cobaltstrike | 193ae54886dfdd5490c2e9be29c6e86ee938af21684c9cd0d5cfa2667707c75b

Analysis

max time kernel
137s
max time network
148s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
29/05/2024, 10:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-29_1a252e38b32954baaaccdf9e4e510db6_cobalt-strike_cobaltstrike.exe
Size

5.9MB
MD5

1a252e38b32954baaaccdf9e4e510db6
SHA1

5e2be8f5b1eece01b069c1b99fb5275b779aef54
SHA256

193ae54886dfdd5490c2e9be29c6e86ee938af21684c9cd0d5cfa2667707c75b
SHA512

78a58b6111dc6aa9671679c72bc87b4e5f76f11c997680ed1ffd5f7f59b15413370a8bed2f65b9a077d475c563cfcb3a24ce455d5ed427e16cfb1b047d39c3ae
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lU9:Q+856utgpPF8u/79

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x000b000000013420-3.dat	cobalt_reflective_dll
behavioral1/files/0x003a000000013a84-7.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000014186-9.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000014207-23.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000014228-27.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000014246-38.dat	cobalt_reflective_dll
behavioral1/files/0x000800000001471a-43.dat	cobalt_reflective_dll
behavioral1/files/0x000600000001487f-50.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000014a9a-59.dat	cobalt_reflective_dll
behavioral1/files/0x0038000000013acb-66.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000014b18-73.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000014b4c-82.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000014e71-91.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000014bbc-89.dat	cobalt_reflective_dll
behavioral1/files/0x000600000001564f-118.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015653-117.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015677-130.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015684-133.dat	cobalt_reflective_dll
behavioral1/files/0x000600000001565d-125.dat	cobalt_reflective_dll
behavioral1/files/0x000600000001535e-116.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000014fa2-103.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

resource	yara_rule
behavioral1/files/0x000b000000013420-3.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x003a000000013a84-7.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000014186-9.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000014207-23.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000014228-27.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000014246-38.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x000800000001471a-43.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x000600000001487f-50.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000014a9a-59.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0038000000013acb-66.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000014b18-73.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000014b4c-82.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000014e71-91.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000014bbc-89.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x000600000001564f-118.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015653-117.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015677-130.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015684-133.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x000600000001565d-125.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x000600000001535e-116.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000014fa2-103.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 55 IoCs

resource	yara_rule
behavioral1/memory/1988-2-0x000000013F5E0000-0x000000013F934000-memory.dmp	UPX
behavioral1/files/0x000b000000013420-3.dat	UPX
behavioral1/files/0x003a000000013a84-7.dat	UPX
behavioral1/files/0x0007000000014186-9.dat	UPX
behavioral1/memory/2980-20-0x000000013F980000-0x000000013FCD4000-memory.dmp	UPX
behavioral1/memory/2192-21-0x000000013F710000-0x000000013FA64000-memory.dmp	UPX
behavioral1/memory/2604-22-0x000000013F9D0000-0x000000013FD24000-memory.dmp	UPX
behavioral1/files/0x0007000000014207-23.dat	UPX
behavioral1/files/0x0007000000014228-27.dat	UPX
behavioral1/memory/2488-35-0x000000013FB90000-0x000000013FEE4000-memory.dmp	UPX
behavioral1/memory/2688-33-0x000000013FF00000-0x0000000140254000-memory.dmp	UPX
behavioral1/files/0x0007000000014246-38.dat	UPX
behavioral1/memory/2396-42-0x000000013F400000-0x000000013F754000-memory.dmp	UPX
behavioral1/files/0x000800000001471a-43.dat	UPX
behavioral1/memory/2372-55-0x000000013F650000-0x000000013F9A4000-memory.dmp	UPX
behavioral1/memory/2484-56-0x000000013F9A0000-0x000000013FCF4000-memory.dmp	UPX
behavioral1/files/0x000600000001487f-50.dat	UPX
behavioral1/files/0x0006000000014a9a-59.dat	UPX
behavioral1/memory/2492-63-0x000000013F540000-0x000000013F894000-memory.dmp	UPX
behavioral1/files/0x0038000000013acb-66.dat	UPX
behavioral1/memory/2996-72-0x000000013FD30000-0x0000000140084000-memory.dmp	UPX
behavioral1/files/0x0006000000014b18-73.dat	UPX
behavioral1/memory/2708-79-0x000000013F050000-0x000000013F3A4000-memory.dmp	UPX
behavioral1/memory/2704-86-0x000000013F8C0000-0x000000013FC14000-memory.dmp	UPX
behavioral1/files/0x0006000000014b4c-82.dat	UPX
behavioral1/memory/1988-68-0x000000013F5E0000-0x000000013F934000-memory.dmp	UPX
behavioral1/files/0x0006000000014e71-91.dat	UPX
behavioral1/memory/2612-97-0x000000013F8C0000-0x000000013FC14000-memory.dmp	UPX
behavioral1/memory/2028-99-0x000000013F270000-0x000000013F5C4000-memory.dmp	UPX
behavioral1/files/0x0006000000014bbc-89.dat	UPX
behavioral1/files/0x000600000001564f-118.dat	UPX
behavioral1/files/0x0006000000015653-117.dat	UPX
behavioral1/files/0x0006000000015677-130.dat	UPX
behavioral1/files/0x0006000000015684-133.dat	UPX
behavioral1/files/0x000600000001565d-125.dat	UPX
behavioral1/files/0x000600000001535e-116.dat	UPX
behavioral1/files/0x0006000000014fa2-103.dat	UPX
behavioral1/memory/2372-138-0x000000013F650000-0x000000013F9A4000-memory.dmp	UPX
behavioral1/memory/2492-139-0x000000013F540000-0x000000013F894000-memory.dmp	UPX
behavioral1/memory/2612-142-0x000000013F8C0000-0x000000013FC14000-memory.dmp	UPX
behavioral1/memory/2028-143-0x000000013F270000-0x000000013F5C4000-memory.dmp	UPX
behavioral1/memory/2980-145-0x000000013F980000-0x000000013FCD4000-memory.dmp	UPX
behavioral1/memory/2192-146-0x000000013F710000-0x000000013FA64000-memory.dmp	UPX
behavioral1/memory/2604-147-0x000000013F9D0000-0x000000013FD24000-memory.dmp	UPX
behavioral1/memory/2688-148-0x000000013FF00000-0x0000000140254000-memory.dmp	UPX
behavioral1/memory/2488-149-0x000000013FB90000-0x000000013FEE4000-memory.dmp	UPX
behavioral1/memory/2396-150-0x000000013F400000-0x000000013F754000-memory.dmp	UPX
behavioral1/memory/2484-151-0x000000013F9A0000-0x000000013FCF4000-memory.dmp	UPX
behavioral1/memory/2372-152-0x000000013F650000-0x000000013F9A4000-memory.dmp	UPX
behavioral1/memory/2492-153-0x000000013F540000-0x000000013F894000-memory.dmp	UPX
behavioral1/memory/2996-154-0x000000013FD30000-0x0000000140084000-memory.dmp	UPX
behavioral1/memory/2708-155-0x000000013F050000-0x000000013F3A4000-memory.dmp	UPX
behavioral1/memory/2704-156-0x000000013F8C0000-0x000000013FC14000-memory.dmp	UPX
behavioral1/memory/2612-157-0x000000013F8C0000-0x000000013FC14000-memory.dmp	UPX
behavioral1/memory/2028-158-0x000000013F270000-0x000000013F5C4000-memory.dmp	UPX

