioral1/files/0x0007000000015364-22.dat	upx
behavioral1/files/0x00070000000155d4-27.dat	upx
behavioral1/files/0x0006000000016d11-44.dat	upx
behavioral1/files/0x0006000000016d24-118.dat	upx
behavioral1/files/0x0006000000016e56-97.dat	upx
behavioral1/files/0x0006000000016d84-86.dat	upx
behavioral1/memory/2552-82-0x000000013F890000-0x000000013FBE4000-memory.dmp	upx
behavioral1/files/0x0006000000016d4a-81.dat	upx
behavioral1/files/0x0006000000016d4f-77.dat	upx
behavioral1/files/0x0006000000016d36-71.dat	upx
behavioral1/files/0x0006000000016d41-69.dat	upx
behavioral1/memory/240-117-0x000000013F570000-0x000000013F8C4000-memory.dmp	upx
behavioral1/memory/472-115-0x000000013F6D0000-0x000000013FA24000-memory.dmp	upx
behavioral1/memory/2416-114-0x000000013F650000-0x000000013F9A4000-memory.dmp	upx
behavioral1/memory/2468-112-0x000000013FDF0000-0x0000000140144000-memory.dmp	upx
behavioral1/memory/2556-109-0x000000013FE30000-0x0000000140184000-memory.dmp	upx
behavioral1/memory/2804-106-0x000000013FAA0000-0x000000013FDF4000-memory.dmp	upx
behavioral1/files/0x000600000001704f-104.dat	upx
behavioral1/memory/2772-103-0x000000013F460000-0x000000013F7B4000-memory.dmp	upx
behavioral1/memory/3060-95-0x000000013F6A0000-0x000000013F9F4000-memory.dmp	upx
behavioral1/files/0x0006000000016d89-94.dat	upx
behavioral1/files/0x0006000000016d55-91.dat	upx
behavioral1/memory/2572-68-0x000000013F3D0000-0x000000013F724000-memory.dmp	upx
behavioral1/files/0x000e000000014e3d-59.dat	upx
behavioral1/memory/2528-53-0x000000013F9F0000-0x000000013FD44000-memory.dmp	upx
behavioral1/files/0x0006000000016d01-42.dat	upx
behavioral1/files/0x0007000000016cf0-38.dat	upx
behavioral1/files/0x0009000000015cb9-35.dat	upx
behavioral1/files/0x000900000001560a-30.dat	upx
behavioral1/files/0x002c000000014c67-10.dat	upx
behavioral1/memory/1384-129-0x000000013F540000-0x000000013F894000-memory.dmp	upx
behavioral1/memory/2760-134-0x000000013F410000-0x000000013F764000-memory.dmp	upx
behavioral1/memory/2692-135-0x000000013F1B0000-0x000000013F504000-memory.dmp	upx
behavioral1/memory/2528-137-0x000000013F9F0000-0x000000013FD44000-memory.dmp	upx
behavioral1/memory/2692-138-0x000000013F1B0000-0x000000013F504000-memory.dmp	upx
behavioral1/memory/2552-139-0x000000013F890000-0x000000013FBE4000-memory.dmp	upx
behavioral1/memory/2468-146-0x000000013FDF0000-0x0000000140144000-memory.dmp	upx
behavioral1/memory/2416-145-0x000000013F650000-0x000000013F9A4000-memory.dmp	upx
behavioral1/memory/2804-144-0x000000013FAA0000-0x000000013FDF4000-memory.dmp	upx
behavioral1/memory/2556-143-0x000000013FE30000-0x0000000140184000-memory.dmp	upx
behavioral1/memory/472-147-0x000000013F6D0000-0x000000013FA24000-memory.dmp	upx
behavioral1/memory/3060-142-0x000000013F6A0000-0x000000013F9F4000-memory.dmp	upx
behavioral1/memory/2772-141-0x000000013F460000-0x000000013F7B4000-memory.dmp	upx
behavioral1/memory/2572-140-0x000000013F3D0000-0x000000013F724000-memory.dmp	upx
behavioral1/memory/240-148-0x000000013F570000-0x000000013F8C4000-memory.dmp	upx
behavioral1/memory/1384-149-0x000000013F540000-0x000000013F894000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\aCMRKIP.exe	2024-05-25_ee64a18e4cdf1da5dc37842152825058_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\DjFqQsJ.exe	2024-05-25_ee64a18e4cdf1da5dc37842152825058_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\jJVIIJA.exe	2024-05-25_ee64a18e4cdf1da5dc37842152825058_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\MGHZdxL.exe	2024-05-25_ee64a18e4cdf1da5dc37842152825058_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\REktnyr.exe	2024-05-25_ee64a18e4cdf1da5dc37842152825058_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\eZgGsBZ.exe	2024-05-25_ee64a18e4cdf1da5dc37842152825058_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\LViPWqQ.exe	2024-05-25_ee64a18e4cdf1da5dc37842152825058_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\qeHQiQs.exe	2024-05-25_ee64a18e4cdf1da5dc37842152825058_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\jWTWKhm.exe	2024-05-25_ee64a18e4cdf1da5dc37842152825058_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\eAMSxpQ.exe	2024-05-25_ee64a18e4cdf1da5dc37842152825058_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\XdhKCbc.exe	2024-05-25_ee64a18e4cdf1da5dc37842152825058_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\SfoqqIb.exe	