cobaltstrike | fd49ad1971cc66df57875c8dcee2f985287e3b622242e5c2ea11b02421ae85da

Analysis

max time kernel
149s
max time network
155s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
29/05/2024, 07:27

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-05-29_8a776fe5b6c4b43c807c56d055c6a089_cobalt-strike_cobaltstrike.exe
Size

5.2MB
MD5

8a776fe5b6c4b43c807c56d055c6a089
SHA1

49e59cce2e7f90dcb1e57cebd2016756fa8a578a
SHA256

fd49ad1971cc66df57875c8dcee2f985287e3b622242e5c2ea11b02421ae85da
SHA512

7709954258089181d2dcba70f4b36f046ccf4dfdf70b163e8ccb222a136e741df24e1a4962196c7275cdfbb5c571627a9056b0ef056b8a8b4bf466e81c6ae0cd
SSDEEP

49152:ROdWCCi7/rat56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lx:RWWBibC56utgpPFotBER/mQ32lUl

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x000b00000001560a-5.dat	cobalt_reflective_dll
behavioral1/files/0x0009000000015c69-16.dat	cobalt_reflective_dll
behavioral1/files/0x0029000000015c2f-12.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000186a0-57.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000018b73-101.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000018b96-99.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000018b6a-91.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000018b42-82.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000018b15-73.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000018b33-70.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000018ae2-66.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000018ae8-63.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000018ba2-108.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000018698-50.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000018b4a-89.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000018b37-80.dat	cobalt_reflective_dll
behavioral1/files/0x0010000000015c3c-55.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015cb9-31.dat	cobalt_reflective_dll
behavioral1/files/0x00080000000165ae-40.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015c7c-38.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015c87-29.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

resource	yara_rule
behavioral1/files/0x000b00000001560a-5.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0009000000015c69-16.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0029000000015c2f-12.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x00050000000186a0-57.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000018b73-101.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000018b96-99.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000018b6a-91.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000018b42-82.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000018b15-73.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000018b33-70.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000018ae2-66.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000018ae8-63.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000018ba2-108.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0005000000018698-50.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000018b4a-89.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000018b37-80.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0010000000015c3c-55.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000015cb9-31.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x00080000000165ae-40.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000015c7c-38.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000015c87-29.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

resource	yara_rule
behavioral1/memory/2300-0-0x000000013F1B0000-0x000000013F501000-memory.dmp	UPX
behavioral1/files/0x000b00000001560a-5.dat	UPX
behavioral1/memory/2104-20-0x000000013FBC0000-0x000000013FF11000-memory.dmp	UPX
behavioral1/files/0x0009000000015c69-16.dat	UPX
behavioral1/files/0x0029000000015c2f-12.dat	UPX
behavioral1/memory/2992-8-0x000000013F400000-0x000000013F751000-memory.dmp	UPX
behavioral1/memory/2436-34-0x000000013F7E0000-0x000000013FB31000-memory.dmp	UPX
behavioral1/files/0x00050000000186a0-57.dat	UPX
behavioral1/memory/1124-104-0x000000013F9E0000-0x000000013FD31000-memory.dmp	UPX
behavioral1/files/0x0006000000018b73-101.dat	UPX
behavioral1/files/0x0006000000018b96-99.dat	UPX
behavioral1/files/0x0006000000018b6a-91.dat	UPX
behavioral1/memory/1236-85-0x000000013F270000-0x000000013F5C1000-memory.dmp	UPX
behavioral1/files/0x0006000000018b42-82.dat	UPX
behavioral1/memory/2348-74-0x000000013F8E0000-0x000000013FC31000-memory.dmp	UPX
behavioral1/files/0x0006000000018b15-73.dat	UPX
behavioral1/files/0x0006000000018b33-70.dat	UPX
behavioral1/files/0x0006000000018ae2-66.dat	UPX
behavioral1/files/0x0006000000018ae8-63.dat	UPX
behavioral1/memory/2300-133-0x000000013F1B0000-0x000000013F501000-memory.dmp	UPX
behavioral1/files/0x0006000000018ba2-108.dat	UPX
behavioral1/memory/2012-52-0x000000013FBA0000-0x000000013FEF1000-memory.dmp	UPX
behavioral1/files/0x0005000000018698-50.dat	UPX
behavioral1/files/0x0006000000018b4a-89.dat	UPX
behavioral1/files/0x0006000000018b37-80.dat	UPX
behavioral1/memory/2856-79-0x000000013F7C0000-0x000000013FB11000-memory.dmp	UPX
behavioral1/files/0x0010000000015c3c-55.dat	UPX
behavioral1/memory/2572-141-0x000000013F670000-0x000000013F9C1000-memory.dmp	UPX
behavioral1/memory/2228-142-0x000000013F200000-0x000000013F551000-memory.dmp	UPX
behavioral1/memory/2436-140-0x000000013F7E0000-0x000000013FB31000-memory.dmp	UPX
behavioral1/memory/2556-139-0x000000013FBD0000-0x000000013FF21000-memory.dmp	UPX
behavioral1/memory/2300-135-0x000000013F1B0000-0x000000013F501000-memory.dmp	UPX
behavioral1/files/0x0007000000015cb9-31.dat	UPX
behavioral1/memory/2916-24-0x000000013FD30000-0x0000000140081000-memory.dmp	UPX
behavioral1/memory/2572-46-0x000000013F670000-0x000000013F9C1000-memory.dmp	UPX
behavioral1/memory/2228-44-0x000000013F200000-0x000000013F551000-memory.dmp	UPX
behavioral1/memory/2556-42-0x000000013FBD0000-0x000000013FF21000-memory.dmp	UPX
behavioral1/files/0x00080000000165ae-40.dat	UPX
behavioral1/files/0x0007000000015c7c-38.dat	UPX
behavioral1/memory/2012-143-0x000000013FBA0000-0x000000013FEF1000-memory.dmp	UPX
behavioral1/memory/2856-146-0x000000013F7C0000-0x000000013FB11000-memory.dmp	UPX
behavioral1/memory/2408-145-0x000000013F570000-0x000000013F8C1000-memory.dmp	UPX
behavioral1/memory/1124-150-0x000000013F9E0000-0x000000013FD31000-memory.dmp	UPX
behavioral1/memory/2372-155-0x000000013F9C0000-0x000000013FD11000-memory.dmp	UPX
behavioral1/memory/528-149-0x000000013F6C0000-0x000000013FA11000-memory.dmp	UPX
behavioral1/memory/2220-156-0x000000013F130000-0x000000013F481000-memory.dmp	UPX
behavioral1/memory/2700-153-0x000000013F0F0000-0x000000013F441000-memory.dmp	UPX
behavioral1/memory/2816-154-0x000000013F8F0000-0x000000013FC41000-memory.dmp	UPX
behavioral1/memory/636-152-0x000000013F120000-0x000000013F471000-memory.dmp	UPX
behavioral1/memory/1956-151-0x000000013F580000-0x000000013F8D1000-memory.dmp	UPX
behavioral1/memory/1236-148-0x000000013F270000-0x000000013F5C1000-memory.dmp	UPX
behavioral1/memory/3052-147-0x000000013F830000-0x000000013FB81000-memory.dmp	UPX
behavioral1/memory/2348-144-0x000000013F8E0000-0x000000013FC31000-memory.dmp	UPX
behavioral1/files/0x0007000000015c87-29.dat	UPX
behavioral1/memory/2300-157-0x000000013F1B0000-0x000000013F501000-memory.dmp	UPX
behavioral1/memory/2992-202-0x000000013F400000-0x000000013F751000-memory.dmp	UPX
behavioral1/memory/2916-206-0x000000013FD30000-0x0000000140081000-memory.dmp	UPX
behavioral1/memory/2104-205-0x000000013FBC0000-0x000000013FF11000-memory.dmp	UPX
behavioral1/memory/2436-223-0x000000013F7E0000-0x000000013FB31000-memory.dmp	UPX
behavioral1/memory/2228-229-0x000000013F200000-0x000000013F551000-memory.dmp	UPX
behavioral1/memory/2856-233-0x000000013F7C0000-0x000000013FB11000-memory.dmp	UPX
behavioral1/memory/2348-232-0x000000013F8E0000-0x000000013FC31000-memory.dmp	UPX
behavioral1/memory/1124-237-0x000000013F9E0000-0x000000013FD31000-memory.dmp	UPX
behavioral1/memory/2572-246-0x000000013F670000-0x000000013F9C1000-memory.dmp	UPX

