cobaltstrike | e785acd308800530284caacacca75756ad61a4c1efa5b21c431df3aac799ec66

Analysis

max time kernel
141s
max time network
151s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
28/05/2024, 20:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-28_b63fb80e0cd7b724a60bde244d844588_cobalt-strike_cobaltstrike.exe
Size

5.2MB
MD5

b63fb80e0cd7b724a60bde244d844588
SHA1

9f2634fc662524b0949bc9e5af7b48683d825966
SHA256

e785acd308800530284caacacca75756ad61a4c1efa5b21c431df3aac799ec66
SHA512

60f80a743a2777f4bc190caada100d9aeffee45c5c4dbb358b8b27b0576ea73a62fb07b3670c49910909da1fadcd3282dcd27ed4d0d99f579731fee1f344d3a7
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lx:RWWBibf56utgpPFotBER/mQ32lUF

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x000b00000001226d-3.dat	cobalt_reflective_dll
behavioral1/files/0x00350000000149d0-11.dat	cobalt_reflective_dll
behavioral1/files/0x000d000000014b70-10.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000015038-27.dat	cobalt_reflective_dll
behavioral1/files/0x00070000000153fd-39.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000015b63-52.dat	cobalt_reflective_dll
behavioral1/files/0x000700000001542b-47.dat	cobalt_reflective_dll
behavioral1/files/0x000700000001538e-32.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000015d72-57.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015de5-74.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015fd4-90.dat	cobalt_reflective_dll
behavioral1/files/0x00060000000165d4-113.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016448-105.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016133-97.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016824-119.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016572-112.dat	cobalt_reflective_dll
behavioral1/files/0x00060000000162cc-104.dat	cobalt_reflective_dll
behavioral1/files/0x00060000000160f3-95.dat	cobalt_reflective_dll
behavioral1/files/0x0035000000014b18-84.dat	cobalt_reflective_dll
behavioral1/files/0x000700000001562c-66.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015d97-64.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

resource	yara_rule
behavioral1/files/0x000b00000001226d-3.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x00350000000149d0-11.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x000d000000014b70-10.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0008000000015038-27.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x00070000000153fd-39.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0008000000015b63-52.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x000700000001542b-47.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x000700000001538e-32.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0008000000015d72-57.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015de5-74.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015fd4-90.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x00060000000165d4-113.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016448-105.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016133-97.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016824-119.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016572-112.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x00060000000162cc-104.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x00060000000160f3-95.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0035000000014b18-84.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x000700000001562c-66.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015d97-64.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 63 IoCs

resource	yara_rule
behavioral1/memory/2184-0-0x000000013FAD0000-0x000000013FE21000-memory.dmp	UPX
behavioral1/files/0x000b00000001226d-3.dat	UPX
behavioral1/files/0x00350000000149d0-11.dat	UPX
behavioral1/files/0x000d000000014b70-10.dat	UPX
behavioral1/memory/1276-15-0x000000013F620000-0x000000013F971000-memory.dmp	UPX
behavioral1/memory/1712-12-0x000000013F070000-0x000000013F3C1000-memory.dmp	UPX
behavioral1/memory/1692-25-0x000000013FE90000-0x00000001401E1000-memory.dmp	UPX
behavioral1/files/0x0008000000015038-27.dat	UPX
behavioral1/memory/2796-36-0x000000013F540000-0x000000013F891000-memory.dmp	UPX
behavioral1/files/0x00070000000153fd-39.dat	UPX
behavioral1/files/0x0008000000015b63-52.dat	UPX
behavioral1/memory/2664-42-0x000000013F5E0000-0x000000013F931000-memory.dmp	UPX
behavioral1/files/0x000700000001542b-47.dat	UPX
behavioral1/files/0x000700000001538e-32.dat	UPX
behavioral1/memory/2684-28-0x000000013F5D0000-0x000000013F921000-memory.dmp	UPX
behavioral1/memory/2536-71-0x000000013FAF0000-0x000000013FE41000-memory.dmp	UPX
behavioral1/files/0x0008000000015d72-57.dat	UPX
behavioral1/memory/2580-77-0x000000013FD10000-0x0000000140061000-memory.dmp	UPX
behavioral1/memory/2184-76-0x000000013FAD0000-0x000000013FE21000-memory.dmp	UPX
behavioral1/files/0x0006000000015de5-74.dat	UPX
behavioral1/files/0x0006000000015fd4-90.dat	UPX
behavioral1/files/0x00060000000165d4-113.dat	UPX
behavioral1/files/0x0006000000016448-105.dat	UPX
behavioral1/files/0x0006000000016133-97.dat	UPX
behavioral1/memory/1984-125-0x000000013FCF0000-0x0000000140041000-memory.dmp	UPX
behavioral1/files/0x0006000000016824-119.dat	UPX
behavioral1/files/0x0006000000016572-112.dat	UPX
behavioral1/files/0x00060000000162cc-104.dat	UPX
behavioral1/files/0x00060000000160f3-95.dat	UPX
behavioral1/memory/2876-89-0x000000013FFF0000-0x0000000140341000-memory.dmp	UPX
behavioral1/memory/3008-81-0x000000013FB70000-0x000000013FEC1000-memory.dmp	UPX
behavioral1/files/0x0035000000014b18-84.dat	UPX
behavioral1/memory/2772-72-0x000000013FCF0000-0x0000000140041000-memory.dmp	UPX
behavioral1/memory/2204-70-0x000000013F470000-0x000000013F7C1000-memory.dmp	UPX
behavioral1/files/0x000700000001562c-66.dat	UPX
behavioral1/files/0x0006000000015d97-64.dat	UPX
behavioral1/memory/2788-56-0x000000013FB40000-0x000000013FE91000-memory.dmp	UPX
behavioral1/memory/2684-132-0x000000013F5D0000-0x000000013F921000-memory.dmp	UPX
behavioral1/memory/2184-133-0x000000013FAD0000-0x000000013FE21000-memory.dmp	UPX
behavioral1/memory/2020-152-0x000000013F6C0000-0x000000013FA11000-memory.dmp	UPX
behavioral1/memory/1188-151-0x000000013F960000-0x000000013FCB1000-memory.dmp	UPX
behavioral1/memory/1980-149-0x000000013F5D0000-0x000000013F921000-memory.dmp	UPX
behavioral1/memory/2964-147-0x000000013FE40000-0x0000000140191000-memory.dmp	UPX
behavioral1/memory/3008-145-0x000000013FB70000-0x000000013FEC1000-memory.dmp	UPX
behavioral1/memory/2664-139-0x000000013F5E0000-0x000000013F931000-memory.dmp	UPX
behavioral1/memory/2496-154-0x000000013F2C0000-0x000000013F611000-memory.dmp	UPX
behavioral1/memory/2424-153-0x000000013FE90000-0x00000001401E1000-memory.dmp	UPX
behavioral1/memory/1304-155-0x000000013FDA0000-0x00000001400F1000-memory.dmp	UPX
behavioral1/memory/2184-156-0x000000013FAD0000-0x000000013FE21000-memory.dmp	UPX
behavioral1/memory/1712-211-0x000000013F070000-0x000000013F3C1000-memory.dmp	UPX
behavioral1/memory/1276-213-0x000000013F620000-0x000000013F971000-memory.dmp	UPX
behavioral1/memory/1692-215-0x000000013FE90000-0x00000001401E1000-memory.dmp	UPX
behavioral1/memory/2684-217-0x000000013F5D0000-0x000000013F921000-memory.dmp	UPX
behavioral1/memory/2796-219-0x000000013F540000-0x000000013F891000-memory.dmp	UPX
behavioral1/memory/2664-221-0x000000013F5E0000-0x000000013F931000-memory.dmp	UPX
behavioral1/memory/2788-223-0x000000013FB40000-0x000000013FE91000-memory.dmp	UPX
behavioral1/memory/2204-225-0x000000013F470000-0x000000013F7C1000-memory.dmp	UPX
behavioral1/memory/2536-227-0x000000013FAF0000-0x000000013FE41000-memory.dmp	UPX
behavioral1/memory/2772-229-0x000000013FCF0000-0x0000000140041000-memory.dmp	UPX
behavioral1/memory/2580-231-0x000000013FD10000-0x0000000140061000-memory.dmp	UPX
behavioral1/memory/2876-234-0x000000013FFF0000-0x0000000140341000-memory.dmp	UPX
behavioral1/memory/3008-235-0x000000013FB70000-0x000000013FEC1000-memory.dmp	UPX
behavioral1/memory/1984-237-0x000000013FCF0000-0x0000000140041000-memory.dmp	UPX