2024-05-25_ee64a18e4cdf1da5dc37842152825058_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\bEhIMNO.exe	2024-05-25_ee64a18e4cdf1da5dc37842152825058_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\nzODGjp.exe	2024-05-25_ee64a18e4cdf1da5dc37842152825058_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\qXcNQTb.exe	2024-05-25_ee64a18e4cdf1da5dc37842152825058_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ZvYZZBD.exe	2024-05-25_ee64a18e4cdf1da5dc37842152825058_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\FjlrdNV.exe	2024-05-25_ee64a18e4cdf1da5dc37842152825058_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\vDKGsrr.exe	2024-05-25_ee64a18e4cdf1da5dc37842152825058_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\jwmlAcN.exe	2024-05-25_ee64a18e4cdf1da5dc37842152825058_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\qJByspa.exe	2024-05-25_ee64a18e4cdf1da5dc37842152825058_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\PRJrcqo.exe	2024-05-25_ee64a18e4cdf1da5dc37842152825058_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2760	2024-05-25_ee64a18e4cdf1da5dc37842152825058_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	2760	2024-05-25_ee64a18e4cdf1da5dc37842152825058_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2760 wrote to memory of 2528	2760	2024-05-25_ee64a18e4cdf1da5dc37842152825058_cobalt-strike_cobaltstrike.exe	29
PID 2760 wrote to memory of 2528	2760	2024-05-25_ee64a18e4cdf1da5dc37842152825058_cobalt-strike_cobaltstrike.exe	29
PID 2760 wrote to memory of 2528	2760	2024-05-25_ee64a18e4cdf1da5dc37842152825058_cobalt-strike_cobaltstrike.exe	29
PID 2760 wrote to memory of 2692	2760	2024-05-25_ee64a18e4cdf1da5dc37842152825058_cobalt-strike_cobaltstrike.exe	30
PID 2760 wrote to memory of 2692	2760	2024-05-25_ee64a18e4cdf1da5dc37842152825058_cobalt-strike_cobaltstrike.exe	30
PID 2760 wrote to memory of 2692	2760	2024-05-25_ee64a18e4cdf1da5dc37842152825058_cobalt-strike_cobaltstrike.exe	30
PID 2760 wrote to memory of 2572	2760	2024-05-25_ee64a18e4cdf1da5dc37842152825058_cobalt-strike_cobaltstrike.exe	31
PID 2760 wrote to memory of 2572	2760	2024-05-25_ee64a18e4cdf1da5dc37842152825058_cobalt-strike_cobaltstrike.exe	31
PID 2760 wrote to memory of 2572	2760	2024-05-25_ee64a18e4cdf1da5dc37842152825058_cobalt-strike_cobaltstrike.exe	31
PID 2760 wrote to memory of 2552	2760	2024-05-25_ee64a18e4cdf1da5dc37842152825058_cobalt-strike_cobaltstrike.exe	32
PID 2760 wrote to memory of 2552	2760	2024-05-25_ee64a18e4cdf1da5dc37842152825058_cobalt-strike_cobaltstrike.exe	32
PID 2760 wrote to memory of 2552	2760	2024-05-25_ee64a18e4cdf1da5dc37842152825058_cobalt-strike_cobaltstrike.exe	32
PID 2760 wrote to memory of 3060	2760	2024-05-25_ee64a18e4cdf1da5dc37842152825058_cobalt-strike_cobaltstrike.exe	33
PID 2760 wrote to memory of 3060	2760	2024-05-25_ee64a18e4cdf1da5dc37842152825058_cobalt-strike_cobaltstrike.exe	33
PID 2760 wrote to memory of 3060	2760	2024-05-25_ee64a18e4cdf1da5dc37842152825058_cobalt-strike_cobaltstrike.exe	33
PID 2760 wrote to memory of 2772	2760	2024-05-25_ee64a18e4cdf1da5dc37842152825058_cobalt-strike_cobaltstrike.exe	34
PID 2760 wrote to memory of 2772	2760	2024-05-25_ee64a18e4cdf1da5dc37842152825058_cobalt-strike_cobaltstrike.exe	34
PID 2760 wrote to memory of 2772	2760	2024-05-25_ee64a18e4cdf1da5dc37842152825058_cobalt-strike_cobaltstrike.exe	34
PID 2760 wrote to memory of 2804	2760	2024-05-25_ee64a18e4cdf1da5dc37842152825058_cobalt-strike_cobaltstrike.exe	35
PID 2760 wrote to memory of 2804	2760	2024-05-25_ee64a18e4cdf1da5dc37842152825058_cobalt-strike_cobaltstrike.exe	35
PID 2760 wrote to memory of 2804	2760	2024-05-25_ee64a18e4cdf1da5dc37842152825058_cobalt-strike_cobaltstrike.exe	35
PID 2760 wrote to memory of 2556	2760	2024-05-25_ee64a18e4cdf1da5dc37842152825058_cobalt-strike_cobaltstrike.exe	36
PID 2760 wrote to memory of 2556	2760	2024-05-25_ee64a18e4cdf1da5dc37842152825058_cobalt-strike_cobaltstrike.exe	36
PID 2760 wrote to memory of 2556	2760	2024-05-25_ee64a18e4cdf1da5dc37842152825058_cobalt-strike_cobaltstrike.exe	36
PID 2760 wrote to memory of 2468	2760	2024-05-25_ee64a18e4cdf1da5dc37842152825058_cobalt-strike_cobaltstrike.exe	37
PID 2760 wrote to memory of 2468	2760	2024-05-25_ee64a18e4cdf1da5dc37842152825058_cobalt-strike_cobaltstrike.exe	37