XMRig Miner payload 36 IoCs

miner

resource	yara_rule
behavioral1/memory/2104-20-0x000000013FBC0000-0x000000013FF11000-memory.dmp	xmrig
behavioral1/memory/2992-8-0x000000013F400000-0x000000013F751000-memory.dmp	xmrig
behavioral1/memory/2300-133-0x000000013F1B0000-0x000000013F501000-memory.dmp	xmrig
behavioral1/memory/2572-141-0x000000013F670000-0x000000013F9C1000-memory.dmp	xmrig
behavioral1/memory/2228-142-0x000000013F200000-0x000000013F551000-memory.dmp	xmrig
behavioral1/memory/2436-140-0x000000013F7E0000-0x000000013FB31000-memory.dmp	xmrig
behavioral1/memory/2556-139-0x000000013FBD0000-0x000000013FF21000-memory.dmp	xmrig
behavioral1/memory/2300-135-0x000000013F1B0000-0x000000013F501000-memory.dmp	xmrig
behavioral1/memory/2916-24-0x000000013FD30000-0x0000000140081000-memory.dmp	xmrig
behavioral1/memory/2012-143-0x000000013FBA0000-0x000000013FEF1000-memory.dmp	xmrig
behavioral1/memory/2856-146-0x000000013F7C0000-0x000000013FB11000-memory.dmp	xmrig
behavioral1/memory/2408-145-0x000000013F570000-0x000000013F8C1000-memory.dmp	xmrig
behavioral1/memory/1124-150-0x000000013F9E0000-0x000000013FD31000-memory.dmp	xmrig
behavioral1/memory/2372-155-0x000000013F9C0000-0x000000013FD11000-memory.dmp	xmrig
behavioral1/memory/528-149-0x000000013F6C0000-0x000000013FA11000-memory.dmp	xmrig
behavioral1/memory/2220-156-0x000000013F130000-0x000000013F481000-memory.dmp	xmrig
behavioral1/memory/2700-153-0x000000013F0F0000-0x000000013F441000-memory.dmp	xmrig
behavioral1/memory/2816-154-0x000000013F8F0000-0x000000013FC41000-memory.dmp	xmrig
behavioral1/memory/636-152-0x000000013F120000-0x000000013F471000-memory.dmp	xmrig
behavioral1/memory/1956-151-0x000000013F580000-0x000000013F8D1000-memory.dmp	xmrig
behavioral1/memory/1236-148-0x000000013F270000-0x000000013F5C1000-memory.dmp	xmrig
behavioral1/memory/3052-147-0x000000013F830000-0x000000013FB81000-memory.dmp	xmrig
behavioral1/memory/2348-144-0x000000013F8E0000-0x000000013FC31000-memory.dmp	xmrig
behavioral1/memory/2300-157-0x000000013F1B0000-0x000000013F501000-memory.dmp	xmrig
behavioral1/memory/2992-202-0x000000013F400000-0x000000013F751000-memory.dmp	xmrig
behavioral1/memory/2916-206-0x000000013FD30000-0x0000000140081000-memory.dmp	xmrig
behavioral1/memory/2104-205-0x000000013FBC0000-0x000000013FF11000-memory.dmp	xmrig
behavioral1/memory/2436-223-0x000000013F7E0000-0x000000013FB31000-memory.dmp	xmrig
behavioral1/memory/2228-229-0x000000013F200000-0x000000013F551000-memory.dmp	xmrig
behavioral1/memory/2856-233-0x000000013F7C0000-0x000000013FB11000-memory.dmp	xmrig
behavioral1/memory/2348-232-0x000000013F8E0000-0x000000013FC31000-memory.dmp	xmrig
behavioral1/memory/1124-237-0x000000013F9E0000-0x000000013FD31000-memory.dmp	xmrig
behavioral1/memory/2572-246-0x000000013F670000-0x000000013F9C1000-memory.dmp	xmrig
behavioral1/memory/2012-245-0x000000013FBA0000-0x000000013FEF1000-memory.dmp	xmrig
behavioral1/memory/2556-242-0x000000013FBD0000-0x000000013FF21000-memory.dmp	xmrig
behavioral1/memory/1236-235-0x000000013F270000-0x000000013F5C1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2992	poCuvQg.exe
2104	uDDyoCA.exe
2916	WnyasXj.exe
2436	agnpHZv.exe
2556	hmaKsUs.exe
2228	qoNXRSU.exe
2572	DXGbtXK.exe
2012	iAotjzr.exe
2348	xUZupqj.exe
2856	RnGqQjQ.exe
1236	QOzvDEM.exe
1124	bmabRwu.exe
636	EDJKlsU.exe
2816	tjxORXJ.exe
2220	SjFFpDg.exe
2408	TAfmHAb.exe
3052	uZTtsBg.exe
528	LMJfnxG.exe
1956	JZYSxvu.exe
2700	PMDvBEN.exe
2372	uAdSanI.exe