XMRig Miner payload 41 IoCs

miner

resource	yara_rule
behavioral1/memory/1276-15-0x000000013F620000-0x000000013F971000-memory.dmp	xmrig
behavioral1/memory/1712-12-0x000000013F070000-0x000000013F3C1000-memory.dmp	xmrig
behavioral1/memory/1692-25-0x000000013FE90000-0x00000001401E1000-memory.dmp	xmrig
behavioral1/memory/2796-36-0x000000013F540000-0x000000013F891000-memory.dmp	xmrig
behavioral1/memory/2536-71-0x000000013FAF0000-0x000000013FE41000-memory.dmp	xmrig
behavioral1/memory/2580-77-0x000000013FD10000-0x0000000140061000-memory.dmp	xmrig
behavioral1/memory/2184-76-0x000000013FAD0000-0x000000013FE21000-memory.dmp	xmrig
behavioral1/memory/2184-123-0x000000013FE40000-0x0000000140191000-memory.dmp	xmrig
behavioral1/memory/1984-125-0x000000013FCF0000-0x0000000140041000-memory.dmp	xmrig
behavioral1/memory/2876-89-0x000000013FFF0000-0x0000000140341000-memory.dmp	xmrig
behavioral1/memory/2772-72-0x000000013FCF0000-0x0000000140041000-memory.dmp	xmrig
behavioral1/memory/2204-70-0x000000013F470000-0x000000013F7C1000-memory.dmp	xmrig
behavioral1/memory/2184-65-0x0000000002270000-0x00000000025C1000-memory.dmp	xmrig
behavioral1/memory/2788-56-0x000000013FB40000-0x000000013FE91000-memory.dmp	xmrig
behavioral1/memory/2684-132-0x000000013F5D0000-0x000000013F921000-memory.dmp	xmrig
behavioral1/memory/2184-133-0x000000013FAD0000-0x000000013FE21000-memory.dmp	xmrig
behavioral1/memory/2020-152-0x000000013F6C0000-0x000000013FA11000-memory.dmp	xmrig
behavioral1/memory/1188-151-0x000000013F960000-0x000000013FCB1000-memory.dmp	xmrig
behavioral1/memory/1980-149-0x000000013F5D0000-0x000000013F921000-memory.dmp	xmrig
behavioral1/memory/2964-147-0x000000013FE40000-0x0000000140191000-memory.dmp	xmrig
behavioral1/memory/3008-145-0x000000013FB70000-0x000000013FEC1000-memory.dmp	xmrig
behavioral1/memory/2664-139-0x000000013F5E0000-0x000000013F931000-memory.dmp	xmrig
behavioral1/memory/2496-154-0x000000013F2C0000-0x000000013F611000-memory.dmp	xmrig
behavioral1/memory/2424-153-0x000000013FE90000-0x00000001401E1000-memory.dmp	xmrig
behavioral1/memory/1304-155-0x000000013FDA0000-0x00000001400F1000-memory.dmp	xmrig
behavioral1/memory/2184-156-0x000000013FAD0000-0x000000013FE21000-memory.dmp	xmrig
behavioral1/memory/2184-179-0x000000013FE40000-0x0000000140191000-memory.dmp	xmrig
behavioral1/memory/1712-211-0x000000013F070000-0x000000013F3C1000-memory.dmp	xmrig
behavioral1/memory/1276-213-0x000000013F620000-0x000000013F971000-memory.dmp	xmrig
behavioral1/memory/1692-215-0x000000013FE90000-0x00000001401E1000-memory.dmp	xmrig
behavioral1/memory/2684-217-0x000000013F5D0000-0x000000013F921000-memory.dmp	xmrig
behavioral1/memory/2796-219-0x000000013F540000-0x000000013F891000-memory.dmp	xmrig
behavioral1/memory/2664-221-0x000000013F5E0000-0x000000013F931000-memory.dmp	xmrig
behavioral1/memory/2788-223-0x000000013FB40000-0x000000013FE91000-memory.dmp	xmrig
behavioral1/memory/2204-225-0x000000013F470000-0x000000013F7C1000-memory.dmp	xmrig
behavioral1/memory/2536-227-0x000000013FAF0000-0x000000013FE41000-memory.dmp	xmrig
behavioral1/memory/2772-229-0x000000013FCF0000-0x0000000140041000-memory.dmp	xmrig
behavioral1/memory/2580-231-0x000000013FD10000-0x0000000140061000-memory.dmp	xmrig
behavioral1/memory/2876-234-0x000000013FFF0000-0x0000000140341000-memory.dmp	xmrig
behavioral1/memory/3008-235-0x000000013FB70000-0x000000013FEC1000-memory.dmp	xmrig
behavioral1/memory/1984-237-0x000000013FCF0000-0x0000000140041000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
1712	uJQFskA.exe
1276	KEesSub.exe
1692	kGlLpHH.exe
2684	CkibRRC.exe
2796	dYBkGMb.exe
2664	LOuSzkC.exe
2788	YgNzuOV.exe
2204	nVBuPrR.exe
2536	YXaTuUv.exe
2772	zdZnuUg.exe
2580	FjDfQLW.exe
3008	DJvXNWp.exe
2876	KngwqMG.exe
1984	jeVbfkv.exe
1188	dsGsWeR.exe
2424	zWuePXp.exe
1304	OEEwLlq.exe
2964	gfKJVfh.exe
1980	ZlQADIx.exe
2020	VKttcIc.exe
2496	mKLXUlZ.exe