XMRig Miner payload 58 IoCs

miner

resource	yara_rule
behavioral1/memory/1988-2-0x000000013F5E0000-0x000000013F934000-memory.dmp	xmrig
behavioral1/files/0x000b000000013420-3.dat	xmrig
behavioral1/files/0x003a000000013a84-7.dat	xmrig
behavioral1/files/0x0007000000014186-9.dat	xmrig
behavioral1/memory/2980-20-0x000000013F980000-0x000000013FCD4000-memory.dmp	xmrig
behavioral1/memory/2192-21-0x000000013F710000-0x000000013FA64000-memory.dmp	xmrig
behavioral1/memory/2604-22-0x000000013F9D0000-0x000000013FD24000-memory.dmp	xmrig
behavioral1/files/0x0007000000014207-23.dat	xmrig
behavioral1/files/0x0007000000014228-27.dat	xmrig
behavioral1/memory/2488-35-0x000000013FB90000-0x000000013FEE4000-memory.dmp	xmrig
behavioral1/memory/2688-33-0x000000013FF00000-0x0000000140254000-memory.dmp	xmrig
behavioral1/files/0x0007000000014246-38.dat	xmrig
behavioral1/memory/2396-42-0x000000013F400000-0x000000013F754000-memory.dmp	xmrig
behavioral1/files/0x000800000001471a-43.dat	xmrig
behavioral1/memory/2372-55-0x000000013F650000-0x000000013F9A4000-memory.dmp	xmrig
behavioral1/memory/2484-56-0x000000013F9A0000-0x000000013FCF4000-memory.dmp	xmrig
behavioral1/files/0x000600000001487f-50.dat	xmrig
behavioral1/files/0x0006000000014a9a-59.dat	xmrig
behavioral1/memory/2492-63-0x000000013F540000-0x000000013F894000-memory.dmp	xmrig
behavioral1/files/0x0038000000013acb-66.dat	xmrig
behavioral1/memory/2996-72-0x000000013FD30000-0x0000000140084000-memory.dmp	xmrig
behavioral1/files/0x0006000000014b18-73.dat	xmrig
behavioral1/memory/2708-79-0x000000013F050000-0x000000013F3A4000-memory.dmp	xmrig
behavioral1/memory/1988-78-0x000000013F050000-0x000000013F3A4000-memory.dmp	xmrig
behavioral1/memory/2704-86-0x000000013F8C0000-0x000000013FC14000-memory.dmp	xmrig
behavioral1/memory/1988-85-0x00000000024B0000-0x0000000002804000-memory.dmp	xmrig
behavioral1/files/0x0006000000014b4c-82.dat	xmrig
behavioral1/memory/1988-68-0x000000013F5E0000-0x000000013F934000-memory.dmp	xmrig
behavioral1/files/0x0006000000014e71-91.dat	xmrig
behavioral1/memory/2612-97-0x000000013F8C0000-0x000000013FC14000-memory.dmp	xmrig
behavioral1/memory/2028-99-0x000000013F270000-0x000000013F5C4000-memory.dmp	xmrig
behavioral1/files/0x0006000000014bbc-89.dat	xmrig
behavioral1/files/0x000600000001564f-118.dat	xmrig
behavioral1/files/0x0006000000015653-117.dat	xmrig
behavioral1/files/0x0006000000015677-130.dat	xmrig
behavioral1/files/0x0006000000015684-133.dat	xmrig
behavioral1/files/0x000600000001565d-125.dat	xmrig
behavioral1/files/0x000600000001535e-116.dat	xmrig
behavioral1/files/0x0006000000014fa2-103.dat	xmrig
behavioral1/memory/2372-138-0x000000013F650000-0x000000013F9A4000-memory.dmp	xmrig
behavioral1/memory/2492-139-0x000000013F540000-0x000000013F894000-memory.dmp	xmrig
behavioral1/memory/2612-142-0x000000013F8C0000-0x000000013FC14000-memory.dmp	xmrig
behavioral1/memory/2028-143-0x000000013F270000-0x000000013F5C4000-memory.dmp	xmrig
behavioral1/memory/1988-144-0x000000013F1B0000-0x000000013F504000-memory.dmp	xmrig
behavioral1/memory/2980-145-0x000000013F980000-0x000000013FCD4000-memory.dmp	xmrig
behavioral1/memory/2192-146-0x000000013F710000-0x000000013FA64000-memory.dmp	xmrig
behavioral1/memory/2604-147-0x000000013F9D0000-0x000000013FD24000-memory.dmp	xmrig
behavioral1/memory/2688-148-0x000000013FF00000-0x0000000140254000-memory.dmp	xmrig
behavioral1/memory/2488-149-0x000000013FB90000-0x000000013FEE4000-memory.dmp	xmrig
behavioral1/memory/2396-150-0x000000013F400000-0x000000013F754000-memory.dmp	xmrig
behavioral1/memory/2484-151-0x000000013F9A0000-0x000000013FCF4000-memory.dmp	xmrig
behavioral1/memory/2372-152-0x000000013F650000-0x000000013F9A4000-memory.dmp	xmrig
behavioral1/memory/2492-153-0x000000013F540000-0x000000013F894000-memory.dmp	xmrig
behavioral1/memory/2996-154-0x000000013FD30000-0x0000000140084000-memory.dmp	xmrig
behavioral1/memory/2708-155-0x000000013F050000-0x000000013F3A4000-memory.dmp	xmrig
behavioral1/memory/2704-156-0x000000013F8C0000-0x000000013FC14000-memory.dmp	xmrig
behavioral1/memory/2612-157-0x000000013F8C0000-0x000000013FC14000-memory.dmp	xmrig
behavioral1/memory/2028-158-0x000000013F270000-0x000000013F5C4000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2980	LGkmTiJ.exe
2192	sXDSyEK.exe
2604	pRKSxIQ.exe
2688	imrggZj.exe
2488	aSqCMMu.exe
2396	GfZKoxw.exe
2484	lxDvPUA.exe
2372	eykwBjZ.exe
2492	FZXkyni.exe
2996	dHUfzDw.exe
2708	raFUxuo.exe
2704	yXfNVEw.exe
2612	ugQLMos.exe
2028	dvBcycH.exe
1600	WzGkizV.exe
2280	IEfSjTj.exe
2292	loGapqh.exe
2304	aRCTljF.exe
2276	eEddxtM.exe
356	QyUDlkp.exe
296	zNoyBbp.exe