Loads dropped DLL 21 IoCs

pid	Process
2300	2024-05-29_8a776fe5b6c4b43c807c56d055c6a089_cobalt-strike_cobaltstrike.exe
2300	2024-05-29_8a776fe5b6c4b43c807c56d055c6a089_cobalt-strike_cobaltstrike.exe
2300	2024-05-29_8a776fe5b6c4b43c807c56d055c6a089_cobalt-strike_cobaltstrike.exe
2300	2024-05-29_8a776fe5b6c4b43c807c56d055c6a089_cobalt-strike_cobaltstrike.exe
2300	2024-05-29_8a776fe5b6c4b43c807c56d055c6a089_cobalt-strike_cobaltstrike.exe
2300	2024-05-29_8a776fe5b6c4b43c807c56d055c6a089_cobalt-strike_cobaltstrike.exe
2300	2024-05-29_8a776fe5b6c4b43c807c56d055c6a089_cobalt-strike_cobaltstrike.exe
2300	2024-05-29_8a776fe5b6c4b43c807c56d055c6a089_cobalt-strike_cobaltstrike.exe
2300	2024-05-29_8a776fe5b6c4b43c807c56d055c6a089_cobalt-strike_cobaltstrike.exe
2300	2024-05-29_8a776fe5b6c4b43c807c56d055c6a089_cobalt-strike_cobaltstrike.exe
2300	2024-05-29_8a776fe5b6c4b43c807c56d055c6a089_cobalt-strike_cobaltstrike.exe
2300	2024-05-29_8a776fe5b6c4b43c807c56d055c6a089_cobalt-strike_cobaltstrike.exe
2300	2024-05-29_8a776fe5b6c4b43c807c56d055c6a089_cobalt-strike_cobaltstrike.exe
2300	2024-05-29_8a776fe5b6c4b43c807c56d055c6a089_cobalt-strike_cobaltstrike.exe
2300	2024-05-29_8a776fe5b6c4b43c807c56d055c6a089_cobalt-strike_cobaltstrike.exe
2300	2024-05-29_8a776fe5b6c4b43c807c56d055c6a089_cobalt-strike_cobaltstrike.exe
2300	2024-05-29_8a776fe5b6c4b43c807c56d055c6a089_cobalt-strike_cobaltstrike.exe
2300	2024-05-29_8a776fe5b6c4b43c807c56d055c6a089_cobalt-strike_cobaltstrike.exe
2300	2024-05-29_8a776fe5b6c4b43c807c56d055c6a089_cobalt-strike_cobaltstrike.exe
2300	2024-05-29_8a776fe5b6c4b43c807c56d055c6a089_cobalt-strike_cobaltstrike.exe
2300	2024-05-29_8a776fe5b6c4b43c807c56d055c6a089_cobalt-strike_cobaltstrike.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2300-0-0x000000013F1B0000-0x000000013F501000-memory.dmp	upx
behavioral1/files/0x000b00000001560a-5.dat	upx
behavioral1/memory/2104-20-0x000000013FBC0000-0x000000013FF11000-memory.dmp	upx
behavioral1/files/0x0009000000015c69-16.dat	upx
behavioral1/files/0x0029000000015c2f-12.dat	upx
behavioral1/memory/2992-8-0x000000013F400000-0x000000013F751000-memory.dmp	upx
behavioral1/memory/2436-34-0x000000013F7E0000-0x000000013FB31000-memory.dmp	upx
behavioral1/files/0x00050000000186a0-57.dat	upx
behavioral1/memory/1124-104-0x000000013F9E0000-0x000000013FD31000-memory.dmp	upx
behavioral1/files/0x0006000000018b73-101.dat	upx
behavioral1/files/0x0006000000018b96-99.dat	upx
behavioral1/files/0x0006000000018b6a-91.dat	upx
behavioral1/memory/1236-85-0x000000013F270000-0x000000013F5C1000-memory.dmp	upx
behavioral1/files/0x0006000000018b42-82.dat	upx
behavioral1/memory/2348-74-0x000000013F8E0000-0x000000013FC31000-memory.dmp	upx
behavioral1/files/0x0006000000018b15-73.dat	upx
behavioral1/files/0x0006000000018b33-70.dat	upx
behavioral1/files/0x0006000000018ae2-66.dat	upx
behavioral1/files/0x0006000000018ae8-63.dat	upx
behavioral1/memory/2300-133-0x000000013F1B0000-0x000000013F501000-memory.dmp	upx
behavioral1/files/0x0006000000018ba2-108.dat	upx
behavioral1/memory/2012-52-0x000000013FBA0000-0x000000013FEF1000-memory.dmp	upx
behavioral1/files/0x0005000000018698-50.dat	upx
behavioral1/files/0x0006000000018b4a-89.dat	upx
behavioral1/files/0x0006000000018b37-80.dat	upx
behavioral1/memory/2856-79-0x000000013F7C0000-0x000000013FB11000-memory.dmp	upx
behavioral1/files/0x0010000000015c3c-55.dat	upx
behavioral1/memory/2572-141-0x000000013F670000-0x000000013F9C1000-memory.dmp	upx
behavioral1/memory/2228-142-0x000000013F200000-0x000000013F551000-memory.dmp	upx
behavioral1/memory/2436-140-0x000000013F7E0000-0x000000013FB31000-memory.dmp	upx
behavioral1/memory/2556-139-0x000000013FBD0000-0x000000013FF21000-memory.dmp	upx
behavioral1/memory/2300-135-0x000000013F1B0000-0x000000013F501000-memory.dmp	upx
behavioral1/files/0x0007000000015cb9-31.dat	upx
behavioral1/memory/2916-24-0x000000013FD30000-0x0000000140081000-memory.dmp	upx
behavioral1/memory/2572-46-0x000000013F670000-0x000000013F9C1000-memory.dmp	upx
behavioral1/memory/2228-44-0x000000013F200000-0x000000013F551000-memory.dmp	upx
behavioral1/memory/2556-42-0x000000013FBD0000-0x000000013FF21000-memory.dmp	upx
behavioral1/files/0x00080000000165ae-40.dat	upx
behavioral1/files/0x0007000000015c7c-38.dat	upx
behavioral1/memory/2012-143-0x000000013FBA0000-0x000000013FEF1000-memory.dmp	upx
behavioral1/memory/2856-146-0x000000013F7C0000-0x000000013FB11000-memory.dmp	upx
behavioral1/memory/2408-145-0x000000013F570000-0x000000013F8C1000-memory.dmp	upx
behavioral1/memory/1124-150-0x000000013F9E0000-0x000000013FD31000-memory.dmp	upx
behavioral1/memory/2372-155-0x000000013F9C0000-0x000000013FD11000-memory.dmp	upx
behavioral1/memory/528-149-0x000000013F6C0000-0x000000013FA11000-memory.dmp	upx
behavioral1/memory/2220-156-0x000000013F130000-0x000000013F481000-memory.dmp	upx
behavioral1/memory/2700-153-0x000000013F0F0000-0x000000013F441000-memory.dmp	upx
behavioral1/memory/2816-154-0x000000013F8F0000-0x000000013FC41000-memory.dmp	upx
behavioral1/memory/636-152-0x000000013F120000-0x000000013F471000-memory.dmp	upx
behavioral1/memory/1956-151-0x000000013F580000-0x000000013F8D1000-memory.dmp	upx
behavioral1/memory/1236-148-0x000000013F270000-0x000000013F5C1000-memory.dmp	upx
behavioral1/memory/3052-147-0x000000013F830000-0x000000013FB81000-memory.dmp	upx
behavioral1/memory/2348-144-0x000000013F8E0000-0x000000013FC31000-memory.dmp	upx
behavioral1/files/0x0007000000015c87-29.dat	upx
behavioral1/memory/2300-157-0x000000013F1B0000-0x000000013F501000-memory.dmp	upx
behavioral1/memory/2992-202-0x000000013F400000-0x000000013F751000-memory.dmp	upx
behavioral1/memory/2916-206-0x000000013FD30000-0x0000000140081000-memory.dmp	upx
behavioral1/memory/2104-205-0x000000013FBC0000-0x000000013FF11000-memory.dmp	upx
behavioral1/memory/2436-223-0x000000013F7E0000-0x000000013FB31000-memory.dmp	upx
behavioral1/memory/2228-229-0x000000013F200000-0x000000013F551000-memory.dmp	upx
behavioral1/memory/2856-233-0x000000013F7C0000-0x000000013FB11000-memory.dmp	upx
behavioral1/memory/2348-232-0x000000013F8E0000-0x000000013FC31000-memory.dmp	upx
behavioral1/memory/1124-237-0x000000013F9E0000-0x000000013FD31000-memory.dmp	upx
behavioral1/memory/2572-246-0x000000013F670000-0x000000013F9C1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\poCuvQg.exe	2024-05-29_8a776fe5b6c4b43c807c56d055c6a089_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\agnpHZv.exe	2024-05-29_8a776fe5b6c4b43c807c56d055c6a089_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\uZTtsBg.exe	2024-05-29_8a776fe5b6c4b43c807c56d055c6a089_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\LMJfnxG.exe	2024-05-29_8a776fe5b6c4b43c807c56d055c6a089_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\JZYSxvu.exe	2024-05-29_8a776fe5b6c4b43c807c56d055c6a089_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\uAdSanI.exe	2024-05-29_8a776fe5b6c4b43c807c56d055c6a089_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\QOzvDEM.exe	2024-05-29_8a776fe5b6c4b43c807c56d055c6a089_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\uDDyoCA.exe	2024-05-29_8a776fe5b6c4b43c807c56d055c6a089_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\hmaKsUs.exe	2024-05-29_8a776fe5b6c4b43c807c56d055c6a089_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\qoNXRSU.exe	2024-05-29_8a776fe5b6c4b43c807c56d055c6a089_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\iAotjzr.exe	2024-05-29_8a776fe5b6c4b43c807c56d055c6a089_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\xUZupqj.exe	2024-05-29_8a776fe5b6c4b43c807c56d055c6a089_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\TAfmHAb.exe	2024-05-29_8a776fe5b6c4b43c807c56d055c6a089_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\RnGqQjQ.exe	2024-05-29_8a776fe5b6c4b43c807c56d055c6a089_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\bmabRwu.exe	2024-05-29_8a776fe5b6c4b43c807c56d055c6a089_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\WnyasXj.exe	2024-05-29_8a776fe5b6c4b43c807c56d055c6a089_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\DXGbtXK.exe	2024-05-29_8a776fe5b6c4b43c807c56d055c6a089_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\EDJKlsU.exe	2024-05-29_8a776fe5b6c4b43c807c56d055c6a089_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\PMDvBEN.exe	2024-05-29_8a776fe5b6c4b43c807c56d055c6a089_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\tjxORXJ.exe	2024-05-29_8a776fe5b6c4b43c807c56d055c6a089_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\SjFFpDg.exe	2024-05-29_8a776fe5b6c4b43c807c56d055c6a089_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2300	2024-05-29_8a776fe5b6c4b43c807c56d055c6a089_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	2300	2024-05-29_8a776fe5b6c4b43c807c56d055c6a089_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2300 wrote to memory of 2992	2300	2024-05-29_8a776fe5b6c4b43c807c56d055c6a089_cobalt-strike_cobaltstrike.exe	29
