cobaltstrike | 6b2b9dab2fa1bc859681c0693d07525ccdc7bed7af848730c4e72b1d7fd06979

Analysis

max time kernel
137s
max time network
147s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
29/05/2024, 10:33

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe
Size

8.3MB
MD5

74ba46c6e38e987c225e446df110cd23
SHA1

2c2b6bd598c096d157cb4f3ef2167c8c1efd0ae7
SHA256

6b2b9dab2fa1bc859681c0693d07525ccdc7bed7af848730c4e72b1d7fd06979
SHA512

61171c2a95b6bf24f3857c4b47bb64f192114f591403dcb7b865ef28493501b7575b2772be0c9097def516e4526349fcae026ab7f55fa705dbee08cfb3ceed79
SSDEEP

98304:MemTLkNdfE0pZb756utgpPFotBER/mQ32lUI:v+O56utgpPF8u/7I

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x000d00000001416a-3.dat	cobalt_reflective_dll
behavioral1/files/0x0033000000015cb0-10.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000015cf5-15.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015d24-25.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015d4c-63.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016c8c-65.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016cf5-77.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016ce4-71.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016cb2-62.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016cfd-87.dat	cobalt_reflective_dll
behavioral1/files/0x0033000000015cbd-91.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015d0c-28.dat	cobalt_reflective_dll
behavioral1/files/0x0009000000016c42-45.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015d44-37.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d05-97.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d1f-115.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d36-125.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d3a-128.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d32-120.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d16-110.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d0e-105.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

resource	yara_rule
behavioral1/files/0x000d00000001416a-3.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0033000000015cb0-10.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0008000000015cf5-15.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000015d24-25.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000015d4c-63.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016c8c-65.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016cf5-77.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016ce4-71.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016cb2-62.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016cfd-87.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0033000000015cbd-91.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000015d0c-28.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0009000000016c42-45.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000015d44-37.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d05-97.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d1f-115.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d36-125.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d3a-128.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d32-120.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d16-110.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d0e-105.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 53 IoCs

resource	yara_rule
behavioral1/memory/2800-0-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/files/0x000d00000001416a-3.dat	UPX
behavioral1/memory/2072-9-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/files/0x0033000000015cb0-10.dat	UPX
behavioral1/files/0x0008000000015cf5-15.dat	UPX
behavioral1/files/0x0007000000015d24-25.dat	UPX
behavioral1/memory/3060-19-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/memory/2752-46-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/memory/2008-31-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/files/0x0007000000015d4c-63.dat	UPX
behavioral1/files/0x0006000000016c8c-65.dat	UPX
behavioral1/memory/2800-69-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/memory/2360-56-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/memory/2504-54-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/memory/2528-70-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/memory/2676-66-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/files/0x0006000000016cf5-77.dat	UPX
behavioral1/memory/1804-82-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/files/0x0006000000016ce4-71.dat	UPX
behavioral1/files/0x0006000000016cb2-62.dat	UPX
behavioral1/files/0x0006000000016cfd-87.dat	UPX
behavioral1/memory/2752-92-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/files/0x0033000000015cbd-91.dat	UPX
behavioral1/files/0x0007000000015d0c-28.dat	UPX
behavioral1/files/0x0009000000016c42-45.dat	UPX
behavioral1/memory/2620-38-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/files/0x0007000000015d44-37.dat	UPX
behavioral1/files/0x0006000000016d05-97.dat	UPX
behavioral1/files/0x0006000000016d1f-115.dat	UPX
behavioral1/files/0x0006000000016d36-125.dat	UPX
behavioral1/files/0x0006000000016d3a-128.dat	UPX
behavioral1/files/0x0006000000016d32-120.dat	UPX
behavioral1/files/0x0006000000016d16-110.dat	UPX
behavioral1/files/0x0006000000016d0e-105.dat	UPX
behavioral1/memory/2444-132-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/memory/2676-133-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/memory/3040-135-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/memory/1436-136-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/memory/1960-137-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/memory/2072-138-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/memory/3060-139-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/memory/2008-140-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/memory/2620-141-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/memory/2360-142-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/memory/2504-143-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/memory/2752-144-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/memory/2676-145-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/memory/2528-146-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/memory/2444-147-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/memory/1804-148-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/memory/3040-149-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/memory/1960-150-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/memory/1436-151-0x0000000140000000-0x0000000140352000-memory.dmp	UPX