Loads dropped DLL 21 IoCs

pid	Process
1988	2024-05-29_1a252e38b32954baaaccdf9e4e510db6_cobalt-strike_cobaltstrike.exe
1988	2024-05-29_1a252e38b32954baaaccdf9e4e510db6_cobalt-strike_cobaltstrike.exe
1988	2024-05-29_1a252e38b32954baaaccdf9e4e510db6_cobalt-strike_cobaltstrike.exe
1988	2024-05-29_1a252e38b32954baaaccdf9e4e510db6_cobalt-strike_cobaltstrike.exe
1988	2024-05-29_1a252e38b32954baaaccdf9e4e510db6_cobalt-strike_cobaltstrike.exe
1988	2024-05-29_1a252e38b32954baaaccdf9e4e510db6_cobalt-strike_cobaltstrike.exe
1988	2024-05-29_1a252e38b32954baaaccdf9e4e510db6_cobalt-strike_cobaltstrike.exe
1988	2024-05-29_1a252e38b32954baaaccdf9e4e510db6_cobalt-strike_cobaltstrike.exe
1988	2024-05-29_1a252e38b32954baaaccdf9e4e510db6_cobalt-strike_cobaltstrike.exe
1988	2024-05-29_1a252e38b32954baaaccdf9e4e510db6_cobalt-strike_cobaltstrike.exe
1988	2024-05-29_1a252e38b32954baaaccdf9e4e510db6_cobalt-strike_cobaltstrike.exe
1988	2024-05-29_1a252e38b32954baaaccdf9e4e510db6_cobalt-strike_cobaltstrike.exe
1988	2024-05-29_1a252e38b32954baaaccdf9e4e510db6_cobalt-strike_cobaltstrike.exe
1988	2024-05-29_1a252e38b32954baaaccdf9e4e510db6_cobalt-strike_cobaltstrike.exe
1988	2024-05-29_1a252e38b32954baaaccdf9e4e510db6_cobalt-strike_cobaltstrike.exe
1988	2024-05-29_1a252e38b32954baaaccdf9e4e510db6_cobalt-strike_cobaltstrike.exe
1988	2024-05-29_1a252e38b32954baaaccdf9e4e510db6_cobalt-strike_cobaltstrike.exe
1988	2024-05-29_1a252e38b32954baaaccdf9e4e510db6_cobalt-strike_cobaltstrike.exe
1988	2024-05-29_1a252e38b32954baaaccdf9e4e510db6_cobalt-strike_cobaltstrike.exe
1988	2024-05-29_1a252e38b32954baaaccdf9e4e510db6_cobalt-strike_cobaltstrike.exe
1988	2024-05-29_1a252e38b32954baaaccdf9e4e510db6_cobalt-strike_cobaltstrike.exe