PID 2300 wrote to memory of 2992	2300	2024-05-29_8a776fe5b6c4b43c807c56d055c6a089_cobalt-strike_cobaltstrike.exe	29
PID 2300 wrote to memory of 2992	2300	2024-05-29_8a776fe5b6c4b43c807c56d055c6a089_cobalt-strike_cobaltstrike.exe	29
PID 2300 wrote to memory of 2104	2300	2024-05-29_8a776fe5b6c4b43c807c56d055c6a089_cobalt-strike_cobaltstrike.exe	30
PID 2300 wrote to memory of 2104	2300	2024-05-29_8a776fe5b6c4b43c807c56d055c6a089_cobalt-strike_cobaltstrike.exe	30
PID 2300 wrote to memory of 2104	2300	2024-05-29_8a776fe5b6c4b43c807c56d055c6a089_cobalt-strike_cobaltstrike.exe	30
PID 2300 wrote to memory of 2916	2300	2024-05-29_8a776fe5b6c4b43c807c56d055c6a089_cobalt-strike_cobaltstrike.exe	31
PID 2300 wrote to memory of 2916	2300	2024-05-29_8a776fe5b6c4b43c807c56d055c6a089_cobalt-strike_cobaltstrike.exe	31
PID 2300 wrote to memory of 2916	2300	2024-05-29_8a776fe5b6c4b43c807c56d055c6a089_cobalt-strike_cobaltstrike.exe	31
PID 2300 wrote to memory of 2556	2300	2024-05-29_8a776fe5b6c4b43c807c56d055c6a089_cobalt-strike_cobaltstrike.exe	32
PID 2300 wrote to memory of 2556	2300	2024-05-29_8a776fe5b6c4b43c807c56d055c6a089_cobalt-strike_cobaltstrike.exe	32
PID 2300 wrote to memory of 2556	2300	2024-05-29_8a776fe5b6c4b43c807c56d055c6a089_cobalt-strike_cobaltstrike.exe	32
PID 2300 wrote to memory of 2436	2300	2024-05-29_8a776fe5b6c4b43c807c56d055c6a089_cobalt-strike_cobaltstrike.exe	33
PID 2300 wrote to memory of 2436	2300	2024-05-29_8a776fe5b6c4b43c807c56d055c6a089_cobalt-strike_cobaltstrike.exe	33
PID 2300 wrote to memory of 2436	2300	2024-05-29_8a776fe5b6c4b43c807c56d055c6a089_cobalt-strike_cobaltstrike.exe	33
PID 2300 wrote to memory of 2572	2300	2024-05-29_8a776fe5b6c4b43c807c56d055c6a089_cobalt-strike_cobaltstrike.exe	34
PID 2300 wrote to memory of 2572	2300	2024-05-29_8a776fe5b6c4b43c807c56d055c6a089_cobalt-strike_cobaltstrike.exe	34
PID 2300 wrote to memory of 2572	2300	2024-05-29_8a776fe5b6c4b43c807c56d055c6a089_cobalt-strike_cobaltstrike.exe	34
PID 2300 wrote to memory of 2228	2300	2024-05-29_8a776fe5b6c4b43c807c56d055c6a089_cobalt-strike_cobaltstrike.exe	35
PID 2300 wrote to memory of 2228	2300	2024-05-29_8a776fe5b6c4b43c807c56d055c6a089_cobalt-strike_cobaltstrike.exe	35
PID 2300 wrote to memory of 2228	2300	2024-05-29_8a776fe5b6c4b43c807c56d055c6a089_cobalt-strike_cobaltstrike.exe	35
PID 2300 wrote to memory of 2012	2300	2024-05-29_8a776fe5b6c4b43c807c56d055c6a089_cobalt-strike_cobaltstrike.exe	36
PID 2300 wrote to memory of 2012	2300	2024-05-29_8a776fe5b6c4b43c807c56d055c6a089_cobalt-strike_cobaltstrike.exe	36
PID 2300 wrote to memory of 2012	2300	2024-05-29_8a776fe5b6c4b43c807c56d055c6a089_cobalt-strike_cobaltstrike.exe	36
PID 2300 wrote to memory of 2348	2300	2024-05-29_8a776fe5b6c4b43c807c56d055c6a089_cobalt-strike_cobaltstrike.exe	37
PID 2300 wrote to memory of 2348	2300	2024-05-29_8a776fe5b6c4b43c807c56d055c6a089_cobalt-strike_cobaltstrike.exe	37
PID 2300 wrote to memory of 2348	2300	2024-05-29_8a776fe5b6c4b43c807c56d055c6a089_cobalt-strike_cobaltstrike.exe	37
PID 2300 wrote to memory of 2408	2300	2024-05-29_8a776fe5b6c4b43c807c56d055c6a089_cobalt-strike_cobaltstrike.exe	38
PID 2300 wrote to memory of 2408	2300	2024-05-29_8a776fe5b6c4b43c807c56d055c6a089_cobalt-strike_cobaltstrike.exe	38
PID 2300 wrote to memory of 2408	2300	2024-05-29_8a776fe5b6c4b43c807c56d055c6a089_cobalt-strike_cobaltstrike.exe	38
PID 2300 wrote to memory of 2856	2300	2024-05-29_8a776fe5b6c4b43c807c56d055c6a089_cobalt-strike_cobaltstrike.exe	39
PID 2300 wrote to memory of 2856	2300	2024-05-29_8a776fe5b6c4b43c807c56d055c6a089_cobalt-strike_cobaltstrike.exe	39
PID 2300 wrote to memory of 2856	2300	2024-05-29_8a776fe5b6c4b43c807c56d055c6a089_cobalt-strike_cobaltstrike.exe	39
PID 2300 wrote to memory of 3052	2300	2024-05-29_8a776fe5b6c4b43c807c56d055c6a089_cobalt-strike_cobaltstrike.exe	40
PID 2300 wrote to memory of 3052	2300	2024-05-29_8a776fe5b6c4b43c807c56d055c6a089_cobalt-strike_cobaltstrike.exe	40
PID 2300 wrote to memory of 3052	2300	2024-05-29_8a776fe5b6c4b43c807c56d055c6a089_cobalt-strike_cobaltstrike.exe	40
PID 2300 wrote to memory of 1236	2300	2024-05-29_8a776fe5b6c4b43c807c56d055c6a089_cobalt-strike_cobaltstrike.exe	41
PID 2300 wrote to memory of 1236	2300	2024-05-29_8a776fe5b6c4b43c807c56d055c6a089_cobalt-strike_cobaltstrike.exe	41
PID 2300 wrote to memory of 1236	2300	2024-05-29_8a776fe5b6c4b43c807c56d055c6a089_cobalt-strike_cobaltstrike.exe	41
PID 2300 wrote to memory of 528	2300	2024-05-29_8a776fe5b6c4b43c807c56d055c6a089_cobalt-strike_cobaltstrike.exe	42
PID 2300 wrote to memory of 528	2300	2024-05-29_8a776fe5b6c4b43c807c56d055c6a089_cobalt-strike_cobaltstrike.exe	42
PID 2300 wrote to memory of 528	2300	2024-05-29_8a776fe5b6c4b43c807c56d055c6a089_cobalt-strike_cobaltstrike.exe	42
PID 2300 wrote to memory of 1124	2300	2024-05-29_8a776fe5b6c4b43c807c56d055c6a089_cobalt-strike_cobaltstrike.exe	43
PID 2300 wrote to memory of 1124	2300	2024-05-29_8a776fe5b6c4b43c807c56d055c6a089_cobalt-strike_cobaltstrike.exe	43
PID 2300 wrote to memory of 1124	2300	2024-05-29_8a776fe5b6c4b43c807c56d055c6a089_cobalt-strike_cobaltstrike.exe	43
PID 2300 wrote to memory of 1956	2300	2024-05-29_8a776fe5b6c4b43c807c56d055c6a089_cobalt-strike_cobaltstrike.exe	44
PID 2300 wrote to memory of 1956	2300	2024-05-29_8a776fe5b6c4b43c807c56d055c6a089_cobalt-strike_cobaltstrike.exe	44
PID 2300 wrote to memory of 1956	2300	2024-05-29_8a776fe5b6c4b43c807c56d055c6a089_cobalt-strike_cobaltstrike.exe	44
PID 2300 wrote to memory of 636	2300	2024-05-29_8a776fe5b6c4b43c807c56d055c6a089_cobalt-strike_cobaltstrike.exe	45
PID 2300 wrote to memory of 636	2300	2024-05-29_8a776fe5b6c4b43c807c56d055c6a089_cobalt-strike_cobaltstrike.exe	45
PID 2300 wrote to memory of 636	2300	2024-05-29_8a776fe5b6c4b43c807c56d055c6a089_cobalt-strike_cobaltstrike.exe	45
PID 2300 wrote to memory of 2700	2300	2024-05-29_8a776fe5b6c4b43c807c56d055c6a089_cobalt-strike_cobaltstrike.exe	46
PID 2300 wrote to memory of 2700	2300	2024-05-29_8a776fe5b6c4b43c807c56d055c6a089_cobalt-strike_cobaltstrike.exe	46
PID 2300 wrote to memory of 2700	2300	2024-05-29_8a776fe5b6c4b43c807c56d055c6a089_cobalt-strike_cobaltstrike.exe	46
PID 2300 wrote to memory of 2816	2300	2024-05-29_8a776fe5b6c4b43c807c56d055c6a089_cobalt-strike_cobaltstrike.exe	47
PID 2300 wrote to memory of 2816	2300	2024-05-29_8a776fe5b6c4b43c807c56d055c6a089_cobalt-strike_cobaltstrike.exe	47
PID 2300 wrote to memory of 2816	2300	2024-05-29_8a776fe5b6c4b43c807c56d055c6a089_cobalt-strike_cobaltstrike.exe	47
PID 2300 wrote to memory of 2372	2300	2024-05-29_8a776fe5b6c4b43c807c56d055c6a089_cobalt-strike_cobaltstrike.exe	48
PID 2300 wrote to memory of 2372	2300	2024-05-29_8a776fe5b6c4b43c807c56d055c6a089_cobalt-strike_cobaltstrike.exe	48
PID 2300 wrote to memory of 2372	2300	2024-05-29_8a776fe5b6c4b43c807c56d055c6a089_cobalt-strike_cobaltstrike.exe	48
PID 2300 wrote to memory of 2220	2300	2024-05-29_8a776fe5b6c4b43c807c56d055c6a089_cobalt-strike_cobaltstrike.exe	49
PID 2300 wrote to memory of 2220	2300	2024-05-29_8a776fe5b6c4b43c807c56d055c6a089_cobalt-strike_cobaltstrike.exe	49
PID 2300 wrote to memory of 2220	2300	2024-05-29_8a776fe5b6c4b43c807c56d055c6a089_cobalt-strike_cobaltstrike.exe	49