PID 2760 wrote to memory of 2468	2760	2024-05-25_ee64a18e4cdf1da5dc37842152825058_cobalt-strike_cobaltstrike.exe	37
PID 2760 wrote to memory of 2416	2760	2024-05-25_ee64a18e4cdf1da5dc37842152825058_cobalt-strike_cobaltstrike.exe	38
PID 2760 wrote to memory of 2416	2760	2024-05-25_ee64a18e4cdf1da5dc37842152825058_cobalt-strike_cobaltstrike.exe	38
PID 2760 wrote to memory of 2416	2760	2024-05-25_ee64a18e4cdf1da5dc37842152825058_cobalt-strike_cobaltstrike.exe	38
PID 2760 wrote to memory of 472	2760	2024-05-25_ee64a18e4cdf1da5dc37842152825058_cobalt-strike_cobaltstrike.exe	39
PID 2760 wrote to memory of 472	2760	2024-05-25_ee64a18e4cdf1da5dc37842152825058_cobalt-strike_cobaltstrike.exe	39
PID 2760 wrote to memory of 472	2760	2024-05-25_ee64a18e4cdf1da5dc37842152825058_cobalt-strike_cobaltstrike.exe	39
PID 2760 wrote to memory of 944	2760	2024-05-25_ee64a18e4cdf1da5dc37842152825058_cobalt-strike_cobaltstrike.exe	40
PID 2760 wrote to memory of 944	2760	2024-05-25_ee64a18e4cdf1da5dc37842152825058_cobalt-strike_cobaltstrike.exe	40
PID 2760 wrote to memory of 944	2760	2024-05-25_ee64a18e4cdf1da5dc37842152825058_cobalt-strike_cobaltstrike.exe	40
PID 2760 wrote to memory of 240	2760	2024-05-25_ee64a18e4cdf1da5dc37842152825058_cobalt-strike_cobaltstrike.exe	41
PID 2760 wrote to memory of 240	2760	2024-05-25_ee64a18e4cdf1da5dc37842152825058_cobalt-strike_cobaltstrike.exe	41
PID 2760 wrote to memory of 240	2760	2024-05-25_ee64a18e4cdf1da5dc37842152825058_cobalt-strike_cobaltstrike.exe	41
PID 2760 wrote to memory of 1716	2760	2024-05-25_ee64a18e4cdf1da5dc37842152825058_cobalt-strike_cobaltstrike.exe	42
PID 2760 wrote to memory of 1716	2760	2024-05-25_ee64a18e4cdf1da5dc37842152825058_cobalt-strike_cobaltstrike.exe	42
PID 2760 wrote to memory of 1716	2760	2024-05-25_ee64a18e4cdf1da5dc37842152825058_cobalt-strike_cobaltstrike.exe	42
PID 2760 wrote to memory of 1384	2760	2024-05-25_ee64a18e4cdf1da5dc37842152825058_cobalt-strike_cobaltstrike.exe	43
PID 2760 wrote to memory of 1384	2760	2024-05-25_ee64a18e4cdf1da5dc37842152825058_cobalt-strike_cobaltstrike.exe	43
PID 2760 wrote to memory of 1384	2760	2024-05-25_ee64a18e4cdf1da5dc37842152825058_cobalt-strike_cobaltstrike.exe	43
PID 2760 wrote to memory of 860	2760	2024-05-25_ee64a18e4cdf1da5dc37842152825058_cobalt-strike_cobaltstrike.exe	44
PID 2760 wrote to memory of 860	2760	2024-05-25_ee64a18e4cdf1da5dc37842152825058_cobalt-strike_cobaltstrike.exe	44
PID 2760 wrote to memory of 860	2760	2024-05-25_ee64a18e4cdf1da5dc37842152825058_cobalt-strike_cobaltstrike.exe	44
PID 2760 wrote to memory of 2828	2760	2024-05-25_ee64a18e4cdf1da5dc37842152825058_cobalt-strike_cobaltstrike.exe	45
PID 2760 wrote to memory of 2828	2760	2024-05-25_ee64a18e4cdf1da5dc37842152825058_cobalt-strike_cobaltstrike.exe	45
PID 2760 wrote to memory of 2828	2760	2024-05-25_ee64a18e4cdf1da5dc37842152825058_cobalt-strike_cobaltstrike.exe	45
PID 2760 wrote to memory of 2952	2760	2024-05-25_ee64a18e4cdf1da5dc37842152825058_cobalt-strike_cobaltstrike.exe	46
PID 2760 wrote to memory of 2952	2760	2024-05-25_ee64a18e4cdf1da5dc37842152825058_cobalt-strike_cobaltstrike.exe	46
PID 2760 wrote to memory of 2952	2760	2024-05-25_ee64a18e4cdf1da5dc37842152825058_cobalt-strike_cobaltstrike.exe	46
PID 2760 wrote to memory of 3044	2760	2024-05-25_ee64a18e4cdf1da5dc37842152825058_cobalt-strike_cobaltstrike.exe	47
PID 2760 wrote to memory of 3044	2760	2024-05-25_ee64a18e4cdf1da5dc37842152825058_cobalt-strike_cobaltstrike.exe	47
PID 2760 wrote to memory of 3044	2760	2024-05-25_ee64a18e4cdf1da5dc37842152825058_cobalt-strike_cobaltstrike.exe	47
PID 2760 wrote to memory of 1232	2760	2024-05-25_ee64a18e4cdf1da5dc37842152825058_cobalt-strike_cobaltstrike.exe	48
PID 2760 wrote to memory of 1232	2760	2024-05-25_ee64a18e4cdf1da5dc37842152825058_cobalt-strike_cobaltstrike.exe	48
PID 2760 wrote to memory of 1232	2760	2024-05-25_ee64a18e4cdf1da5dc37842152825058_cobalt-strike_cobaltstrike.exe	48
PID 2760 wrote to memory of 1336	2760	2024-05-25_ee64a18e4cdf1da5dc37842152825058_cobalt-strike_cobaltstrike.exe	49
PID 2760 wrote to memory of 1336	2760	2024-05-25_ee64a18e4cdf1da5dc37842152825058_cobalt-strike_cobaltstrike.exe	49
PID 2760 wrote to memory of 1336	2760	2024-05-25_ee64a18e4cdf1da5dc37842152825058_cobalt-strike_cobaltstrike.exe	49