UPX packed file 55 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1988-2-0x000000013F5E0000-0x000000013F934000-memory.dmp	upx
behavioral1/files/0x000b000000013420-3.dat	upx
behavioral1/files/0x003a000000013a84-7.dat	upx
behavioral1/files/0x0007000000014186-9.dat	upx
behavioral1/memory/2980-20-0x000000013F980000-0x000000013FCD4000-memory.dmp	upx
behavioral1/memory/2192-21-0x000000013F710000-0x000000013FA64000-memory.dmp	upx
behavioral1/memory/2604-22-0x000000013F9D0000-0x000000013FD24000-memory.dmp	upx
behavioral1/files/0x0007000000014207-23.dat	upx
behavioral1/files/0x0007000000014228-27.dat	upx
behavioral1/memory/2488-35-0x000000013FB90000-0x000000013FEE4000-memory.dmp	upx
behavioral1/memory/2688-33-0x000000013FF00000-0x0000000140254000-memory.dmp	upx
behavioral1/files/0x0007000000014246-38.dat	upx
behavioral1/memory/2396-42-0x000000013F400000-0x000000013F754000-memory.dmp	upx
behavioral1/files/0x000800000001471a-43.dat	upx
behavioral1/memory/2372-55-0x000000013F650000-0x000000013F9A4000-memory.dmp	upx
behavioral1/memory/2484-56-0x000000013F9A0000-0x000000013FCF4000-memory.dmp	upx
behavioral1/files/0x000600000001487f-50.dat	upx
behavioral1/files/0x0006000000014a9a-59.dat	upx
behavioral1/memory/2492-63-0x000000013F540000-0x000000013F894000-memory.dmp	upx
behavioral1/files/0x0038000000013acb-66.dat	upx
behavioral1/memory/2996-72-0x000000013FD30000-0x0000000140084000-memory.dmp	upx
behavioral1/files/0x0006000000014b18-73.dat	upx
behavioral1/memory/2708-79-0x000000013F050000-0x000000013F3A4000-memory.dmp	upx
behavioral1/memory/2704-86-0x000000013F8C0000-0x000000013FC14000-memory.dmp	upx
behavioral1/files/0x0006000000014b4c-82.dat	upx
behavioral1/memory/1988-68-0x000000013F5E0000-0x000000013F934000-memory.dmp	upx
behavioral1/files/0x0006000000014e71-91.dat	upx
behavioral1/memory/2612-97-0x000000013F8C0000-0x000000013FC14000-memory.dmp	upx
behavioral1/memory/2028-99-0x000000013F270000-0x000000013F5C4000-memory.dmp	upx
behavioral1/files/0x0006000000014bbc-89.dat	upx
behavioral1/files/0x000600000001564f-118.dat	upx
behavioral1/files/0x0006000000015653-117.dat	upx
behavioral1/files/0x0006000000015677-130.dat	upx
behavioral1/files/0x0006000000015684-133.dat	upx
behavioral1/files/0x000600000001565d-125.dat	upx
behavioral1/files/0x000600000001535e-116.dat	upx
behavioral1/files/0x0006000000014fa2-103.dat	upx
behavioral1/memory/2372-138-0x000000013F650000-0x000000013F9A4000-memory.dmp	upx
behavioral1/memory/2492-139-0x000000013F540000-0x000000013F894000-memory.dmp	upx
behavioral1/memory/2612-142-0x000000013F8C0000-0x000000013FC14000-memory.dmp	upx
behavioral1/memory/2028-143-0x000000013F270000-0x000000013F5C4000-memory.dmp	upx
behavioral1/memory/2980-145-0x000000013F980000-0x000000013FCD4000-memory.dmp	upx
behavioral1/memory/2192-146-0x000000013F710000-0x000000013FA64000-memory.dmp	upx
behavioral1/memory/2604-147-0x000000013F9D0000-0x000000013FD24000-memory.dmp	upx
behavioral1/memory/2688-148-0x000000013FF00000-0x0000000140254000-memory.dmp	upx
behavioral1/memory/2488-149-0x000000013FB90000-0x000000013FEE4000-memory.dmp	upx
behavioral1/memory/2396-150-0x000000013F400000-0x000000013F754000-memory.dmp	upx
behavioral1/memory/2484-151-0x000000013F9A0000-0x000000013FCF4000-memory.dmp	upx
behavioral1/memory/2372-152-0x000000013F650000-0x000000013F9A4000-memory.dmp	upx
behavioral1/memory/2492-153-0x000000013F540000-0x000000013F894000-memory.dmp	upx
behavioral1/memory/2996-154-0x000000013FD30000-0x0000000140084000-memory.dmp	upx
behavioral1/memory/2708-155-0x000000013F050000-0x000000013F3A4000-memory.dmp	upx
behavioral1/memory/2704-156-0x000000013F8C0000-0x000000013FC14000-memory.dmp	upx
behavioral1/memory/2612-157-0x000000013F8C0000-0x000000013FC14000-memory.dmp	upx
behavioral1/memory/2028-158-0x000000013F270000-0x000000013F5C4000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\ugQLMos.exe	2024-05-29_1a252e38b32954baaaccdf9e4e510db6_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\imrggZj.exe	2024-05-29_1a252e38b32954baaaccdf9e4e510db6_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\eykwBjZ.exe	2024-05-29_1a252e38b32954baaaccdf9e4e510db6_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\yXfNVEw.exe	2024-05-29_1a252e38b32954baaaccdf9e4e510db6_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\dvBcycH.exe	2024-05-29_1a252e38b32954baaaccdf9e4e510db6_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\WzGkizV.exe	2024-05-29_1a252e38b32954baaaccdf9e4e510db6_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\IEfSjTj.exe	2024-05-29_1a252e38b32954baaaccdf9e4e510db6_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\aRCTljF.exe	2024-05-29_1a252e38b32954baaaccdf9e4e510db6_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\zNoyBbp.exe	2024-05-29_1a252e38b32954baaaccdf9e4e510db6_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\sXDSyEK.exe	2024-05-29_1a252e38b32954baaaccdf9e4e510db6_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\dHUfzDw.exe	2024-05-29_1a252e38b32954baaaccdf9e4e510db6_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\raFUxuo.exe	2024-05-29_1a252e38b32954baaaccdf9e4e510db6_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\lxDvPUA.exe	2024-05-29_1a252e38b32954baaaccdf9e4e510db6_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\pRKSxIQ.exe	2024-05-29_1a252e38b32954baaaccdf9e4e510db6_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\aSqCMMu.exe	2024-05-29_1a252e38b32954baaaccdf9e4e510db6_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\GfZKoxw.exe	2024-05-29_1a252e38b32954baaaccdf9e4e510db6_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\FZXkyni.exe	2024-05-29_1a252e38b32954baaaccdf9e4e510db6_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\loGapqh.exe	2024-05-29_1a252e38b32954baaaccdf9e4e510db6_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\eEddxtM.exe	2024-05-29_1a252e38b32954baaaccdf9e4e510db6_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\QyUDlkp.exe	2024-05-29_1a252e38b32954baaaccdf9e4e510db6_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\LGkmTiJ.exe	2024-05-29_1a252e38b32954baaaccdf9e4e510db6_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1988	2024-05-29_1a252e38b32954baaaccdf9e4e510db6_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	1988	2024-05-29_1a252e38b32954baaaccdf9e4e510db6_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 1988 wrote to memory of 2980	1988	2024-05-29_1a252e38b32954baaaccdf9e4e510db6_cobalt-strike_cobaltstrike.exe	29
PID 1988 wrote to memory of 2980	1988	2024-05-29_1a252e38b32954baaaccdf9e4e510db6_cobalt-strike_cobaltstrike.exe	29
PID 1988 wrote to memory of 2980	1988	2024-05-29_1a252e38b32954baaaccdf9e4e510db6_cobalt-strike_cobaltstrike.exe	29
PID 1988 wrote to memory of 2192	1988	2024-05-29_1a252e38b32954baaaccdf9e4e510db6_cobalt-strike_cobaltstrike.exe	30
PID 1988 wrote to memory of 2192	1988	2024-05-29_1a252e38b32954baaaccdf9e4e510db6_cobalt-strike_cobaltstrike.exe	30
PID 1988 wrote to memory of 2192	1988	2024-05-29_1a252e38b32954baaaccdf9e4e510db6_cobalt-strike_cobaltstrike.exe	30
PID 1988 wrote to memory of 2604	1988	2024-05-29_1a252e38b32954baaaccdf9e4e510db6_cobalt-strike_cobaltstrike.exe	31
PID 1988 wrote to memory of 2604	1988	2024-05-29_1a252e38b32954baaaccdf9e4e510db6_cobalt-strike_cobaltstrike.exe	31
PID 1988 wrote to memory of 2604	1988	2024-05-29_1a252e38b32954baaaccdf9e4e510db6_cobalt-strike_cobaltstrike.exe	31
PID 1988 wrote to memory of 2688	1988	2024-05-29_1a252e38b32954baaaccdf9e4e510db6_cobalt-strike_cobaltstrike.exe	32
PID 1988 wrote to memory of 2688	1988	2024-05-29_1a252e38b32954baaaccdf9e4e510db6_cobalt-strike_cobaltstrike.exe	32
PID 1988 wrote to memory of 2688	1988	2024-05-29_1a252e38b32954baaaccdf9e4e510db6_cobalt-strike_cobaltstrike.exe	32
PID 1988 wrote to memory of 2488	1988	2024-05-29_1a252e38b32954baaaccdf9e4e510db6_cobalt-strike_cobaltstrike.exe	33
PID 1988 wrote to memory of 2488	1988	2024-05-29_1a252e38b32954baaaccdf9e4e510db6_cobalt-strike_cobaltstrike.exe	33
PID 1988 wrote to memory of 2488	1988	2024-05-29_1a252e38b32954baaaccdf9e4e510db6_cobalt-strike_cobaltstrike.exe	33
PID 1988 wrote to memory of 2396	1988	2024-05-29_1a252e38b32954baaaccdf9e4e510db6_cobalt-strike_cobaltstrike.exe	34
PID 1988 wrote to memory of 2396	1988	2024-05-29_1a252e38b32954baaaccdf9e4e510db6_cobalt-strike_cobaltstrike.exe	34
PID 1988 wrote to memory of 2396	1988	2024-05-29_1a252e38b32954baaaccdf9e4e510db6_cobalt-strike_cobaltstrike.exe	34
PID 1988 wrote to memory of 2484	1988	2024-05-29_1a252e38b32954baaaccdf9e4e510db6_cobalt-strike_cobaltstrike.exe	35
PID 1988 wrote to memory of 2484	1988	2024-05-29_1a252e38b32954baaaccdf9e4e510db6_cobalt-strike_cobaltstrike.exe	35
PID 1988 wrote to memory of 2484	1988	2024-05-29_1a252e38b32954baaaccdf9e4e510db6_cobalt-strike_cobaltstrike.exe	35
PID 1988 wrote to memory of 2372	1988	2024-05-29_1a252e38b32954baaaccdf9e4e510db6_cobalt-strike_cobaltstrike.exe	36
PID 1988 wrote to memory of 2372	1988	2024-05-29_1a252e38b32954baaaccdf9e4e510db6_cobalt-strike_cobaltstrike.exe	36
PID 1988 wrote to memory of 2372	1988	2024-05-29_1a252e38b32954baaaccdf9e4e510db6_cobalt-strike_cobaltstrike.exe	36
PID 1988 wrote to memory of 2492	1988	2024-05-29_1a252e38b32954baaaccdf9e4e510db6_cobalt-strike_cobaltstrike.exe	37
PID 1988 wrote to memory of 2492	1988	2024-05-29_1a252e38b32954baaaccdf9e4e510db6_cobalt-strike_cobaltstrike.exe	37
PID 1988 wrote to memory of 2492	1988	2024-05-29_1a252e38b32954baaaccdf9e4e510db6_cobalt-strike_cobaltstrike.exe	37
PID 1988 wrote to memory of 2996	1988	2024-05-29_1a252e38b32954baaaccdf9e4e510db6_cobalt-strike_cobaltstrike.exe	38
PID 1988 wrote to memory of 2996	1988	2024-05-29_1a252e38b32954baaaccdf9e4e510db6_cobalt-strike_cobaltstrike.exe	38
PID 1988 wrote to memory of 2996	1988	2024-05-29_1a252e38b32954baaaccdf9e4e510db6_cobalt-strike_cobaltstrike.exe	38
PID 1988 wrote to memory of 2708	1988	2024-05-29_1a252e38b32954baaaccdf9e4e510db6_cobalt-strike_cobaltstrike.exe	39
PID 1988 wrote to memory of 2708	1988	2024-05-29_1a252e38b32954baaaccdf9e4e510db6_cobalt-strike_cobaltstrike.exe	39
PID 1988 wrote to memory of 2708	1988	2024-05-29_1a252e38b32954baaaccdf9e4e510db6_cobalt-strike_cobaltstrike.exe	39
PID 1988 wrote to memory of 2704	1988	2024-05-29_1a252e38b32954baaaccdf9e4e510db6_cobalt-strike_cobaltstrike.exe	40
PID 1988 wrote to memory of 2704	1988	2024-05-29_1a252e38b32954baaaccdf9e4e510db6_cobalt-strike_cobaltstrike.exe	40
PID 1988 wrote to memory of 2704	1988	2024-05-29_1a252e38b32954baaaccdf9e4e510db6_cobalt-strike_cobaltstrike.exe	40
PID 1988 wrote to memory of 2612	1988	2024-05-29_1a252e38b32954baaaccdf9e4e510db6_cobalt-strike_cobaltstrike.exe	41
PID 1988 wrote to memory of 2612	1988	2024-05-29_1a252e38b32954baaaccdf9e4e510db6_cobalt-strike_cobaltstrike.exe	41
PID 1988 wrote to memory of 2612	1988	2024-05-29_1a252e38b32954baaaccdf9e4e510db6_cobalt-strike_cobaltstrike.exe	41
PID 1988 wrote to memory of 2028	1988	2024-05-29_1a252e38b32954baaaccdf9e4e510db6_cobalt-strike_cobaltstrike.exe	42
PID 1988 wrote to memory of 2028	1988	2024-05-29_1a252e38b32954baaaccdf9e4e510db6_cobalt-strike_cobaltstrike.exe	42
PID 1988 wrote to memory of 2028	1988	2024-05-29_1a252e38b32954baaaccdf9e4e510db6_cobalt-strike_cobaltstrike.exe	42
PID 1988 wrote to memory of 1600	1988	2024-05-29_1a252e38b32954baaaccdf9e4e510db6_cobalt-strike_cobaltstrike.exe	43
PID 1988 wrote to memory of 1600	1988	2024-05-29_1a252e38b32954baaaccdf9e4e510db6_cobalt-strike_cobaltstrike.exe	43
PID 1988 wrote to memory of 1600	1988	2024-05-29_1a252e38b32954baaaccdf9e4e510db6_cobalt-strike_cobaltstrike.exe	43
PID 1988 wrote to memory of 2280	1988	2024-05-29_1a252e38b32954baaaccdf9e4e510db6_cobalt-strike_cobaltstrike.exe	44
PID 1988 wrote to memory of 2280	1988	2024-05-29_1a252e38b32954baaaccdf9e4e510db6_cobalt-strike_cobaltstrike.exe	44
PID 1988 wrote to memory of 2280	1988	2024-05-29_1a252e38b32954baaaccdf9e4e510db6_cobalt-strike_cobaltstrike.exe	44
PID 1988 wrote to memory of 2304	1988	2024-05-29_1a252e38b32954baaaccdf9e4e510db6_cobalt-strike_cobaltstrike.exe	45
PID 1988 wrote to memory of 2304	1988	2024-05-29_1a252e38b32954baaaccdf9e4e510db6_cobalt-strike_cobaltstrike.exe	45
PID 1988 wrote to memory of 2304	1988	2024-05-29_1a252e38b32954baaaccdf9e4e510db6_cobalt-strike_cobaltstrike.exe	45
PID 1988 wrote to memory of 2292	1988	2024-05-29_1a252e38b32954baaaccdf9e4e510db6_cobalt-strike_cobaltstrike.exe	46
PID 1988 wrote to memory of 2292	1988	2024-05-29_1a252e38b32954baaaccdf9e4e510db6_cobalt-strike_cobaltstrike.exe	46
PID 1988 wrote to memory of 2292	1988	2024-05-29_1a252e38b32954baaaccdf9e4e510db6_cobalt-strike_cobaltstrike.exe	46
PID 1988 wrote to memory of 2276	1988	2024-05-29_1a252e38b32954baaaccdf9e4e510db6_cobalt-strike_cobaltstrike.exe	47
PID 1988 wrote to memory of 2276	1988	2024-05-29_1a252e38b32954baaaccdf9e4e510db6_cobalt-strike_cobaltstrike.exe	47
PID 1988 wrote to memory of 2276	1988	2024-05-29_1a252e38b32954baaaccdf9e4e510db6_cobalt-strike_cobaltstrike.exe	47
PID 1988 wrote to memory of 356	1988	2024-05-29_1a252e38b32954baaaccdf9e4e510db6_cobalt-strike_cobaltstrike.exe	48
PID 1988 wrote to memory of 356	1988	2024-05-29_1a252e38b32954baaaccdf9e4e510db6_cobalt-strike_cobaltstrike.exe	48
PID 1988 wrote to memory of 356	1988	2024-05-29_1a252e38b32954baaaccdf9e4e510db6_cobalt-strike_cobaltstrike.exe	48
PID 1988 wrote to memory of 296	1988	2024-05-29_1a252e38b32954baaaccdf9e4e510db6_cobalt-strike_cobaltstrike.exe	49
PID 1988 wrote to memory of 296	1988	2024-05-29_1a252e38b32954baaaccdf9e4e510db6_cobalt-strike_cobaltstrike.exe	49
PID 1988 wrote to memory of 296	1988	2024-05-29_1a252e38b32954baaaccdf9e4e510db6_cobalt-strike_cobaltstrike.exe	49