Loads dropped DLL 21 IoCs

pid	Process
2184	2024-05-28_b63fb80e0cd7b724a60bde244d844588_cobalt-strike_cobaltstrike.exe
2184	2024-05-28_b63fb80e0cd7b724a60bde244d844588_cobalt-strike_cobaltstrike.exe
2184	2024-05-28_b63fb80e0cd7b724a60bde244d844588_cobalt-strike_cobaltstrike.exe
2184	2024-05-28_b63fb80e0cd7b724a60bde244d844588_cobalt-strike_cobaltstrike.exe
2184	2024-05-28_b63fb80e0cd7b724a60bde244d844588_cobalt-strike_cobaltstrike.exe
2184	2024-05-28_b63fb80e0cd7b724a60bde244d844588_cobalt-strike_cobaltstrike.exe
2184	2024-05-28_b63fb80e0cd7b724a60bde244d844588_cobalt-strike_cobaltstrike.exe
2184	2024-05-28_b63fb80e0cd7b724a60bde244d844588_cobalt-strike_cobaltstrike.exe
2184	2024-05-28_b63fb80e0cd7b724a60bde244d844588_cobalt-strike_cobaltstrike.exe
2184	2024-05-28_b63fb80e0cd7b724a60bde244d844588_cobalt-strike_cobaltstrike.exe
2184	2024-05-28_b63fb80e0cd7b724a60bde244d844588_cobalt-strike_cobaltstrike.exe
2184	2024-05-28_b63fb80e0cd7b724a60bde244d844588_cobalt-strike_cobaltstrike.exe
2184	2024-05-28_b63fb80e0cd7b724a60bde244d844588_cobalt-strike_cobaltstrike.exe
2184	2024-05-28_b63fb80e0cd7b724a60bde244d844588_cobalt-strike_cobaltstrike.exe
2184	2024-05-28_b63fb80e0cd7b724a60bde244d844588_cobalt-strike_cobaltstrike.exe
2184	2024-05-28_b63fb80e0cd7b724a60bde244d844588_cobalt-strike_cobaltstrike.exe
2184	2024-05-28_b63fb80e0cd7b724a60bde244d844588_cobalt-strike_cobaltstrike.exe
2184	2024-05-28_b63fb80e0cd7b724a60bde244d844588_cobalt-strike_cobaltstrike.exe
2184	2024-05-28_b63fb80e0cd7b724a60bde244d844588_cobalt-strike_cobaltstrike.exe
2184	2024-05-28_b63fb80e0cd7b724a60bde244d844588_cobalt-strike_cobaltstrike.exe
2184	2024-05-28_b63fb80e0cd7b724a60bde244d844588_cobalt-strike_cobaltstrike.exe