C:\Users\Admin\AppData\Local\Temp\2024-05-25_ee64a18e4cdf1da5dc37842152825058_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-25_ee64a18e4cdf1da5dc37842152825058_cobalt-strike_cobaltstrike.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2760
- C:\Windows\System\qXcNQTb.exe
  C:\Windows\System\qXcNQTb.exe
  2⤵
  - Executes dropped EXE
  PID:2528
- C:\Windows\System\ZvYZZBD.exe
  C:\Windows\System\ZvYZZBD.exe
  2⤵
  - Executes dropped EXE
  PID:2692
- C:\Windows\System\FjlrdNV.exe
  C:\Windows\System\FjlrdNV.exe
  2⤵
  - Executes dropped EXE
  PID:2572
- C:\Windows\System\REktnyr.exe
  C:\Windows\System\REktnyr.exe
  2⤵
  - Executes dropped EXE
  PID:2552
- C:\Windows\System\eZgGsBZ.exe
  C:\Windows\System\eZgGsBZ.exe
  2⤵
  - Executes dropped EXE
  PID:3060
- C:\Windows\System\bEhIMNO.exe
  C:\Windows\System\bEhIMNO.exe
  2⤵
  - Executes dropped EXE
  PID:2772
- C:\Windows\System\LViPWqQ.exe
  C:\Windows\System\LViPWqQ.exe
  2⤵
  - Executes dropped EXE
  PID:2804
- C:\Windows\System\aCMRKIP.exe
  C:\Windows\System\aCMRKIP.exe
  2⤵
  - Executes dropped EXE
  PID:2556
- C:\Windows\System\vDKGsrr.exe
  C:\Windows\System\vDKGsrr.exe
  2⤵
  - Executes dropped EXE
  PID:2468
- C:\Windows\System\qeHQiQs.exe
  C:\Windows\System\qeHQiQs.exe
  2⤵
  - Executes dropped EXE
  PID:2416
- C:\Windows\System\DjFqQsJ.exe
  C:\Windows\System\DjFqQsJ.exe
  2⤵
  - Executes dropped EXE
  PID:472
- C:\Windows\System\jJVIIJA.exe
  C:\Windows\System\jJVIIJA.exe
  2⤵
  - Executes dropped EXE
  PID:944
- C:\Windows\System\jWTWKhm.exe
  C:\Windows\System\jWTWKhm.exe
  2⤵
  - Executes dropped EXE
  PID:240
- C:\Windows\System\nzODGjp.exe
  C:\Windows\System\nzODGjp.exe
  2⤵
  - Executes dropped EXE
  PID:1716
- C:\Windows\System\eAMSxpQ.exe
  C:\Windows\System\eAMSxpQ.exe
  2⤵
  - Executes dropped EXE
  PID:1384
- C:\Windows\System\jwmlAcN.exe
  C:\Windows\System\jwmlAcN.exe
  2⤵
  - Executes dropped EXE
  PID:860
- C:\Windows\System\XdhKCbc.exe
  C:\Windows\System\XdhKCbc.exe
  2⤵
  - Executes dropped EXE
  PID:2828
- C:\Windows\System\qJByspa.exe
  C:\Windows\System\qJByspa.exe
  2⤵
  - Executes dropped EXE
  PID:2952
- C:\Windows\System\PRJrcqo.exe
  C:\Windows\System\PRJrcqo.exe
  2⤵
  - Executes dropped EXE
  PID:3044
- C:\Windows\System\MGHZdxL.exe
  C:\Windows\System\MGHZdxL.exe
  2⤵
  - Executes dropped EXE
  PID:1232
- C:\Windows\System\SfoqqIb.exe
  C:\Windows\System\SfoqqIb.exe
  2⤵
  - Executes dropped EXE
  PID:1336