C:\Users\Admin\AppData\Local\Temp\2024-05-29_8a776fe5b6c4b43c807c56d055c6a089_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-29_8a776fe5b6c4b43c807c56d055c6a089_cobalt-strike_cobaltstrike.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2300
- C:\Windows\System\poCuvQg.exe
  C:\Windows\System\poCuvQg.exe
  2⤵
  - Executes dropped EXE
  PID:2992
- C:\Windows\System\uDDyoCA.exe
  C:\Windows\System\uDDyoCA.exe
  2⤵
  - Executes dropped EXE
  PID:2104
- C:\Windows\System\WnyasXj.exe
  C:\Windows\System\WnyasXj.exe
  2⤵
  - Executes dropped EXE
  PID:2916
- C:\Windows\System\hmaKsUs.exe
  C:\Windows\System\hmaKsUs.exe
  2⤵
  - Executes dropped EXE
  PID:2556
- C:\Windows\System\agnpHZv.exe
  C:\Windows\System\agnpHZv.exe
  2⤵
  - Executes dropped EXE
  PID:2436
- C:\Windows\System\DXGbtXK.exe
  C:\Windows\System\DXGbtXK.exe
  2⤵
  - Executes dropped EXE
  PID:2572
- C:\Windows\System\qoNXRSU.exe
  C:\Windows\System\qoNXRSU.exe
  2⤵
  - Executes dropped EXE
  PID:2228
- C:\Windows\System\iAotjzr.exe
  C:\Windows\System\iAotjzr.exe
  2⤵
  - Executes dropped EXE
  PID:2012
- C:\Windows\System\xUZupqj.exe
  C:\Windows\System\xUZupqj.exe
  2⤵
  - Executes dropped EXE
  PID:2348
- C:\Windows\System\TAfmHAb.exe
  C:\Windows\System\TAfmHAb.exe
  2⤵
  - Executes dropped EXE
  PID:2408
- C:\Windows\System\RnGqQjQ.exe
  C:\Windows\System\RnGqQjQ.exe
  2⤵
  - Executes dropped EXE
  PID:2856
- C:\Windows\System\uZTtsBg.exe
  C:\Windows\System\uZTtsBg.exe
  2⤵
  - Executes dropped EXE
  PID:3052
- C:\Windows\System\QOzvDEM.exe
  C:\Windows\System\QOzvDEM.exe
  2⤵
  - Executes dropped EXE
  PID:1236
- C:\Windows\System\LMJfnxG.exe
  C:\Windows\System\LMJfnxG.exe
  2⤵
  - Executes dropped EXE
  PID:528
- C:\Windows\System\bmabRwu.exe
  C:\Windows\System\bmabRwu.exe
  2⤵
  - Executes dropped EXE
  PID:1124
- C:\Windows\System\JZYSxvu.exe
  C:\Windows\System\JZYSxvu.exe
  2⤵
  - Executes dropped EXE
  PID:1956
- C:\Windows\System\EDJKlsU.exe
  C:\Windows\System\EDJKlsU.exe
  2⤵
  - Executes dropped EXE
  PID:636
- C:\Windows\System\PMDvBEN.exe
  C:\Windows\System\PMDvBEN.exe
  2⤵
  - Executes dropped EXE
  PID:2700
- C:\Windows\System\tjxORXJ.exe
  C:\Windows\System\tjxORXJ.exe
  2⤵
  - Executes dropped EXE
  PID:2816
- C:\Windows\System\uAdSanI.exe
  C:\Windows\System\uAdSanI.exe
  2⤵
  - Executes dropped EXE
  PID:2372
- C:\Windows\System\SjFFpDg.exe
  C:\Windows\System\SjFFpDg.exe
  2⤵
  - Executes dropped EXE
  PID:2220