UPX packed file 63 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2184-0-0x000000013FAD0000-0x000000013FE21000-memory.dmp	upx
behavioral1/files/0x000b00000001226d-3.dat	upx
behavioral1/files/0x00350000000149d0-11.dat	upx
behavioral1/files/0x000d000000014b70-10.dat	upx
behavioral1/memory/1276-15-0x000000013F620000-0x000000013F971000-memory.dmp	upx
behavioral1/memory/1712-12-0x000000013F070000-0x000000013F3C1000-memory.dmp	upx
behavioral1/memory/1692-25-0x000000013FE90000-0x00000001401E1000-memory.dmp	upx
behavioral1/files/0x0008000000015038-27.dat	upx
behavioral1/memory/2796-36-0x000000013F540000-0x000000013F891000-memory.dmp	upx
behavioral1/files/0x00070000000153fd-39.dat	upx
behavioral1/files/0x0008000000015b63-52.dat	upx
behavioral1/memory/2664-42-0x000000013F5E0000-0x000000013F931000-memory.dmp	upx
behavioral1/files/0x000700000001542b-47.dat	upx
behavioral1/files/0x000700000001538e-32.dat	upx
behavioral1/memory/2684-28-0x000000013F5D0000-0x000000013F921000-memory.dmp	upx
behavioral1/memory/2536-71-0x000000013FAF0000-0x000000013FE41000-memory.dmp	upx
behavioral1/files/0x0008000000015d72-57.dat	upx
behavioral1/memory/2580-77-0x000000013FD10000-0x0000000140061000-memory.dmp	upx
behavioral1/memory/2184-76-0x000000013FAD0000-0x000000013FE21000-memory.dmp	upx
behavioral1/files/0x0006000000015de5-74.dat	upx
behavioral1/files/0x0006000000015fd4-90.dat	upx
behavioral1/files/0x00060000000165d4-113.dat	upx
behavioral1/files/0x0006000000016448-105.dat	upx
behavioral1/files/0x0006000000016133-97.dat	upx
behavioral1/memory/1984-125-0x000000013FCF0000-0x0000000140041000-memory.dmp	upx
behavioral1/files/0x0006000000016824-119.dat	upx
behavioral1/files/0x0006000000016572-112.dat	upx
behavioral1/files/0x00060000000162cc-104.dat	upx
behavioral1/files/0x00060000000160f3-95.dat	upx
behavioral1/memory/2876-89-0x000000013FFF0000-0x0000000140341000-memory.dmp	upx
behavioral1/memory/3008-81-0x000000013FB70000-0x000000013FEC1000-memory.dmp	upx
behavioral1/files/0x0035000000014b18-84.dat	upx
behavioral1/memory/2772-72-0x000000013FCF0000-0x0000000140041000-memory.dmp	upx
behavioral1/memory/2204-70-0x000000013F470000-0x000000013F7C1000-memory.dmp	upx
behavioral1/files/0x000700000001562c-66.dat	upx
behavioral1/files/0x0006000000015d97-64.dat	upx
behavioral1/memory/2788-56-0x000000013FB40000-0x000000013FE91000-memory.dmp	upx
behavioral1/memory/2684-132-0x000000013F5D0000-0x000000013F921000-memory.dmp	upx
behavioral1/memory/2184-133-0x000000013FAD0000-0x000000013FE21000-memory.dmp	upx
behavioral1/memory/2020-152-0x000000013F6C0000-0x000000013FA11000-memory.dmp	upx
behavioral1/memory/1188-151-0x000000013F960000-0x000000013FCB1000-memory.dmp	upx
behavioral1/memory/1980-149-0x000000013F5D0000-0x000000013F921000-memory.dmp	upx
behavioral1/memory/2964-147-0x000000013FE40000-0x0000000140191000-memory.dmp	upx
behavioral1/memory/3008-145-0x000000013FB70000-0x000000013FEC1000-memory.dmp	upx
behavioral1/memory/2664-139-0x000000013F5E0000-0x000000013F931000-memory.dmp	upx
behavioral1/memory/2496-154-0x000000013F2C0000-0x000000013F611000-memory.dmp	upx
behavioral1/memory/2424-153-0x000000013FE90000-0x00000001401E1000-memory.dmp	upx
behavioral1/memory/1304-155-0x000000013FDA0000-0x00000001400F1000-memory.dmp	upx
behavioral1/memory/2184-156-0x000000013FAD0000-0x000000013FE21000-memory.dmp	upx
behavioral1/memory/1712-211-0x000000013F070000-0x000000013F3C1000-memory.dmp	upx
behavioral1/memory/1276-213-0x000000013F620000-0x000000013F971000-memory.dmp	upx
behavioral1/memory/1692-215-0x000000013FE90000-0x00000001401E1000-memory.dmp	upx
behavioral1/memory/2684-217-0x000000013F5D0000-0x000000013F921000-memory.dmp	upx
behavioral1/memory/2796-219-0x000000013F540000-0x000000013F891000-memory.dmp	upx
behavioral1/memory/2664-221-0x000000013F5E0000-0x000000013F931000-memory.dmp	upx
behavioral1/memory/2788-223-0x000000013FB40000-0x000000013FE91000-memory.dmp	upx
behavioral1/memory/2204-225-0x000000013F470000-0x000000013F7C1000-memory.dmp	upx
behavioral1/memory/2536-227-0x000000013FAF0000-0x000000013FE41000-memory.dmp	upx
behavioral1/memory/2772-229-0x000000013FCF0000-0x0000000140041000-memory.dmp	upx
behavioral1/memory/2580-231-0x000000013FD10000-0x0000000140061000-memory.dmp	upx
behavioral1/memory/2876-234-0x000000013FFF0000-0x0000000140341000-memory.dmp	upx
behavioral1/memory/3008-235-0x000000013FB70000-0x000000013FEC1000-memory.dmp	upx
behavioral1/memory/1984-237-0x000000013FCF0000-0x0000000140041000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\nVBuPrR.exe	2024-05-28_b63fb80e0cd7b724a60bde244d844588_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\KngwqMG.exe	2024-05-28_b63fb80e0cd7b724a60bde244d844588_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\VKttcIc.exe	2024-05-28_b63fb80e0cd7b724a60bde244d844588_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\OEEwLlq.exe	2024-05-28_b63fb80e0cd7b724a60bde244d844588_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\LOuSzkC.exe	2024-05-28_b63fb80e0cd7b724a60bde244d844588_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\KEesSub.exe	2024-05-28_b63fb80e0cd7b724a60bde244d844588_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\kGlLpHH.exe	2024-05-28_b63fb80e0cd7b724a60bde244d844588_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\dYBkGMb.exe	2024-05-28_b63fb80e0cd7b724a60bde244d844588_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\YgNzuOV.exe	2024-05-28_b63fb80e0cd7b724a60bde244d844588_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\FjDfQLW.exe	2024-05-28_b63fb80e0cd7b724a60bde244d844588_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\YXaTuUv.exe	2024-05-28_b63fb80e0cd7b724a60bde244d844588_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\zWuePXp.exe	2024-05-28_b63fb80e0cd7b724a60bde244d844588_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\uJQFskA.exe	2024-05-28_b63fb80e0cd7b724a60bde244d844588_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\jeVbfkv.exe	2024-05-28_b63fb80e0cd7b724a60bde244d844588_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\DJvXNWp.exe	2024-05-28_b63fb80e0cd7b724a60bde244d844588_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\zdZnuUg.exe	2024-05-28_b63fb80e0cd7b724a60bde244d844588_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\gfKJVfh.exe	2024-05-28_b63fb80e0cd7b724a60bde244d844588_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ZlQADIx.exe	2024-05-28_b63fb80e0cd7b724a60bde244d844588_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\dsGsWeR.exe	2024-05-28_b63fb80e0cd7b724a60bde244d844588_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\mKLXUlZ.exe	2024-05-28_b63fb80e0cd7b724a60bde244d844588_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\CkibRRC.exe	2024-05-28_b63fb80e0cd7b724a60bde244d844588_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2184	2024-05-28_b63fb80e0cd7b724a60bde244d844588_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	2184	2024-05-28_b63fb80e0cd7b724a60bde244d844588_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2184 wrote to memory of 1712	2184	2024-05-28_b63fb80e0cd7b724a60bde244d844588_cobalt-strike_cobaltstrike.exe	29
PID 2184 wrote to memory of 1712	2184	2024-05-28_b63fb80e0cd7b724a60bde244d844588_cobalt-strike_cobaltstrike.exe	29
PID 2184 wrote to memory of 1712	2184	2024-05-28_b63fb80e0cd7b724a60bde244d844588_cobalt-strike_cobaltstrike.exe	29
PID 2184 wrote to memory of 1276	2184	2024-05-28_b63fb80e0cd7b724a60bde244d844588_cobalt-strike_cobaltstrike.exe	30
PID 2184 wrote to memory of 1276	2184	2024-05-28_b63fb80e0cd7b724a60bde244d844588_cobalt-strike_cobaltstrike.exe	30
PID 2184 wrote to memory of 1276	2184	2024-05-28_b63fb80e0cd7b724a60bde244d844588_cobalt-strike_cobaltstrike.exe	30
PID 2184 wrote to memory of 1692	2184	2024-05-28_b63fb80e0cd7b724a60bde244d844588_cobalt-strike_cobaltstrike.exe	31
PID 2184 wrote to memory of 1692	2184	2024-05-28_b63fb80e0cd7b724a60bde244d844588_cobalt-strike_cobaltstrike.exe	31
PID 2184 wrote to memory of 1692	2184	2024-05-28_b63fb80e0cd7b724a60bde244d844588_cobalt-strike_cobaltstrike.exe	31
PID 2184 wrote to memory of 2684	2184	2024-05-28_b63fb80e0cd7b724a60bde244d844588_cobalt-strike_cobaltstrike.exe	32
PID 2184 wrote to memory of 2684	2184	2024-05-28_b63fb80e0cd7b724a60bde244d844588_cobalt-strike_cobaltstrike.exe	32
PID 2184 wrote to memory of 2684	2184	2024-05-28_b63fb80e0cd7b724a60bde244d844588_cobalt-strike_cobaltstrike.exe	32
PID 2184 wrote to memory of 2796	2184	2024-05-28_b63fb80e0cd7b724a60bde244d844588_cobalt-strike_cobaltstrike.exe	33
PID 2184 wrote to memory of 2796	2184	2024-05-28_b63fb80e0cd7b724a60bde244d844588_cobalt-strike_cobaltstrike.exe	33
PID 2184 wrote to memory of 2796	2184	2024-05-28_b63fb80e0cd7b724a60bde244d844588_cobalt-strike_cobaltstrike.exe	33
PID 2184 wrote to memory of 2664	2184	2024-05-28_b63fb80e0cd7b724a60bde244d844588_cobalt-strike_cobaltstrike.exe	34
PID 2184 wrote to memory of 2664	2184	2024-05-28_b63fb80e0cd7b724a60bde244d844588_cobalt-strike_cobaltstrike.exe	34
PID 2184 wrote to memory of 2664	2184	2024-05-28_b63fb80e0cd7b724a60bde244d844588_cobalt-strike_cobaltstrike.exe	34
PID 2184 wrote to memory of 2788	2184	2024-05-28_b63fb80e0cd7b724a60bde244d844588_cobalt-strike_cobaltstrike.exe	35
PID 2184 wrote to memory of 2788	2184	2024-05-28_b63fb80e0cd7b724a60bde244d844588_cobalt-strike_cobaltstrike.exe	35
PID 2184 wrote to memory of 2788	2184	2024-05-28_b63fb80e0cd7b724a60bde244d844588_cobalt-strike_cobaltstrike.exe	35
PID 2184 wrote to memory of 2772	2184	2024-05-28_b63fb80e0cd7b724a60bde244d844588_cobalt-strike_cobaltstrike.exe	36
PID 2184 wrote to memory of 2772	2184	2024-05-28_b63fb80e0cd7b724a60bde244d844588_cobalt-strike_cobaltstrike.exe	36
PID 2184 wrote to memory of 2772	2184	2024-05-28_b63fb80e0cd7b724a60bde244d844588_cobalt-strike_cobaltstrike.exe	36
PID 2184 wrote to memory of 2204	2184	2024-05-28_b63fb80e0cd7b724a60bde244d844588_cobalt-strike_cobaltstrike.exe	37
PID 2184 wrote to memory of 2204	2184	2024-05-28_b63fb80e0cd7b724a60bde244d844588_cobalt-strike_cobaltstrike.exe	37
PID 2184 wrote to memory of 2204	2184	2024-05-28_b63fb80e0cd7b724a60bde244d844588_cobalt-strike_cobaltstrike.exe	37
PID 2184 wrote to memory of 2580	2184	2024-05-28_b63fb80e0cd7b724a60bde244d844588_cobalt-strike_cobaltstrike.exe	38
PID 2184 wrote to memory of 2580	2184	2024-05-28_b63fb80e0cd7b724a60bde244d844588_cobalt-strike_cobaltstrike.exe	38
PID 2184 wrote to memory of 2580	2184	2024-05-28_b63fb80e0cd7b724a60bde244d844588_cobalt-strike_cobaltstrike.exe	38
PID 2184 wrote to memory of 2536	2184	2024-05-28_b63fb80e0cd7b724a60bde244d844588_cobalt-strike_cobaltstrike.exe	39
PID 2184 wrote to memory of 2536	2184	2024-05-28_b63fb80e0cd7b724a60bde244d844588_cobalt-strike_cobaltstrike.exe	39
PID 2184 wrote to memory of 2536	2184	2024-05-28_b63fb80e0cd7b724a60bde244d844588_cobalt-strike_cobaltstrike.exe	39
PID 2184 wrote to memory of 3008	2184	2024-05-28_b63fb80e0cd7b724a60bde244d844588_cobalt-strike_cobaltstrike.exe	40
PID 2184 wrote to memory of 3008	2184	2024-05-28_b63fb80e0cd7b724a60bde244d844588_cobalt-strike_cobaltstrike.exe	40
PID 2184 wrote to memory of 3008	2184	2024-05-28_b63fb80e0cd7b724a60bde244d844588_cobalt-strike_cobaltstrike.exe	40
PID 2184 wrote to memory of 2876	2184	2024-05-28_b63fb80e0cd7b724a60bde244d844588_cobalt-strike_cobaltstrike.exe	41
PID 2184 wrote to memory of 2876	2184	2024-05-28_b63fb80e0cd7b724a60bde244d844588_cobalt-strike_cobaltstrike.exe	41
PID 2184 wrote to memory of 2876	2184	2024-05-28_b63fb80e0cd7b724a60bde244d844588_cobalt-strike_cobaltstrike.exe	41
PID 2184 wrote to memory of 2964	2184	2024-05-28_b63fb80e0cd7b724a60bde244d844588_cobalt-strike_cobaltstrike.exe	42
PID 2184 wrote to memory of 2964	2184	2024-05-28_b63fb80e0cd7b724a60bde244d844588_cobalt-strike_cobaltstrike.exe	42
PID 2184 wrote to memory of 2964	2184	2024-05-28_b63fb80e0cd7b724a60bde244d844588_cobalt-strike_cobaltstrike.exe	42
PID 2184 wrote to memory of 1984	2184	2024-05-28_b63fb80e0cd7b724a60bde244d844588_cobalt-strike_cobaltstrike.exe	43
PID 2184 wrote to memory of 1984	2184	2024-05-28_b63fb80e0cd7b724a60bde244d844588_cobalt-strike_cobaltstrike.exe	43
PID 2184 wrote to memory of 1984	2184	2024-05-28_b63fb80e0cd7b724a60bde244d844588_cobalt-strike_cobaltstrike.exe	43
PID 2184 wrote to memory of 1980	2184	2024-05-28_b63fb80e0cd7b724a60bde244d844588_cobalt-strike_cobaltstrike.exe	44
PID 2184 wrote to memory of 1980	2184	2024-05-28_b63fb80e0cd7b724a60bde244d844588_cobalt-strike_cobaltstrike.exe	44
PID 2184 wrote to memory of 1980	2184	2024-05-28_b63fb80e0cd7b724a60bde244d844588_cobalt-strike_cobaltstrike.exe	44
PID 2184 wrote to memory of 1188	2184	2024-05-28_b63fb80e0cd7b724a60bde244d844588_cobalt-strike_cobaltstrike.exe	45
PID 2184 wrote to memory of 1188	2184	2024-05-28_b63fb80e0cd7b724a60bde244d844588_cobalt-strike_cobaltstrike.exe	45
PID 2184 wrote to memory of 1188	2184	2024-05-28_b63fb80e0cd7b724a60bde244d844588_cobalt-strike_cobaltstrike.exe	45
PID 2184 wrote to memory of 2020	2184	2024-05-28_b63fb80e0cd7b724a60bde244d844588_cobalt-strike_cobaltstrike.exe	46
PID 2184 wrote to memory of 2020	2184	2024-05-28_b63fb80e0cd7b724a60bde244d844588_cobalt-strike_cobaltstrike.exe	46
PID 2184 wrote to memory of 2020	2184	2024-05-28_b63fb80e0cd7b724a60bde244d844588_cobalt-strike_cobaltstrike.exe	46
PID 2184 wrote to memory of 2424	2184	2024-05-28_b63fb80e0cd7b724a60bde244d844588_cobalt-strike_cobaltstrike.exe	47
PID 2184 wrote to memory of 2424	2184	2024-05-28_b63fb80e0cd7b724a60bde244d844588_cobalt-strike_cobaltstrike.exe	47
PID 2184 wrote to memory of 2424	2184	2024-05-28_b63fb80e0cd7b724a60bde244d844588_cobalt-strike_cobaltstrike.exe	47
PID 2184 wrote to memory of 2496	2184	2024-05-28_b63fb80e0cd7b724a60bde244d844588_cobalt-strike_cobaltstrike.exe	48
PID 2184 wrote to memory of 2496	2184	2024-05-28_b63fb80e0cd7b724a60bde244d844588_cobalt-strike_cobaltstrike.exe	48
PID 2184 wrote to memory of 2496	2184	2024-05-28_b63fb80e0cd7b724a60bde244d844588_cobalt-strike_cobaltstrike.exe	48
PID 2184 wrote to memory of 1304	2184	2024-05-28_b63fb80e0cd7b724a60bde244d844588_cobalt-strike_cobaltstrike.exe	49
PID 2184 wrote to memory of 1304	2184	2024-05-28_b63fb80e0cd7b724a60bde244d844588_cobalt-strike_cobaltstrike.exe	49
PID 2184 wrote to memory of 1304	2184	2024-05-28_b63fb80e0cd7b724a60bde244d844588_cobalt-strike_cobaltstrike.exe	49