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\DjFqQsJ.exe

Filesize
5.9MB

MD5
2277da33a44647d1de8e00050a8285c2

SHA1
53e169a3a3cbc849b06e0dfb3735736c3da0e31a

SHA256
1f107c8b9b89892310fb89e5c5e3c3f873785ae49397f5e54b579ab4d8e7fba6

SHA512
7d0a41ee8fcec1f3e94f0f2b64cd63114ca75ffdcd296ca50bd634aa351e8b4bd17ac615beda101a083033635e94273e8ec494a7ecfbc25f4ff5b180584926b5

Download Submit
C:\Windows\system\FjlrdNV.exe

Filesize
5.9MB

MD5
4df2adc515f65f518651a6f715da02c4

SHA1
1634322644adc10d4770b8f9d257baa25517373e

SHA256
5cdccf8535772c9860f0fa4594d93c2afc2649c81689164b256ccd84bfcb1496

SHA512
d26ee8485de3069ed7dd6e21fdc347210d97a01312ec24360f926d2d59a574c84b917c3d75898fdedcca3ee2bcf5e0cdf8a28eeaff7d2c60aaaec97e5aeba8b4

Download Submit
C:\Windows\system\LViPWqQ.exe

Filesize
5.9MB

MD5
d15c60d04e0ae5f3d42950891a5441b2

SHA1
a47785792a6740082c5b190738f9bc0b6652471e

SHA256
7e99dbd65ebe4e28dde5b73136991e81cc4ba2f0db444e61845cb18d671c93fa

SHA512
530b22d28a88ca46d95980108f4523795f3f75bd4f291c6eea2f2baf1a49cb96b082bb6928babdce9c58a6065f46371562d61e12ff74249b1d4d7e15aef39847

Download Submit
C:\Windows\system\PRJrcqo.exe

Filesize
5.9MB

MD5
75804d6a66350081acf2cf77f566b035

SHA1
301e7a815ef4847156cd5c6d29b0d869205daf05

SHA256
2c456c0110a6df169c2ee956401e0e507b58928ce7765e54f3b30c0a0ab55741

SHA512
63ad1b1c3e3e7af5d73a14303857ba96f26317bb194f53da56f7f597542e33512a91df6c93bcb921cc9ca056650db3dadd522567c2dc4a5701ec106142a7a9c8

Download Submit
C:\Windows\system\REktnyr.exe

Filesize
5.9MB

MD5
5f947e156eb86d36a7cb3d9b39c90f0f

SHA1
78329ac26ad43295cf336c9644ce917fe559225f

SHA256
5c0d5fdfc20b155a93e337328a530228112a72fb9a3699633c511be8b5a8dd69

SHA512
ba36de6d39bca9f59e63f2c19cc7850d16d4612b3a01327e643da79cdd9ce7be9823e5e24e02cdae099a71ad60e18b075e86408ea7e21b0e32f2b3ca3abba351