C:\Users\Admin\AppData\Local\Temp\2024-05-29_1a252e38b32954baaaccdf9e4e510db6_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-29_1a252e38b32954baaaccdf9e4e510db6_cobalt-strike_cobaltstrike.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1988
- C:\Windows\System\LGkmTiJ.exe
  C:\Windows\System\LGkmTiJ.exe
  2⤵
  - Executes dropped EXE
  PID:2980
- C:\Windows\System\sXDSyEK.exe
  C:\Windows\System\sXDSyEK.exe
  2⤵
  - Executes dropped EXE
  PID:2192
- C:\Windows\System\pRKSxIQ.exe
  C:\Windows\System\pRKSxIQ.exe
  2⤵
  - Executes dropped EXE
  PID:2604
- C:\Windows\System\imrggZj.exe
  C:\Windows\System\imrggZj.exe
  2⤵
  - Executes dropped EXE
  PID:2688
- C:\Windows\System\aSqCMMu.exe
  C:\Windows\System\aSqCMMu.exe
  2⤵
  - Executes dropped EXE
  PID:2488
- C:\Windows\System\GfZKoxw.exe
  C:\Windows\System\GfZKoxw.exe
  2⤵
  - Executes dropped EXE
  PID:2396
- C:\Windows\System\lxDvPUA.exe
  C:\Windows\System\lxDvPUA.exe
  2⤵
  - Executes dropped EXE
  PID:2484
- C:\Windows\System\eykwBjZ.exe
  C:\Windows\System\eykwBjZ.exe
  2⤵
  - Executes dropped EXE
  PID:2372
- C:\Windows\System\FZXkyni.exe
  C:\Windows\System\FZXkyni.exe
  2⤵
  - Executes dropped EXE
  PID:2492
- C:\Windows\System\dHUfzDw.exe
  C:\Windows\System\dHUfzDw.exe
  2⤵
  - Executes dropped EXE
  PID:2996
- C:\Windows\System\raFUxuo.exe
  C:\Windows\System\raFUxuo.exe
  2⤵
  - Executes dropped EXE
  PID:2708
- C:\Windows\System\yXfNVEw.exe
  C:\Windows\System\yXfNVEw.exe
  2⤵
  - Executes dropped EXE
  PID:2704
- C:\Windows\System\ugQLMos.exe
  C:\Windows\System\ugQLMos.exe
  2⤵
  - Executes dropped EXE
  PID:2612
- C:\Windows\System\dvBcycH.exe
  C:\Windows\System\dvBcycH.exe
  2⤵
  - Executes dropped EXE
  PID:2028
- C:\Windows\System\WzGkizV.exe
  C:\Windows\System\WzGkizV.exe
  2⤵
  - Executes dropped EXE
  PID:1600
- C:\Windows\System\IEfSjTj.exe
  C:\Windows\System\IEfSjTj.exe
  2⤵
  - Executes dropped EXE
  PID:2280
- C:\Windows\System\aRCTljF.exe
  C:\Windows\System\aRCTljF.exe
  2⤵
  - Executes dropped EXE
  PID:2304
- C:\Windows\System\loGapqh.exe
  C:\Windows\System\loGapqh.exe
  2⤵
  - Executes dropped EXE
  PID:2292
- C:\Windows\System\eEddxtM.exe
  C:\Windows\System\eEddxtM.exe
  2⤵
  - Executes dropped EXE
  PID:2276
- C:\Windows\System\QyUDlkp.exe
  C:\Windows\System\QyUDlkp.exe
  2⤵
  - Executes dropped EXE
  PID:356
- C:\Windows\System\zNoyBbp.exe
  C:\Windows\System\zNoyBbp.exe
  2⤵
  - Executes dropped EXE
  PID:296