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\EDJKlsU.exe

Filesize
5.2MB

MD5
0cea653b4816b69c8756a37599d386c7

SHA1
d05f15302bf78db24960bb3156c96cebad7ce0dd

SHA256
d053c61389e0e5404ad7c6e5bf46dda6466540a7d9cea20a1b3f00eb00f1806a

SHA512
54d83446237f73355638f9a0ef8b854c38e3b80a009a995d95dd1c4c4a465e52e9aec7adae4fcb224ea09c7c829cdecfd4bd65fe89ed5c991fa4c675e1f942fd

Download Submit
C:\Windows\system\QOzvDEM.exe

Filesize
5.2MB

MD5
148e3fe51d9777819ffb9bf337b3d859

SHA1
29a415e0e2d8c28534e13a62b65411691ef112cf

SHA256
764add5800d56773e80e8c8185cd4722cd40c40a9fb246835bf198c4ae0ab4a1

SHA512
c366ac7973393f5ff8111ab982d6b3027e9ba912ff977586cbdba324142c9b097550c25f7bd88cdd516e3ed1db5a7b5a51526fa241b08430dde9ad023dc6836c

Download Submit
C:\Windows\system\RnGqQjQ.exe

Filesize
5.2MB

MD5
f95d32202ea565b23f2daa0560bbbf80

SHA1
517e62fe6decdde9fd86d40e5133a415c8388fe2

SHA256
a75677003cbe1391256b939bf09a2be5f0479c237a9335d5583a41b477d18a69

SHA512
ebd2043b9e160660eb93def09af62ab92004141ccf5ab42e413c5bb6f3e3e708b27fa39eb30005a58fca449fab1b7749d51b4f17bdfeb57270d2eed0f8c61a9e

Download Submit
C:\Windows\system\SjFFpDg.exe

Filesize
5.2MB

MD5
1ca5092d29c1722f09c7fde4ff474d7b

SHA1
ba0ab65b6a3cca5b2c23e20526723d6124b5921b

SHA256
8b6627ba3a4d44a84d41ad756cfca5d0062480f623fe0e0dd465aca2ac24b1fb

SHA512
65009ccb433b1b63f20dc350dd743800b13f821cc39d1ac11fa39557d174820a729b2960b856405e0c992d46f2a1f06f7260bc224ba43118754c965a62048270

Download Submit
C:\Windows\system\WnyasXj.exe

Filesize
5.2MB

MD5
af2835bc7761d6ae54cee597154ddd2f

SHA1
c07830c72f8669bc5e2f2a78ca7c8ee89876159a

SHA256
b1784afc1ac03f902039b6ed1d204de256be07f1344941e0b7e5f13b117a387c

SHA512
181489e5a76aa5581619d2a66db3a4285fa955a8d22d20ed2dc5c56b5315eb9345239148924c3eaa81f9495728a6b36c7e7bc5be82a4096db424b8bdd71428e3

Download Submit
C:\Windows\system\agnpHZv.exe

Filesize
5.2MB

MD5
bb17f718494d55885fb87fe30eadd01a

SHA1
368931ad9ca53a0d3ac95dfbb88c3b58f7b7823f

SHA256
f33e92bc899dafce677ca21a14fd98bb3ccc83dc7a460725bff2116b765ae0c9

SHA512
864e55182266b77968f6ec3b24d68cebc9f5206fe2ea92bd52ef0b8ab7818353c9baa7702c8b3f4cb8ffb9f27412e212dd8495406cf643d7d3eebd3f87fcee87

Download Submit
C:\Windows\system\bmabRwu.exe

Filesize
5.2MB

MD5
2a89dba612cd634c76860b8ca1e8b505

SHA1
6f0631a77ddf0592c1a1a4b851275e2f4563b511

SHA256
0f526042bd2ca0957e6b377f6d33978ae0c2761d45a2a3c330c7a6b2bbdf6edb

SHA512
f3ab67a44b87193ff43e7201b68c2ffcf3abbfbff4488c448a83abd2a937e649632ce36ceb98d304ca8093926b5023a57949939d8b719348b66b12ff7dffbd90

Download Submit
C:\Windows\system\hmaKsUs.exe

Filesize
5.2MB

MD5
21cf3a5257ff299bdf71af6490e6cb9e

SHA1
e5eb10d3381ef6cb229dd4e5021937afaee131df

SHA256
4d8577ff7bf6502b7b2eea2ffd3beed928647f7d9235f38cd07d5f5dcfc479f0

SHA512
8d10882b05ad9cf570ed6c4e82d4a9b95caca1ed18ad2d2c370341d2065045f795a43afef24d37f168d70eb334ab5cb95d88ea9df39d3ee26e5bf577dd4002bf

Download Submit
C:\Windows\system\iAotjzr.exe

Filesize
5.2MB

MD5
d8d8fd7f2d9ecae457625d04c03c120c

SHA1
cf5c6e91dd9fa93680929593588899cb9718bfa4

SHA256
7af79e41d7d9b32a7408625cd4b3a520d5d3e99efe96f1d96ff5795dd978e3ee

SHA512
3334eefbab35f34b80f61f72971136694fda967c2f74d1cef08e4d4abb9fa97d1bddbf5b1f35bbf64c1436fcd73ae0d6c37b849f4162b0005ca5adc956f8a7fb