Download Submit
C:\Windows\system\SfoqqIb.exe

Filesize
5.9MB

MD5
22bf39d4b060939ab69ac5f2cc5fbd06

SHA1
74e38239e36796b4729bbeb92dc4e5a28d549291

SHA256
87f63c480ba6cb2997de900b3962149dd87bccf007a621f4adad1b2c1c231a0d

SHA512
6eba788491754fc123c18b2b98c711f5d2dbee6fe6595dc75f3a10e41163701ddf4e7bb8fd2b044279b73fd6360bffbc2e7f203348798f9888979696d321feba

Download Submit
C:\Windows\system\XdhKCbc.exe

Filesize
5.9MB

MD5
b9fa5e1bf825f03e30bea495b84a41f5

SHA1
328ab0c6789657a8a3d58ebf9a3e7aa9267e4a07

SHA256
4230a1fa6ef34cc6a8a61d5871d2277c9e0fb4b628820a89e31debcb2a516cfe

SHA512
aaddacbb4e4b0f92d74468f43d0f5a0479f92ec8cd923290bc36d7559608dcfc779e7e85991453d20941f9e3edc397314e7f73a803a52c30f50ba3bb8bec71e9

Download Submit
C:\Windows\system\ZvYZZBD.exe

Filesize
5.9MB

MD5
b19ad3886281f0f7df12b3f51690a269

SHA1
d9d5205f0fefda8f3d9eddb1f6c591de9b70f5ae

SHA256
393f46e2e3f7caeb9de251c5ae28ac5de75e77fddb2b5f9740effaa1e4785110

SHA512
3f294f8b20507f1df93c201348d7d0f2fc24f235b9d1442c80a5c163b80571392be0ef5ca659e0fec0f4e5bdd6033d5ff73bc5fa765037d8f9b7ba4baeb92f06

Download Submit
C:\Windows\system\aCMRKIP.exe

Filesize
5.9MB

MD5
933756326437a612c2df571d5dfcb49a

SHA1
c9e5ae4daf6c5afe13749681748f4b0cf9239461

SHA256
9875ac70d932c545cfc60d39229084b06c0c4440c4eaf8b12941097bc66eeb9d

SHA512
779c7bbb73918aafcadc44db5a68dbed13ca611d6c678c1e1b78185ce5215c0ef8b7b6cac2c67537386abdb4a68d6e80d8ce93f34125d3b814a64e98680f94bb

Download Submit
C:\Windows\system\bEhIMNO.exe

Filesize
5.9MB

MD5
a79103c26b281202205059a926029b0a

SHA1
40b3e8fa45dfea99e5ad68ba02315a3aaa800985

SHA256
4fb14d275990cbb70797844eb4c859e9e9d3d8d05b93faca7daa8f50f498d82b

SHA512
54f342ad4bef4227f090cbb903de7bacb0b577ddaa54dd8464856bd1e09c105f14def9b58d266eb79717d8c2d6cbc7afb1967ea238edce70b2eaaaddf6abd9b0

Download Submit
C:\Windows\system\eAMSxpQ.exe

Filesize
5.9MB

MD5
09b664f11e66151305d2d06dd7b7559b

SHA1
c256cacc1f31f2a4f8348e422035f34267b91508

SHA256
5a27ff28e6bcc2c86a5fe958ad377c03e071bd8fe5e2237f30811722d7ed6cd4

SHA512
6cb520cef4d7df45834b54348008945a204055200e252816bde214e3bc3e9572adab969a571d94874492b798b3b28467aea17dbe56f9d23f4314f9e93ffc786c

Download Submit
C:\Windows\system\eZgGsBZ.exe

Filesize
5.9MB

MD5
af24438e5b007844049719207d3759d5

SHA1
3287f945ddff5847335b4e039cda83aa337416ae

SHA256
7271e87cc4765e950dc0941fef6bfb497e1fbeae0b7b99845ca7329904db0e5c

SHA512
8b33b5830ce5ebade1480726c45cd30fcc3fad5ab6532793fe0f55bc4224048f26d04c5f8c5263f7ef703c0c08e7f8c2383811b52dc8046e83a16be6ca6624a0

Download Submit
C:\Windows\system\jJVIIJA.exe

Filesize
5.9MB

MD5
c3feb26e422fdd888d264728c92b272f

SHA1
55543b99a50c0c9ca38f784751763f82cb4fb214

SHA256
e509cb3291d83c2087f6eaddd1e6598067a503a8282374dbcde1cbdaaf06fe05

SHA512
35de2f925568bb7991d9509b6c7222223ca93b682dac1966ec02cb7ff4fbe6544ffdbe64307ad2f827cc316adf2c68dfa2127fe4beebbfc8003f6fda8c284614

Download Submit
C:\Windows\system\jWTWKhm.exe

Filesize
5.9MB

MD5
94f603856b01edb776b6924dcebde98b

SHA1
ae6c7e3c54cec1f338cce1339c047f67c33fec11

SHA256
cd35d9c20b8f346b5701a4b8020f9c7de53b714411a099d4b3f66a4a9a3e5ed7

SHA512
43edf21bd20e5c441203097d7b76e1467ddb63b4f0e71bb82a8de90b226f6472b9927e0d3472acc2fdd2de7376b01e03e8cb21138200123a7f2a3c2586b73584