C:\Users\Admin\AppData\Local\Temp\2024-05-28_b63fb80e0cd7b724a60bde244d844588_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-28_b63fb80e0cd7b724a60bde244d844588_cobalt-strike_cobaltstrike.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2184
- C:\Windows\System\uJQFskA.exe
  C:\Windows\System\uJQFskA.exe
  2⤵
  - Executes dropped EXE
  PID:1712
- C:\Windows\System\KEesSub.exe
  C:\Windows\System\KEesSub.exe
  2⤵
  - Executes dropped EXE
  PID:1276
- C:\Windows\System\kGlLpHH.exe
  C:\Windows\System\kGlLpHH.exe
  2⤵
  - Executes dropped EXE
  PID:1692
- C:\Windows\System\CkibRRC.exe
  C:\Windows\System\CkibRRC.exe
  2⤵
  - Executes dropped EXE
  PID:2684
- C:\Windows\System\dYBkGMb.exe
  C:\Windows\System\dYBkGMb.exe
  2⤵
  - Executes dropped EXE
  PID:2796
- C:\Windows\System\LOuSzkC.exe
  C:\Windows\System\LOuSzkC.exe
  2⤵
  - Executes dropped EXE
  PID:2664
- C:\Windows\System\YgNzuOV.exe
  C:\Windows\System\YgNzuOV.exe
  2⤵
  - Executes dropped EXE
  PID:2788
- C:\Windows\System\zdZnuUg.exe
  C:\Windows\System\zdZnuUg.exe
  2⤵
  - Executes dropped EXE
  PID:2772
- C:\Windows\System\nVBuPrR.exe
  C:\Windows\System\nVBuPrR.exe
  2⤵
  - Executes dropped EXE
  PID:2204
- C:\Windows\System\FjDfQLW.exe
  C:\Windows\System\FjDfQLW.exe
  2⤵
  - Executes dropped EXE
  PID:2580
- C:\Windows\System\YXaTuUv.exe
  C:\Windows\System\YXaTuUv.exe
  2⤵
  - Executes dropped EXE
  PID:2536
- C:\Windows\System\DJvXNWp.exe
  C:\Windows\System\DJvXNWp.exe
  2⤵
  - Executes dropped EXE
  PID:3008
- C:\Windows\System\KngwqMG.exe
  C:\Windows\System\KngwqMG.exe
  2⤵
  - Executes dropped EXE
  PID:2876
- C:\Windows\System\gfKJVfh.exe
  C:\Windows\System\gfKJVfh.exe
  2⤵
  - Executes dropped EXE
  PID:2964
- C:\Windows\System\jeVbfkv.exe
  C:\Windows\System\jeVbfkv.exe
  2⤵
  - Executes dropped EXE
  PID:1984
- C:\Windows\System\ZlQADIx.exe
  C:\Windows\System\ZlQADIx.exe
  2⤵
  - Executes dropped EXE
  PID:1980
- C:\Windows\System\dsGsWeR.exe
  C:\Windows\System\dsGsWeR.exe
  2⤵
  - Executes dropped EXE
  PID:1188
- C:\Windows\System\VKttcIc.exe
  C:\Windows\System\VKttcIc.exe
  2⤵
  - Executes dropped EXE
  PID:2020
- C:\Windows\System\zWuePXp.exe
  C:\Windows\System\zWuePXp.exe
  2⤵
  - Executes dropped EXE
  PID:2424
- C:\Windows\System\mKLXUlZ.exe
  C:\Windows\System\mKLXUlZ.exe
  2⤵
  - Executes dropped EXE
  PID:2496
- C:\Windows\System\OEEwLlq.exe
  C:\Windows\System\OEEwLlq.exe
  2⤵
  - Executes dropped EXE
  PID:1304