Download Submit
C:\Windows\system\poCuvQg.exe

Filesize
5.2MB

MD5
ef114524535d0f7f9f9b9e760fc34b85

SHA1
6af96423d126422c3b60ae91157a3b77f9e4ffda

SHA256
6965750d56c0c7d3bfbe20b95733608a2363f2a41fca5a8bf006237fd812f11b

SHA512
9b7dee3e9db39cfc1f3e4db7e523c695b40428878950fe2d57fb54701eb55b9a17509e88b3d5c5ed82d8cd3eded5ed8c3d803262edf68738465edd18d464487b

Download Submit
C:\Windows\system\qoNXRSU.exe

Filesize
5.2MB

MD5
47a2139afe3777af26b9ff77a75ebc28

SHA1
43505c28ebb5a850bf1007edefd5254a4ea55c6a

SHA256
cfe07a7825be141b3d75e647d6eb30aeeb77fd97071ad998e82a2085f7a0e55b

SHA512
8e27472278d4dea117833e69e87fbad14f4995c2c05340e93ab272cbdf1d3ce494a1a1898014a6acc62d979959d1e228c7ac4d2bab589490fc9bb0695ed4a8ca

Download Submit
C:\Windows\system\tjxORXJ.exe

Filesize
5.2MB

MD5
4192f1c380af72539d917dbcf6e33b75

SHA1
76840b4749a588a5c286cc772c1ac65b9fea1a48

SHA256
28b25d3322eb7fa28eeae914bfbf1c9f3bbc22db4f411f53cfb18f30146e7c43

SHA512
4327ad212df65255ae35c93bdf76c946ade4699f6ddfa85a0d2b915d5b8d323e63eae92236e943423da91749aaeed8df689e36aaa50c829783d7603a2736468b

Download Submit
C:\Windows\system\uDDyoCA.exe

Filesize
5.2MB

MD5
7958ea65804bcc6de2c94c162cfcbff6

SHA1
2169992f07b642709b8f714be956a809b96f7fa7

SHA256
4cf96d325e1e148fee2acf10306287683558485d8502ca3f7e94322243b5012a

SHA512
179b8761b71094eed0d1fa26592a05889cae7e0b43e81312a701730e3a2c8d4469c2886d91695a30b176e60e8a6e1b9a624fb601f4bd1b703ba2dbb008a4ca82

Download Submit
C:\Windows\system\xUZupqj.exe

Filesize
5.2MB

MD5
a0b7ce93b0d97d72ddeb5f2715369fef

SHA1
60fa6c137a551855f0188f88721b98c2c461df5e

SHA256
85708c5ae4f2a01fe3b7b573ec5aea43e99dd72943c32711ea831c40ff717e7d

SHA512
49cbe7120f42b6394efa00c3353acb10c4bf0878f9a26a29ad2958a44ebffe9688dc6ae7325f9bc2ca95e112e929c3c9a5a57768d82b7df087c9c076d4495255

Download Submit
\Windows\system\DXGbtXK.exe

Filesize
5.2MB

MD5
bf901ae074bacddc2ff13ccc34487e66

SHA1
319b86a20222447da7f8fd8548db0d9a08e5a5a3

SHA256
fe4c32ce949dad36e38442bfa621cff3d09f4787bfdd7346d6b4016f3e9c6485

SHA512
78aa1fb7fd1d95fb1475d4646a97056e10d64ab7ac14792f8fd30299f54e8333b5a0ed0ce6a59118260d1c44f305d0bd675f97d48f3eff2db8296eb359b72ff0

Download Submit
\Windows\system\JZYSxvu.exe

Filesize
5.2MB

MD5
d97c156860fd59278c6d3fe9ee39d88c

SHA1
a6fb4b52e48cc05f38b9ccbc708d81adce0cb34c

SHA256
2c3c9ac39e0fd6350dcb2eb31d497b4f099f399eb9926f33ee3c8477e89609de

SHA512
5aa9b05aa38b7f3abc041e7d090b56f3e8c704e038028e3eac597337274be8f38c9680bfe4721122d47a06a419472dd5738f60e803fdcda1c3f6c162cd1b3ffa

Download Submit
\Windows\system\LMJfnxG.exe

Filesize
5.2MB

MD5
2874d7971a350def6b8bcc7f52f0a582

SHA1
ddfed46bb8f07b11be7659950ab6899971d8b5fe

SHA256
c77c8b1439b215c6765f3856970cba4c06016b26fe4015a9c0af702b0b257c95

SHA512
be0c036231b8abcf6e54562c26420a11fcc9619e7312fb4ebec7bc93cf338540f93ed7a74fd9dae0bbdb1442a82be38585110fa8600be79dfeb957d995d61915

Download Submit
\Windows\system\PMDvBEN.exe

Filesize
5.2MB

MD5
4eb26bec5f0dc63a310fa196212efb3d

SHA1
e1f311af2c63695ea33392fceb6752adc13b3141

SHA256
accdd6f558a0d5aab80011de8a69a4393f87969dec5b1e6571a47da7ce526efe

SHA512
422d282940440a03f3617c9dc58e343a3a7e7817f146a7eba94e824600d853bcd15a60193187271e28bc0f49270e1b944c75f506df0f0fe4c1654ac0d5e5170d

Download Submit
\Windows\system\TAfmHAb.exe

Filesize
5.2MB

MD5
4dee8963d6e53bb728bac31295cc2b7a

SHA1
3578003c2d4c8f5d3280dd74f006c9fda6e6534c

SHA256
b45e4694061279a672d8d5704e75cb4f177e11f15024a2fa4a6471731537626d

SHA512
d4b7011b284b1837cf0eb2f53e003b0453e3c542181a738967589cda3c5b6911c98a14965e0c1c64f9bfdb71e35bf0b1afd1189032541cfff8d9c559f0b11524

Download Submit
\Windows\system\uAdSanI.exe

Filesize
5.2MB

MD5
b1720a3c06cde7e0ad12aa2a4e08ce10

SHA1
e6b58a932e52f47ec20596c93543c9d625be7a5b

SHA256
02dcfae9b53898f3da3bdadea0d7f9388c0f1ece81e2db76e855ef5b44208ab6

SHA512
afbda83689269e9a649557bf9d03ca94fdb522a5eef7de99f3c59915fbd86d2335a7c348c729ff00bbd101014ba31f00470ea9b58d07b84132db137acee81c4a

Download Submit
\Windows\system\uZTtsBg.exe

Filesize
5.2MB

MD5
3ada059bbe43e177ea990f7fd700b5ac

SHA1
f65e8196679ed602f847a0152d25787d177ac941

SHA256
427b107aeff0b1915b0103b5389beadb62f8ebed46bdea1255a2ba6f67040d40

SHA512
5cfeebcf1320e9133dabd2ba4307fee7e5e08375725e521e4790133d1128d77a24730bc486c833bed63e9c91366b94c72636c9cf1fda0b7261dbcc3b621f88a0