Download Submit
C:\Windows\system\vDKGsrr.exe

Filesize
5.9MB

MD5
c304ad832d994cbf616c1316a1ce0535

SHA1
498bbdeed51ff3e958c0ca41481a9f3c6d6f2d9c

SHA256
237d1facd04125e8df18f546c17dfa135e48b5800967106a5b6fdb30cb8da4a9

SHA512
72da1a4050aeae1c59c71082357837d72a68b71241b108aa346b65d6c861b588afbbb90621cdd7b0f61462d18b79897fe433122493e716489123486c225f7736

Download Submit
\Windows\system\MGHZdxL.exe

Filesize
5.9MB

MD5
2b82f61f76d9fa0f41abd829958f5ea6

SHA1
63f6425de476afbe2d70ab564dd438b0d6715c53

SHA256
11b48b6e24c33eaaf7311fa075e0d79f3ac8d1fbab0bb47e18ded6220b96988f

SHA512
3eae5daa20424a812b97c3a62dac93abd1f1d21bf54f806e2f2dd5d76ca81bbd8a4f05b77a55da942187b13ffa644dbb3e0d97d0ae702a43c6e5f30713e13320

Download Submit
\Windows\system\jwmlAcN.exe

Filesize
5.9MB

MD5
2d8cd09af2fd99163a9160c2d48fcd7d

SHA1
0b802a48943295427cf669245c5867bfbae274ec

SHA256
f2e0f5da8026eda9e96cd834eefe9edae4537eb632e8eda296b50802716f5a9e

SHA512
0a998a98e0c1576d6b741ec1ab55be862fc731ef35513eac37fe0fe83c71f9f32d4f90922998a8dc9148d433721f4e15322596185cbcf35675e2b4ca70d342d2

Download Submit
\Windows\system\nzODGjp.exe

Filesize
5.9MB

MD5
97979a44a63587ce37a64cb248201958

SHA1
e6a3da7a5112d607016deabdcf38382c2acc9350

SHA256
b279ad061272d521fe591c2acc2502db900fd4c5e667c796862562a640d260a4

SHA512
adb5564a5f3aa1cff2350d43c4d29604f2061e31679c5f4a4ffdcdbfdeeb7e699e57b7ffc9b120501a64340d6e14bfb5edb5c8ff61343b2c90e9b1ad14d1ca0e

Download Submit
\Windows\system\qJByspa.exe

Filesize
5.9MB

MD5
11643f3645c5ee3a363174185cd41fb7

SHA1
aa7fea40f13d108f61458b59bca445e3979c1d57

SHA256
22f4c29808403b015e3b94bb5fe1e685c1a3b0cb8ae380fcc4ff8335e248afa1

SHA512
434ed12988abfb4bf0b95ce65d5653c1e032c57b3a2a765bf24dcf7bd86ae9ca1ae66f607a2b32fcfb362a9fa7e335b0189fe817fa3f49e5332698b93a980b66

Download Submit
\Windows\system\qXcNQTb.exe

Filesize
5.9MB

MD5
8a79e1c0a376a851d1c45142dab5c307

SHA1
6e942283948ea37adeebcb8bf9d313f2c1f6b37b

SHA256
3bc1240962ac6bd877ad111487601669682bb6ea59590bc81f7838372d6d7ba7

SHA512
614cfcb1750a50602c29d364ee6ad37c4455bce2aeb4cb16b1a67971b33c30f6a64f0d1caaa7e24521a2e306c44a475d8282b48b8e2c3ef49d3f93023156027c

Download Submit
\Windows\system\qeHQiQs.exe

Filesize
5.9MB

MD5
8aae9a44c78127cc7d894d93858b46cc

SHA1
194f2773013b32396bca90ef364afb067fde2120

SHA256
72dd2b99ef82c8889c1bb3a1e4c7a2cd040a4367827dced4c32049a4330ccc3f

SHA512
c4797abc35ffad32a52ae05bdb513bcfbea46b0b8b54600c0df30b364043076f447cde5ee396885749e63fd08f66dc32c80d687795aa7a1c17f10d20a4b29edf