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\CkibRRC.exe

Filesize
5.2MB

MD5
dae6b1d8a424790eb457f5cd39d6383e

SHA1
bdfb6f442e6cfff359c227169b0b50f8dc15df3d

SHA256
05d256f90bb6820d7f0e3cd7fc0374421ee5d7e91d2a4b3c021130370ed7afb5

SHA512
e4ce60c7b245b28c431d78cc5b09eb824e4e495393ba296fcf89a8f70bed65a7c8c0758f3d431d597a7c2875214f94f0d473e02af522cb20b396876a4aa847c1

Download Submit
C:\Windows\system\KEesSub.exe

Filesize
5.2MB

MD5
afc4cdc357e9852fd471620c2863b0b6

SHA1
aa804fd9f4b2861c20456055606edcd75456f305

SHA256
84485f0267bba1286de54a384cd55a4b6d1057146f8e1bd6db85aa7d9df2a3c7

SHA512
2726f9ed4f522b74adeebfa0e301a88ec29b6b7b7e9757b79e559fe3c6e9ee3404c6443ca33ca2312becaf1687451b643f36e8fcca837d6a6f2f45cc5b6806e2

Download Submit
C:\Windows\system\KngwqMG.exe

Filesize
5.2MB

MD5
3ad52721c25d08b2d626f24fc50a919a

SHA1
60fb2d5179456408a9b84c67202a0acf6d68029e

SHA256
e27ec8f4718e98946780a54041006b64f617eb92086b8326da009d8ea09dc213

SHA512
3a0fd8d01b1f6f4fabb3e7416d92b00a0bc4fec358ca487984227f829535b84effbd04c07426784f1d0f6b2f28197e4bafeafb9d4c6f0fd647c1d1026359e47c

Download Submit
C:\Windows\system\LOuSzkC.exe

Filesize
5.2MB

MD5
9cd149883835177f15892bc2a4a44d44

SHA1
d02aea3835e1bc7f877098354dc0021b9dc09ede

SHA256
43f3d5b75bcf89cf3e0f6c40b48a62924e9df1ddcf0333e893e24ec35acf9539

SHA512
089840dd27595d437d6da33b2eae4fd9f8e5b45b683748d2515b8cbdb48aedc435d65fc63079287d48fae42457fe45a68d4889d9e041c40b6ad04371280919c6

Download Submit
C:\Windows\system\OEEwLlq.exe

Filesize
5.2MB

MD5
f1e7f1a410f171385ac4023394917a59

SHA1
81ff1a6b000681be81f132e5e067d38f6dfb8630

SHA256
ed87038950e243b4491ca85860c34764c73f7efd54468cadd6c69a243ef30a91

SHA512
cdf83a56270f35178d946c4defd2b3f48b9994f8157f33496070863ac39519e462a83127d6ec3a6b09fd342b56d1178469a32a0f91bddcc20979e9c1dec026fc

Download Submit
C:\Windows\system\YXaTuUv.exe

Filesize
5.2MB

MD5
95e5be018a604e2f4499291d6c59427f

SHA1
16c4c1ecf8396a410bdb9aeb37d4287a07f60350

SHA256
593e95563764ac269270a4b10f2d34cea749d1152f271b78d7dd8b2bbc9da67f

SHA512
53b4773cc8df08cc6755f866deb4ae4214c7f80d2c5a31ff14a2f216e8fd306729130633716b001eafcfb0a4946d92e472f74508a4ada3e0a38d066102b5400d

Download Submit
C:\Windows\system\YgNzuOV.exe

Filesize
5.2MB

MD5
668a38b1615c91c034a7ef58b648e2f1

SHA1
9c93fad3b87b8c4815eb379fbb6e937ae272b4ef

SHA256
943fc84c3432349f95638c6d9c282d971f17b12a1f370926f116942e363d7d1e

SHA512
aece82965878a0162792f9bbd01b3ba433b9ed4d90aef619d5b65ecd7d43784dc508258b110fca7216a761647ac80b8fac81e0c6df2ce5208029de665f6b9319

Download Submit
C:\Windows\system\dYBkGMb.exe

Filesize
5.2MB

MD5
e8df3388c5c161c2f88da8df9bb5e4f8

SHA1
a85064e39d6f194b9754e52b999db08778a80758

SHA256
8027c9f2349fb94a152fd1ae9c42e5525db621f7eb6fa8924c4a60c78291c2d5

SHA512
683723c3f6d7c1d1a8630170e52a18176c51523cfbed9f20ffa4851bfb2835782cfab2ef2487c5b1ccfe622aec5bf8a2c0533e2bb62d0aec47b97194c96aefdb