Download Submit
memory/528-149-0x000000013F6C0000-0x000000013FA11000-memory.dmp

Filesize
3.3MB

Download
memory/636-152-0x000000013F120000-0x000000013F471000-memory.dmp

Filesize
3.3MB

Download
memory/1124-150-0x000000013F9E0000-0x000000013FD31000-memory.dmp

Filesize
3.3MB

Download
memory/1124-237-0x000000013F9E0000-0x000000013FD31000-memory.dmp

Filesize
3.3MB

Download
memory/1124-104-0x000000013F9E0000-0x000000013FD31000-memory.dmp

Filesize
3.3MB

Download
memory/1236-148-0x000000013F270000-0x000000013F5C1000-memory.dmp

Filesize
3.3MB

Download
memory/1236-85-0x000000013F270000-0x000000013F5C1000-memory.dmp

Filesize
3.3MB

Download
memory/1236-235-0x000000013F270000-0x000000013F5C1000-memory.dmp

Filesize
3.3MB

Download
memory/1956-151-0x000000013F580000-0x000000013F8D1000-memory.dmp

Filesize
3.3MB

Download
memory/2012-143-0x000000013FBA0000-0x000000013FEF1000-memory.dmp

Filesize
3.3MB

Download
memory/2012-52-0x000000013FBA0000-0x000000013FEF1000-memory.dmp

Filesize
3.3MB

Download
memory/2012-245-0x000000013FBA0000-0x000000013FEF1000-memory.dmp

Filesize
3.3MB

Download
memory/2104-205-0x000000013FBC0000-0x000000013FF11000-memory.dmp

Filesize
3.3MB

Download
memory/2104-20-0x000000013FBC0000-0x000000013FF11000-memory.dmp

Filesize
3.3MB

Download
memory/2220-156-0x000000013F130000-0x000000013F481000-memory.dmp

Filesize
3.3MB

Download
memory/2228-142-0x000000013F200000-0x000000013F551000-memory.dmp

Filesize
3.3MB

Download
memory/2228-44-0x000000013F200000-0x000000013F551000-memory.dmp

Filesize
3.3MB

Download
memory/2228-229-0x000000013F200000-0x000000013F551000-memory.dmp

Filesize
3.3MB

Download
memory/2300-157-0x000000013F1B0000-0x000000013F501000-memory.dmp

Filesize
3.3MB

Download
memory/2300-25-0x000000013FD30000-0x0000000140081000-memory.dmp

Filesize
3.3MB

Download
memory/2300-19-0x000000013FBC0000-0x000000013FF11000-memory.dmp

Filesize
3.3MB

Download
memory/2300-1-0x00000000001F0000-0x0000000000200000-memory.dmp

Filesize
64KB

Download
memory/2300-51-0x000000013FBA0000-0x000000013FEF1000-memory.dmp

Filesize
3.3MB

Download
memory/2300-90-0x000000013F570000-0x000000013F8C1000-memory.dmp

Filesize
3.3MB

Download
memory/2300-135-0x000000013F1B0000-0x000000013F501000-memory.dmp

Filesize
3.3MB

Download
memory/2300-107-0x000000013F580000-0x000000013F8D1000-memory.dmp

Filesize
3.3MB

Download
memory/2300-43-0x0000000002430000-0x0000000002781000-memory.dmp

Filesize
3.3MB

Download
memory/2300-103-0x000000013F9E0000-0x000000013FD31000-memory.dmp

Filesize
3.3MB

Download
memory/2300-81-0x0000000002430000-0x0000000002781000-memory.dmp

Filesize
3.3MB

Download
memory/2300-98-0x000000013F6C0000-0x000000013FA11000-memory.dmp

Filesize
3.3MB

Download
memory/2300-41-0x000000013F670000-0x000000013F9C1000-memory.dmp

Filesize
3.3MB

Download
memory/2300-109-0x0000000002430000-0x0000000002781000-memory.dmp

Filesize
3.3MB

Download
memory/2300-133-0x000000013F1B0000-0x000000013F501000-memory.dmp

Filesize
3.3MB

Download
memory/2300-0-0x000000013F1B0000-0x000000013F501000-memory.dmp

Filesize
3.3MB

Download
memory/2300-30-0x000000013FBD0000-0x000000013FF21000-memory.dmp

Filesize
3.3MB

Download
memory/2300-94-0x000000013F7C0000-0x000000013FB11000-memory.dmp

Filesize
3.3MB

Download
memory/2300-75-0x000000013F830000-0x000000013FB81000-memory.dmp

Filesize
3.3MB

Download
memory/2300-134-0x000000013FBC0000-0x000000013FF11000-memory.dmp

Filesize
3.3MB

Download
memory/2348-144-0x000000013F8E0000-0x000000013FC31000-memory.dmp

Filesize
3.3MB

Download
memory/2348-74-0x000000013F8E0000-0x000000013FC31000-memory.dmp

Filesize
3.3MB

Download
memory/2348-232-0x000000013F8E0000-0x000000013FC31000-memory.dmp

Filesize
3.3MB

Download
memory/2372-155-0x000000013F9C0000-0x000000013FD11000-memory.dmp

Filesize
3.3MB

Download
memory/2408-145-0x000000013F570000-0x000000013F8C1000-memory.dmp

Filesize
3.3MB

Download
memory/2436-140-0x000000013F7E0000-0x000000013FB31000-memory.dmp

Filesize
3.3MB

Download
memory/2436-34-0x000000013F7E0000-0x000000013FB31000-memory.dmp

Filesize
3.3MB

Download
memory/2436-223-0x000000013F7E0000-0x000000013FB31000-memory.dmp

Filesize
3.3MB

Download
memory/2556-242-0x000000013FBD0000-0x000000013FF21000-memory.dmp

Filesize
3.3MB

Download
memory/2556-139-0x000000013FBD0000-0x000000013FF21000-memory.dmp

Filesize
3.3MB

Download
memory/2556-42-0x000000013FBD0000-0x000000013FF21000-memory.dmp

Filesize
3.3MB

Download
memory/2572-141-0x000000013F670000-0x000000013F9C1000-memory.dmp

Filesize
3.3MB

Download
memory/2572-46-0x000000013F670000-0x000000013F9C1000-memory.dmp

Filesize
3.3MB

Download
memory/2572-246-0x000000013F670000-0x000000013F9C1000-memory.dmp

Filesize
3.3MB

Download
memory/2700-153-0x000000013F0F0000-0x000000013F441000-memory.dmp

Filesize
3.3MB

Download
memory/2816-154-0x000000013F8F0000-0x000000013FC41000-memory.dmp

Filesize
3.3MB

Download
memory/2856-146-0x000000013F7C0000-0x000000013FB11000-memory.dmp

Filesize
3.3MB

Download
memory/2856-79-0x000000013F7C0000-0x000000013FB11000-memory.dmp

Filesize
3.3MB

Download
memory/2856-233-0x000000013F7C0000-0x000000013FB11000-memory.dmp

Filesize
3.3MB

Download
memory/2916-24-0x000000013FD30000-0x0000000140081000-memory.dmp

Filesize
3.3MB

Download
memory/2916-206-0x000000013FD30000-0x0000000140081000-memory.dmp

Filesize
3.3MB

Download
memory/2992-8-0x000000013F400000-0x000000013F751000-memory.dmp

Filesize
3.3MB

Download
memory/2992-202-0x000000013F400000-0x000000013F751000-memory.dmp

Filesize
3.3MB

Download
memory/3052-147-0x000000013F830000-0x000000013FB81000-memory.dmp

Filesize
3.3MB

Download