Download Submit
memory/240-117-0x000000013F570000-0x000000013F8C4000-memory.dmp

Filesize
3.3MB

Download
memory/240-148-0x000000013F570000-0x000000013F8C4000-memory.dmp

Filesize
3.3MB

Download
memory/472-147-0x000000013F6D0000-0x000000013FA24000-memory.dmp

Filesize
3.3MB

Download
memory/472-115-0x000000013F6D0000-0x000000013FA24000-memory.dmp

Filesize
3.3MB

Download
memory/1384-149-0x000000013F540000-0x000000013F894000-memory.dmp

Filesize
3.3MB

Download
memory/1384-129-0x000000013F540000-0x000000013F894000-memory.dmp

Filesize
3.3MB

Download
memory/2416-145-0x000000013F650000-0x000000013F9A4000-memory.dmp

Filesize
3.3MB

Download
memory/2416-114-0x000000013F650000-0x000000013F9A4000-memory.dmp

Filesize
3.3MB

Download
memory/2468-112-0x000000013FDF0000-0x0000000140144000-memory.dmp

Filesize
3.3MB

Download
memory/2468-146-0x000000013FDF0000-0x0000000140144000-memory.dmp

Filesize
3.3MB

Download
memory/2528-137-0x000000013F9F0000-0x000000013FD44000-memory.dmp

Filesize
3.3MB

Download
memory/2528-53-0x000000013F9F0000-0x000000013FD44000-memory.dmp

Filesize
3.3MB

Download
memory/2552-139-0x000000013F890000-0x000000013FBE4000-memory.dmp

Filesize
3.3MB

Download
memory/2552-82-0x000000013F890000-0x000000013FBE4000-memory.dmp

Filesize
3.3MB

Download
memory/2556-143-0x000000013FE30000-0x0000000140184000-memory.dmp

Filesize
3.3MB

Download
memory/2556-109-0x000000013FE30000-0x0000000140184000-memory.dmp

Filesize
3.3MB

Download
memory/2572-68-0x000000013F3D0000-0x000000013F724000-memory.dmp

Filesize
3.3MB

Download
memory/2572-140-0x000000013F3D0000-0x000000013F724000-memory.dmp

Filesize
3.3MB

Download
memory/2692-135-0x000000013F1B0000-0x000000013F504000-memory.dmp

Filesize
3.3MB

Download
memory/2692-138-0x000000013F1B0000-0x000000013F504000-memory.dmp

Filesize
3.3MB

Download
memory/2692-14-0x000000013F1B0000-0x000000013F504000-memory.dmp

Filesize
3.3MB

Download
memory/2760-12-0x000000013F9F0000-0x000000013FD44000-memory.dmp

Filesize
3.3MB

Download
memory/2760-76-0x000000013F890000-0x000000013FBE4000-memory.dmp

Filesize
3.3MB

Download
memory/2760-128-0x0000000002410000-0x0000000002764000-memory.dmp

Filesize
3.3MB

Download
memory/2760-116-0x000000013FC80000-0x000000013FFD4000-memory.dmp

Filesize
3.3MB

Download
memory/2760-131-0x0000000002410000-0x0000000002764000-memory.dmp

Filesize
3.3MB

Download
memory/2760-130-0x0000000002410000-0x0000000002764000-memory.dmp

Filesize
3.3MB

Download
memory/2760-133-0x0000000002410000-0x0000000002764000-memory.dmp

Filesize
3.3MB

Download
memory/2760-132-0x0000000002410000-0x0000000002764000-memory.dmp

Filesize
3.3MB

Download
memory/2760-134-0x000000013F410000-0x000000013F764000-memory.dmp

Filesize
3.3MB

Download
memory/2760-65-0x0000000002410000-0x0000000002764000-memory.dmp

Filesize
3.3MB

Download
memory/2760-136-0x0000000002410000-0x0000000002764000-memory.dmp

Filesize
3.3MB

Download
memory/2760-1-0x00000000002F0000-0x0000000000300000-memory.dmp

Filesize
64KB

Download
memory/2760-0-0x000000013F410000-0x000000013F764000-memory.dmp

Filesize
3.3MB

Download
memory/2760-113-0x0000000002410000-0x0000000002764000-memory.dmp

Filesize
3.3MB

Download
memory/2760-96-0x0000000002410000-0x0000000002764000-memory.dmp

Filesize
3.3MB

Download
memory/2760-111-0x000000013FDF0000-0x0000000140144000-memory.dmp

Filesize
3.3MB

Download
memory/2760-108-0x000000013FE30000-0x0000000140184000-memory.dmp

Filesize
3.3MB

Download
memory/2760-105-0x000000013FAA0000-0x000000013FDF4000-memory.dmp

Filesize
3.3MB

Download
memory/2772-141-0x000000013F460000-0x000000013F7B4000-memory.dmp

Filesize
3.3MB

Download
memory/2772-103-0x000000013F460000-0x000000013F7B4000-memory.dmp

Filesize
3.3MB

Download
memory/2804-106-0x000000013FAA0000-0x000000013FDF4000-memory.dmp

Filesize
3.3MB

Download
memory/2804-144-0x000000013FAA0000-0x000000013FDF4000-memory.dmp

Filesize
3.3MB

Download
memory/3060-142-0x000000013F6A0000-0x000000013F9F4000-memory.dmp

Filesize
3.3MB

Download
memory/3060-95-0x000000013F6A0000-0x000000013F9F4000-memory.dmp

Filesize
3.3MB

Download