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\FZXkyni.exe

Filesize
5.9MB

MD5
5e384422759649b55af5b58ee8ae4e6b

SHA1
6e12477b15a999a32dc057d6715e6ca4b77083bc

SHA256
3f4113d1f2f439826cedf85faf38b5235a268fca0456a2eaa5289b21c5fba356

SHA512
0d8aa9961ab4aa1f6e05e09446175a2b4667418d63d5b465fa503f329201a3a296128381bfbf2ee924c32adf64c124631861e4d6074a8b50ec995bd473be0e0b

Download Submit
C:\Windows\system\GfZKoxw.exe

Filesize
5.9MB

MD5
95946965b99fd0d83b1dc32d8a1b5781

SHA1
b0cb85544faff1f8b6ccf0c806b75210216b831a

SHA256
fbf40812887681a8f19c42a19b7cdc7d1fab6a4f5209c315e99b0fb8937e85eb

SHA512
c8deffef564f7fc01aa99d0affaea5200ba05a6137cf8dba5baeabb47c49bd687727086f01bf9135395bd8ed0ac3b3b228f4adf1af065b8293f057f495c8cfcc

Download Submit
C:\Windows\system\IEfSjTj.exe

Filesize
5.9MB

MD5
c2259f6792733b697b1c9fc68ea304b9

SHA1
0d90009a0526ca15d54f1fc3554bc4e6cd454ba3

SHA256
69f38efc7751443166fb4845e2e60d85dd80c99866f479d65bcf6848d8d46b00

SHA512
8b2a1556b0d4908bc77d7851b75fc4ddc9e49a154393ee769fa6f3d4c0ddf8543706125eb0182767e4a38910621da4a9d9f9cdf2d94a6c32a485945ad5d35b16

Download Submit
C:\Windows\system\QyUDlkp.exe

Filesize
5.9MB

MD5
f6819869f13f8013ba3be940919813c5

SHA1
21da89cfedb6e7f5093036b9fc24e4e2d6a185a5

SHA256
e06d2d5d6a499985fb453f05c147fcfb84dc0a93e3e9669113cdab213826cfd1

SHA512
ffd8de112c58835dfe3456bb56aa14894cd8e37636b13211f08a241c3133ab25f2afdfa3913fb665480fa907074d1dae9db5ee6a35511b4958e4c7bb0fe90395

Download Submit
C:\Windows\system\WzGkizV.exe

Filesize
5.9MB

MD5
67e73e5117748fe7122f3e053f6ceb69

SHA1
fc53c291bef5ab242c04e21c01fbc9981df1f0db

SHA256
ee92411fb1f6dfca5abe28db31ecee780d934ff5a84b9ed8fc486e504b3c94c0

SHA512
7e38087b6a7caf16e609cc259ade130c98e2e4927701c25e70e3f7b93f5bf38279a502e657a0b54d9660822cadc5018726281d59cd44891722f8f7266fdf7196

Download Submit
C:\Windows\system\aRCTljF.exe

Filesize
5.9MB

MD5
4228d4a38130215c40d7e59c0f1582df

SHA1
f25359a66c0188a863fdcd33451923e3fde697c0

SHA256
82b7c4bc6b27318fc39de6cb2b97f6dad199afa7e04a337b895e765177b30825

SHA512
e5e937819d688128a9f589cd00deb76a8b9cb9479f6cb0d220d0285f3a22e13bfb7e4a0c492cf6ec86c3a63239471e0fb1b825551b3ac8e31d5348116c674c20

Download Submit
C:\Windows\system\dHUfzDw.exe

Filesize
5.9MB

MD5
3d2cf178f17b7a6e2fc2b811d185d4a9

SHA1
8bd1a4508dea425a9347c0b23a4d58d5a10f8232

SHA256
d51d6ab14599776419e1fecc5410b703f00ac3128ff0b26b58f7e82befe47b94

SHA512
2477f928d7c358b48dbd85963b76541ac181488d36d19f90dc38c1c6ea07d39294ab4f76993b2fd4c26395fa0314faa5dce9f960802c59386488165d017e45c8

Download Submit
C:\Windows\system\eEddxtM.exe

Filesize
5.9MB

MD5
796847dbc646e72b9e7eb96f75c76974

SHA1
821fe73b497a75fdd5ab4515fe21a1d0e9e7f732

SHA256
520eae1a4967e4fb5f77a7908fb43790765a5a7b709f183a21a758f5eb09af62

SHA512
f5175fd55599a2d2d78ec6a8e0d64ee7668bc591a9f9e540a8bb1eafe379d3f8a1325f4f2cfb42289a84c15ce47272b0b8dcf5f0fc4e332106fd86f41d399a88