Download Submit
C:\Windows\system\dsGsWeR.exe

Filesize
5.2MB

MD5
2a07d368405121b557bcc59e836ec67f

SHA1
4b4e9751752e054df7efc6a38982eef07a734c43

SHA256
66254297234ecd9e7943fe833b22b3608a5d8b3105a6386f42ea8aa684205438

SHA512
1dc680816a8e2fb860f9afcd26c04e825e93848d7becea6c0d483640a75bb7b10f0fbf70a86dca2866a8b70d7fb7c3b5f09eb58501fbfd92a54d6eb26077c63a

Download Submit
C:\Windows\system\jeVbfkv.exe

Filesize
5.2MB

MD5
bee64b8a1f54cfd757cb6e4c3be14b87

SHA1
9e0e5ef7caaff5b2920935dfd37638c4ba4f8002

SHA256
e4b02449795a3cb54ed4c49015c114a6d79579d26972ee921e454bc5deea1374

SHA512
accb318e580a425b2ffdf9c94832b9c2a1ac1c0da749a45cda73823cbed7cb5d4ce07e492289bddd6c91add07e8db37d38f2892f6cf890b96ab5e9a2cecadbbe

Download Submit
C:\Windows\system\kGlLpHH.exe

Filesize
5.2MB

MD5
c437c4872bc470407b87e6acdc542d73

SHA1
580433526a13ffe28fab18a983c79a440b668359

SHA256
81479f330e3dc0fa70cbbcee08c9e336cec96c66ed20f790f957bcc9635d1080

SHA512
c1250f8073b513b40b7cc1b6345dca889d92673d0786696af494f233f116fda0135b6e97b8520a210f7f865b07826418787e7e647ac9ea7e907f73f9eb2c95b4

Download Submit
C:\Windows\system\zWuePXp.exe

Filesize
5.2MB

MD5
a52d92b5faddd90b7f5ba25fc9016347

SHA1
2b21a236fd3c306239d1cc1faf0231ca20bda33c

SHA256
5031a3d13d8c19f037996c633a2d3cf3ec2d5beecb6aadaa72880781c0a2c392

SHA512
8af51f8fb3dd1d4afc771b5d971099fc00983e06b52955ffe3059fce7de7a549cdc9c28b15ce17d16f41c3abd90a7f8604f835f99d4765462b91526802c6d950

Download Submit
C:\Windows\system\zdZnuUg.exe

Filesize
5.2MB

MD5
28b31303a517549edcdd2143e4ae1428

SHA1
cb5bc796e7338c69e5ccb1b72b9bd1d352662ae0

SHA256
cfcdf45fdc8a09dbabb893656e304ec23abe70b179fd128b45878512ad537582

SHA512
51ad82c439f7bd04a6b7efccd0dfcc267562061b25938a00dbcefff40475cfa49852bede2b5591aaaa5072206267f3e6fccf9304fd6fd3991d18342137666666

Download Submit
\Windows\system\DJvXNWp.exe

Filesize
5.2MB

MD5
83a879170810426f878ef81946610319

SHA1
ab194b55f4bcfddd48159e8c94d1461b17d30ec0

SHA256
5a1e18cce2efe937b1dbebbecfff4a25c9279fdd585eec10777ac4f75018870f

SHA512
8c121de93738ef0518ba435e39a1bfb2269dcee1a6e848d03cbe2d74ec41f65704ac4ff188e10adbcd1061ac457d10860e18120993f9183c098d92c4f300ac23

Download Submit
\Windows\system\FjDfQLW.exe

Filesize
5.2MB

MD5
983edb9b0925128b96d936a0585f8fed

SHA1
2bb8185d4929648f61a16e90fc1fd7677d6ca624

SHA256
0e184fa8ceefc218810c9f5b16877f6266a6781f766f3284afdcec3c55c84746

SHA512
f9e8841b5e82092b15a0290942e00d386f5fe3788d5f4fbc03ed8b5a86ed940440bcc9f85fa1f2c0a88c918333ca02806975c0ba3fd27a2955ddeb39229dfd84

Download Submit
\Windows\system\VKttcIc.exe

Filesize
5.2MB

MD5
9b55fc277558baa56b0f0bd707769e5f

SHA1
055d94b975955ba31ce07c27a6c41e890263664d

SHA256
cbfab5b67ff28b090a55377b00392c2eb2a00282d7f00751bbf0e963617070bb

SHA512
15bf47bdce22b97963801ffd6f3a5d0e5a82338ba1a527783ff783fe132e1b814fca6c2a2de6705a3f6403de06473fe4fb83b608b87cd37bd635c7e0b5e71c05

Download Submit
\Windows\system\ZlQADIx.exe

Filesize
5.2MB

MD5
05f2756b6c490f8286a1e4713d607c5c

SHA1
7c2d5ec55fa406992b6f5567eed523af315db9b7

SHA256
8c4f1581f48dd8b77a9de216478d09079f45b30a043097e46a4f34ec85f24255

SHA512
4c6caa0ab3007328d06a305860bdac8dfe849317facb5eecb8992ddeecec4f6ebd1d0a0a9ce3d5751fb0a8275c75473131edaf683395d11ee03fad85a94ba458

Download Submit
\Windows\system\gfKJVfh.exe

Filesize
5.2MB

MD5
3255b23214eeb519e3ed773f8d162a87

SHA1
5d555ea6c9fec71b3dd043dc25a76309b08e5e0d

SHA256
9dc3bea0539c5b6db173721c157415eb70421b894f55bbb1a31534fc90e5e4c1

SHA512
5bcfb78cbf1a918ebeb22fa46c9ed7deff42ffb8cfbb8ceaac999c23e10910337c53bd02e668ad8fae932c6f83107f472ff64d892f342f3857f13dbc1eeed3f1

Download Submit
\Windows\system\mKLXUlZ.exe

Filesize
5.2MB

MD5
7822df11d541f5b7e69f47609ac0547c

SHA1
7d4d92e3d9bcf797cffe16ae22c289afe0ed64de

SHA256
6f75f1154bdbd58a43f9d5db63332bfdf61ef074156410e31d1c6c7ed9970640

SHA512
0a87f4035f3fff22d9fd4e71ee031d6a1fab3b2e5f94e3a84adf5dc5efa00a226ac24825fb9e13856276221897fdb12cc9f26efd9fce06338cddd7574933a2a7

Download Submit
\Windows\system\nVBuPrR.exe

Filesize
5.2MB

MD5
004071325d0baa9b9737685236217082

SHA1
f7b1f2fb8ae29a234918b1d6f62e06dfc077ddd3

SHA256
4789b9fc2bd941d7fdc7c9ad78697f36f222cc2192c89d122adfcd5fbb2c62a4

SHA512
2802b14a3a2d5aee86bf0f8169281c34a6544632a5436bd7c0f1c30922813cc9700105654c7a31da646ad8c52ef16fc830936548c536cc871910118e63b71caa