Download Submit
C:\Windows\system\eykwBjZ.exe

Filesize
5.9MB

MD5
7437e4c31fd5b0d39029c5ea8e469dc9

SHA1
ea91b0a200b1cbac81453f548ac7d636158d877a

SHA256
db7f580fd8dc6893fc0802be0924b841a0e57ced6997c2fb8c2c8d5258c7321b

SHA512
87d681d89372c8a1b56e266575af540cd187ff39a3835370f801b812919ddc112851cc8432cd1d90cd41bb8de2dc44e3cf8136999707628f3f49ea3c5745c00d

Download Submit
C:\Windows\system\loGapqh.exe

Filesize
5.9MB

MD5
3e3e9d8e92848c09923d9fc2788891b1

SHA1
5c6bfea91f584a3168f5339c862bae2dc9525103

SHA256
d833d298adcf80169080d7324abc7bf80a4ca96f4697f5e94199045ac63ac631

SHA512
daae2e4fd782e1f18234a36e8bbd536773cac63be452d3a3f12228e5c6823249da745841b64ec53ca010a92f5e45622d1396a5be3d13c715d8c839196a260d95

Download Submit
C:\Windows\system\pRKSxIQ.exe

Filesize
5.9MB

MD5
3c3ee7f9c429484b21e4f907e3609c62

SHA1
d5b5e59b84244d9288965e48372bbc3acf911742

SHA256
e0ccbcfb8fe5580a5a6c15e667448cfe4a7cfb79a383be61e33a7cc578a9c8cd

SHA512
77aee9c7026d3a5ecf93a1fc428352c533216bd0eecde2837dd2a048aec1e3d3c3db7f9f3b09e510be9006d83748cd7ca4f32d69457115a9a98ea7a7deb9fc18

Download Submit
C:\Windows\system\ugQLMos.exe

Filesize
5.9MB

MD5
1b35a0bb000f8f656326f4cc755f0809

SHA1
76572c20743d2acae6b810d319bfdca3e69ba7c6

SHA256
97a2d3cc1dd9460e372da0e84a0bdd53a9b2795c7aa7e89834729d914268b320

SHA512
fdf6948cdcef88568a99a62521b2f174cab0b356a330a5d386f86c188a16c5e8177f6f6c2c7fdb67027db8c4f01a903006e687951931abc5333a4160f576c827

Download Submit
C:\Windows\system\yXfNVEw.exe

Filesize
5.9MB

MD5
2452234a68caa91efbba9b308c47f6fa

SHA1
4940f9115e6bd7fcf1ce3c8bcec216cceb8f6e78

SHA256
306beaeef6d7cdc74e9ba503e9d5113cd768af0d741bafbe77ac8179d6ec76e8

SHA512
f41dca3b3885719682dbdf9b8c93737e869b6174655c397ac0a36135722748549635c1d1c365dd96af65ea1306acf9fdebf83fdb8de389da93ac51f41bf67bdf

Download Submit
\Windows\system\LGkmTiJ.exe

Filesize
5.9MB

MD5
65c8dd757a21f8b0ec92a7a0ea920642

SHA1
ac366a6d77b4eef923e868e4002099ce5da68542

SHA256
f96f0b61ec22e87eda55626137979836b634383b934c1f23a5da14fbd97f4c91

SHA512
515792df37a76c1a952a4edb3735a6d85edd2558b130f94123918149f69e68c3fd7680da061a11cd4b63f7fe76dca9a365cbc226e5a97e15cdb57904f07b3a80

Download Submit
\Windows\system\aSqCMMu.exe

Filesize
5.9MB

MD5
65c86e8672c031194e6271c4ceec0c94

SHA1
31b5f086fad043d7e7cc417b7655503cfe1396e5

SHA256
2dde97fa245b3eb581982b448efc3f7c0f0d6cc72154d11a9bf0dc9b32fcfb4b

SHA512
e5d7c3491e4e8c0a01c19b5e58d99bd358cd25bbb5ab6d30b8fc61cbe7d94395ddb84f4519ed222157b70420f61c9e04e2ddc951c0d1cfaad94f7395e9186a87

Download Submit
\Windows\system\dvBcycH.exe

Filesize
5.9MB

MD5
c4c425a9847203e7b04431aea4d3d00c

SHA1
afec8015d83467c7b6e5ba7da878e5d31d86bfad

SHA256
25c1078529ec7d2fd1d6350686e3037bf0c9ea4b223d77fae7cea67200b6fc7e

SHA512
513cc696b0a7db7c99f34b896b7c291497200426f4c3705fa54f80887de11961b66ed45fd4e99176f2e677a4e37e4e403d2e9d4cbe1645f0145c1bcb2f07d310

Download Submit
\Windows\system\imrggZj.exe

Filesize
5.9MB

MD5
0d348dd50794015aca5244e30d6dd3cf

SHA1
825408b1278486e17942e04735d4d5ffc1dbc08b

SHA256
3b83930bf534777fc073c2adc0a3fddcbe4e96cbfb7f0422f1bf4f4cfc507467

SHA512
79273ab9a40b6834bd6893a5b0531bad56e7831874ee66ae284f2dc61aa8591af937b8827395def06932e2b8e4ff6d7f77b3c836d8153fa1c97d3e060ed51b41

Download Submit
\Windows\system\lxDvPUA.exe

Filesize
5.9MB

MD5
1a71ee3f0cd94db3c29c8fe52d5145f4

SHA1
a745d45ff328c7f2162f40177ebb27a220ed1224

SHA256
9c6f5713f31b4d9fb7abff0c6887b257fc1a5b8264b41f556359c2bb182eb052

SHA512
62c065fffb4d4a18c78107ee08e97455c1da45bafb510f45ffcc2bebd67e7fe3bae92cabff6a190b9d98502a546ce384433f08eabf2ca26fb67989b0628577f1

Download Submit
\Windows\system\raFUxuo.exe

Filesize
5.9MB

MD5
fa325ac460a973ec271b96201eec3c80

SHA1
0931e8f31a3827287f21718ef58bb1b552b842cd

SHA256
13921bf1258803894292c68cc1e6a8aad547f9ffd6e2267249f5e5cebf8e8676

SHA512
95ed6b60527d6bcc25969316185e77e303934edc7247d994d175516618ab4494b3d7b26ef0181a8deeb90f2b1a6f884879fd97fb90b6c7bee3fe38560d3a2df0

Download Submit
\Windows\system\sXDSyEK.exe

Filesize
5.9MB

MD5
120fdbc5e3d6efc87ed8d332c3ef7b9a

SHA1
34d755a043b60741484430561b5534b68619762d

SHA256
9d55d0961971406bf39c25efab2009d4f1490bd328f3f0d5d9cccc56bd4ec0e1

SHA512
bcc36649ee2e2b8341cffe5e1359eab0184e7ff47437825533c118eebb27bd29a05357afe94f9709c80016946a165af8d45bae3485145971dc77b5c4e7b405ce

Download Submit
\Windows\system\zNoyBbp.exe

Filesize
5.9MB

MD5
e87c153a1f3227a0d73b9489b394972a

SHA1
adbc757cc5802b33ce5a916c4fa94ec433d9e7fd

SHA256
46d0ab5cd110095ff6fe2e16a8ff071fd7f16d482ba17a97c63e48b93e3abddd

SHA512
f1da24f287590bcec8a9e341effeee691620df82bcfaaa2857a357e9c0ee512415cf9b816fa3da3d3ad9ebcc2d7a7d1ad3aedfc900f9f00d9bac8dd9fafff389

Download Submit
memory/1988-85-0x00000000024B0000-0x0000000002804000-memory.dmp

Filesize
3.3MB

Download
memory/1988-2-0x000000013F5E0000-0x000000013F934000-memory.dmp

Filesize
3.3MB

Download
memory/1988-13-0x00000000024B0000-0x0000000002804000-memory.dmp

Filesize
3.3MB

Download
memory/1988-144-0x000000013F1B0000-0x000000013F504000-memory.dmp

Filesize
3.3MB

Download
memory/1988-122-0x000000013F1B0000-0x000000013F504000-memory.dmp

Filesize
3.3MB

Download
memory/1988-61-0x00000000024B0000-0x0000000002804000-memory.dmp

Filesize
3.3MB

Download
memory/1988-51-0x000000013F9A0000-0x000000013FCF4000-memory.dmp

Filesize
3.3MB

Download
memory/1988-69-0x000000013F980000-0x000000013FCD4000-memory.dmp

Filesize
3.3MB

Download
memory/1988-141-0x000000013F050000-0x000000013F3A4000-memory.dmp

Filesize
3.3MB

Download
memory/1988-71-0x000000013FD30000-0x0000000140084000-memory.dmp

Filesize
3.3MB

Download
memory/1988-140-0x000000013FD30000-0x0000000140084000-memory.dmp

Filesize
3.3MB

Download
memory/1988-137-0x00000000024B0000-0x0000000002804000-memory.dmp

Filesize
3.3MB

Download
memory/1988-78-0x000000013F050000-0x000000013F3A4000-memory.dmp

Filesize
3.3MB

Download
memory/1988-53-0x00000000024B0000-0x0000000002804000-memory.dmp

Filesize
3.3MB

Download
memory/1988-0-0x00000000000F0000-0x0000000000100000-memory.dmp

Filesize
64KB

Download
memory/1988-41-0x00000000024B0000-0x0000000002804000-memory.dmp

Filesize
3.3MB

Download
memory/1988-68-0x000000013F5E0000-0x000000013F934000-memory.dmp

Filesize
3.3MB

Download
memory/1988-107-0x000000013FB90000-0x000000013FEE4000-memory.dmp

Filesize
3.3MB

Download
memory/1988-10-0x000000013F980000-0x000000013FCD4000-memory.dmp

Filesize
3.3MB

Download
memory/1988-100-0x000000013F270000-0x000000013F5C4000-memory.dmp

Filesize
3.3MB

Download
memory/1988-34-0x000000013FB90000-0x000000013FEE4000-memory.dmp

Filesize
3.3MB

Download
memory/1988-95-0x00000000024B0000-0x0000000002804000-memory.dmp

Filesize
3.3MB

Download
memory/2028-99-0x000000013F270000-0x000000013F5C4000-memory.dmp

Filesize
3.3MB

Download
memory/2028-143-0x000000013F270000-0x000000013F5C4000-memory.dmp

Filesize
3.3MB

Download
memory/2028-158-0x000000013F270000-0x000000013F5C4000-memory.dmp

Filesize
3.3MB

Download
memory/2192-21-0x000000013F710000-0x000000013FA64000-memory.dmp

Filesize
3.3MB

Download
memory/2192-146-0x000000013F710000-0x000000013FA64000-memory.dmp

Filesize
3.3MB

Download
memory/2372-138-0x000000013F650000-0x000000013F9A4000-memory.dmp

Filesize
3.3MB

Download
memory/2372-152-0x000000013F650000-0x000000013F9A4000-memory.dmp

Filesize
3.3MB

Download
memory/2372-55-0x000000013F650000-0x000000013F9A4000-memory.dmp

Filesize
3.3MB

Download
memory/2396-42-0x000000013F400000-0x000000013F754000-memory.dmp

Filesize
3.3MB

Download
memory/2396-150-0x000000013F400000-0x000000013F754000-memory.dmp

Filesize
3.3MB

Download
memory/2484-151-0x000000013F9A0000-0x000000013FCF4000-memory.dmp

Filesize
3.3MB

Download
memory/2484-56-0x000000013F9A0000-0x000000013FCF4000-memory.dmp

Filesize
3.3MB

Download
memory/2488-149-0x000000013FB90000-0x000000013FEE4000-memory.dmp

Filesize
3.3MB

Download
memory/2488-35-0x000000013FB90000-0x000000013FEE4000-memory.dmp

Filesize
3.3MB

Download
memory/2492-139-0x000000013F540000-0x000000013F894000-memory.dmp

Filesize
3.3MB

Download
memory/2492-153-0x000000013F540000-0x000000013F894000-memory.dmp

Filesize
3.3MB

Download
memory/2492-63-0x000000013F540000-0x000000013F894000-memory.dmp

Filesize
3.3MB

Download
memory/2604-22-0x000000013F9D0000-0x000000013FD24000-memory.dmp

Filesize
3.3MB

Download
memory/2604-147-0x000000013F9D0000-0x000000013FD24000-memory.dmp

Filesize
3.3MB

Download
memory/2612-157-0x000000013F8C0000-0x000000013FC14000-memory.dmp

Filesize
3.3MB

Download
memory/2612-142-0x000000013F8C0000-0x000000013FC14000-memory.dmp

Filesize
3.3MB

Download
memory/2612-97-0x000000013F8C0000-0x000000013FC14000-memory.dmp

Filesize
3.3MB

Download
memory/2688-148-0x000000013FF00000-0x0000000140254000-memory.dmp

Filesize
3.3MB

Download
memory/2688-33-0x000000013FF00000-0x0000000140254000-memory.dmp

Filesize
3.3MB

Download
memory/2704-156-0x000000013F8C0000-0x000000013FC14000-memory.dmp

Filesize
3.3MB

Download
memory/2704-86-0x000000013F8C0000-0x000000013FC14000-memory.dmp

Filesize
3.3MB

Download
memory/2708-79-0x000000013F050000-0x000000013F3A4000-memory.dmp

Filesize
3.3MB

Download
memory/2708-155-0x000000013F050000-0x000000013F3A4000-memory.dmp

Filesize
3.3MB

Download
memory/2980-145-0x000000013F980000-0x000000013FCD4000-memory.dmp

Filesize
3.3MB

Download
memory/2980-20-0x000000013F980000-0x000000013FCD4000-memory.dmp

Filesize
3.3MB

Download
memory/2996-154-0x000000013FD30000-0x0000000140084000-memory.dmp

Filesize
3.3MB

Download
memory/2996-72-0x000000013FD30000-0x0000000140084000-memory.dmp

Filesize
3.3MB

Download