Download Submit
\Windows\system\uJQFskA.exe

Filesize
5.2MB

MD5
b6358012b7bfbfac027c926a9c0b431b

SHA1
bd681a4fb9749e62add99e073d88d76a9cb01f6d

SHA256
6e7163e35cf8a8497e9a9b0ac340a13a7c318f823c324ade195b5ae566f182cc

SHA512
864c09ea23e7175ae69770e7961220142cee689ec56e3c85c5c7bc3db5a1d1a0bef472ce1fd58615081f6b161a2e1bbb836a74e7333f486a3be5de606fcbf57e

Download Submit
memory/1188-151-0x000000013F960000-0x000000013FCB1000-memory.dmp

Filesize
3.3MB

Download
memory/1276-15-0x000000013F620000-0x000000013F971000-memory.dmp

Filesize
3.3MB

Download
memory/1276-213-0x000000013F620000-0x000000013F971000-memory.dmp

Filesize
3.3MB

Download
memory/1304-155-0x000000013FDA0000-0x00000001400F1000-memory.dmp

Filesize
3.3MB

Download
memory/1692-215-0x000000013FE90000-0x00000001401E1000-memory.dmp

Filesize
3.3MB

Download
memory/1692-25-0x000000013FE90000-0x00000001401E1000-memory.dmp

Filesize
3.3MB

Download
memory/1712-211-0x000000013F070000-0x000000013F3C1000-memory.dmp

Filesize
3.3MB

Download
memory/1712-12-0x000000013F070000-0x000000013F3C1000-memory.dmp

Filesize
3.3MB

Download
memory/1980-149-0x000000013F5D0000-0x000000013F921000-memory.dmp

Filesize
3.3MB

Download
memory/1984-237-0x000000013FCF0000-0x0000000140041000-memory.dmp

Filesize
3.3MB

Download
memory/1984-125-0x000000013FCF0000-0x0000000140041000-memory.dmp

Filesize
3.3MB

Download
memory/2020-152-0x000000013F6C0000-0x000000013FA11000-memory.dmp

Filesize
3.3MB

Download
memory/2184-0-0x000000013FAD0000-0x000000013FE21000-memory.dmp

Filesize
3.3MB

Download
memory/2184-26-0x000000013F5D0000-0x000000013F921000-memory.dmp

Filesize
3.3MB

Download
memory/2184-124-0x0000000002270000-0x00000000025C1000-memory.dmp

Filesize
3.3MB

Download
memory/2184-14-0x000000013F620000-0x000000013F971000-memory.dmp

Filesize
3.3MB

Download
memory/2184-179-0x000000013FE40000-0x0000000140191000-memory.dmp

Filesize
3.3MB

Download
memory/2184-88-0x000000013FFF0000-0x0000000140341000-memory.dmp

Filesize
3.3MB

Download
memory/2184-178-0x000000013FFF0000-0x0000000140341000-memory.dmp

Filesize
3.3MB

Download
memory/2184-35-0x000000013F540000-0x000000013F891000-memory.dmp

Filesize
3.3MB

Download
memory/2184-156-0x000000013FAD0000-0x000000013FE21000-memory.dmp

Filesize
3.3MB

Download
memory/2184-76-0x000000013FAD0000-0x000000013FE21000-memory.dmp

Filesize
3.3MB

Download
memory/2184-68-0x0000000002270000-0x00000000025C1000-memory.dmp

Filesize
3.3MB

Download
memory/2184-20-0x000000013FE90000-0x00000001401E1000-memory.dmp

Filesize
3.3MB

Download
memory/2184-65-0x0000000002270000-0x00000000025C1000-memory.dmp

Filesize
3.3MB

Download
memory/2184-1-0x00000000001F0000-0x0000000000200000-memory.dmp

Filesize
64KB

Download
memory/2184-150-0x0000000002270000-0x00000000025C1000-memory.dmp

Filesize
3.3MB

Download
memory/2184-41-0x000000013F5E0000-0x000000013F931000-memory.dmp

Filesize
3.3MB

Download
memory/2184-133-0x000000013FAD0000-0x000000013FE21000-memory.dmp

Filesize
3.3MB

Download
memory/2184-123-0x000000013FE40000-0x0000000140191000-memory.dmp

Filesize
3.3MB

Download
memory/2204-225-0x000000013F470000-0x000000013F7C1000-memory.dmp

Filesize
3.3MB

Download
memory/2204-70-0x000000013F470000-0x000000013F7C1000-memory.dmp

Filesize
3.3MB

Download
memory/2424-153-0x000000013FE90000-0x00000001401E1000-memory.dmp

Filesize
3.3MB

Download
memory/2496-154-0x000000013F2C0000-0x000000013F611000-memory.dmp

Filesize
3.3MB

Download
memory/2536-227-0x000000013FAF0000-0x000000013FE41000-memory.dmp

Filesize
3.3MB

Download
memory/2536-71-0x000000013FAF0000-0x000000013FE41000-memory.dmp

Filesize
3.3MB

Download
memory/2580-77-0x000000013FD10000-0x0000000140061000-memory.dmp

Filesize
3.3MB

Download
memory/2580-231-0x000000013FD10000-0x0000000140061000-memory.dmp

Filesize
3.3MB

Download
memory/2664-139-0x000000013F5E0000-0x000000013F931000-memory.dmp

Filesize
3.3MB

Download
memory/2664-42-0x000000013F5E0000-0x000000013F931000-memory.dmp

Filesize
3.3MB

Download
memory/2664-221-0x000000013F5E0000-0x000000013F931000-memory.dmp

Filesize
3.3MB

Download
memory/2684-28-0x000000013F5D0000-0x000000013F921000-memory.dmp

Filesize
3.3MB

Download
memory/2684-217-0x000000013F5D0000-0x000000013F921000-memory.dmp

Filesize
3.3MB

Download
memory/2684-132-0x000000013F5D0000-0x000000013F921000-memory.dmp

Filesize
3.3MB

Download
memory/2772-229-0x000000013FCF0000-0x0000000140041000-memory.dmp

Filesize
3.3MB

Download
memory/2772-72-0x000000013FCF0000-0x0000000140041000-memory.dmp

Filesize
3.3MB

Download
memory/2788-223-0x000000013FB40000-0x000000013FE91000-memory.dmp

Filesize
3.3MB

Download
memory/2788-56-0x000000013FB40000-0x000000013FE91000-memory.dmp

Filesize
3.3MB

Download
memory/2796-219-0x000000013F540000-0x000000013F891000-memory.dmp

Filesize
3.3MB

Download
memory/2796-36-0x000000013F540000-0x000000013F891000-memory.dmp

Filesize
3.3MB

Download
memory/2876-89-0x000000013FFF0000-0x0000000140341000-memory.dmp

Filesize
3.3MB

Download
memory/2876-234-0x000000013FFF0000-0x0000000140341000-memory.dmp

Filesize
3.3MB

Download
memory/2964-147-0x000000013FE40000-0x0000000140191000-memory.dmp

Filesize
3.3MB

Download
memory/3008-145-0x000000013FB70000-0x000000013FEC1000-memory.dmp

Filesize
3.3MB

Download
memory/3008-81-0x000000013FB70000-0x000000013FEC1000-memory.dmp

Filesize
3.3MB

Download
memory/3008-235-0x000000013FB70000-0x000000013FEC1000-memory.dmp

Filesize
3.3MB

Download