XMRig Miner payload 56 IoCs

miner

resource	yara_rule
behavioral1/memory/2800-0-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/files/0x000d00000001416a-3.dat	xmrig
behavioral1/memory/2072-9-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/files/0x0033000000015cb0-10.dat	xmrig
behavioral1/files/0x0008000000015cf5-15.dat	xmrig
behavioral1/files/0x0007000000015d24-25.dat	xmrig
behavioral1/memory/3060-19-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/memory/2752-46-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/memory/2008-31-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/files/0x0007000000015d4c-63.dat	xmrig
behavioral1/files/0x0006000000016c8c-65.dat	xmrig
behavioral1/memory/2800-69-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/memory/2800-57-0x0000000002560000-0x00000000028B2000-memory.dmp	xmrig
behavioral1/memory/2360-56-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/memory/2504-54-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/memory/2528-70-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/memory/2676-66-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/files/0x0006000000016cf5-77.dat	xmrig
behavioral1/memory/1804-82-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/files/0x0006000000016ce4-71.dat	xmrig
behavioral1/files/0x0006000000016cb2-62.dat	xmrig
behavioral1/files/0x0006000000016cfd-87.dat	xmrig
behavioral1/memory/2752-92-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/files/0x0033000000015cbd-91.dat	xmrig
behavioral1/memory/2800-93-0x0000000002560000-0x00000000028B2000-memory.dmp	xmrig
behavioral1/files/0x0007000000015d0c-28.dat	xmrig
behavioral1/files/0x0009000000016c42-45.dat	xmrig
behavioral1/memory/2620-38-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/files/0x0007000000015d44-37.dat	xmrig
behavioral1/files/0x0006000000016d05-97.dat	xmrig
behavioral1/memory/2800-102-0x0000000002560000-0x00000000028B2000-memory.dmp	xmrig
behavioral1/files/0x0006000000016d1f-115.dat	xmrig
behavioral1/files/0x0006000000016d36-125.dat	xmrig
behavioral1/files/0x0006000000016d3a-128.dat	xmrig
behavioral1/files/0x0006000000016d32-120.dat	xmrig
behavioral1/files/0x0006000000016d16-110.dat	xmrig
behavioral1/files/0x0006000000016d0e-105.dat	xmrig
behavioral1/memory/2444-132-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/memory/2676-133-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/memory/3040-135-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/memory/1436-136-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/memory/1960-137-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/memory/2072-138-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/memory/3060-139-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/memory/2008-140-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/memory/2620-141-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/memory/2360-142-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/memory/2504-143-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/memory/2752-144-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/memory/2676-145-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/memory/2528-146-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/memory/2444-147-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/memory/1804-148-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/memory/3040-149-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/memory/1960-150-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/memory/1436-151-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2072	pFYgOrc.exe
3060	FQmaAsV.exe
2008	CHlZoHf.exe
2620	MAjJPzH.exe
2752	hRQQgGO.exe
2360	UHbINPl.exe
2504	khsmIWU.exe
2444	dnDmQdZ.exe
2676	hDahFoi.exe
2528	FtNcWQZ.exe
3040	tmmOfUo.exe
1804	RnylFGY.exe
1436	LDyGmdm.exe
1960	TljGzFX.exe
2368	DBLUJmZ.exe
1816	SyUvRVU.exe
2376	fBPaiBS.exe
376	gIYqxGd.exe
1828	cipSYBD.exe
1676	vHSLksv.exe
2348	iOlbfMK.exe

Loads dropped DLL 21 IoCs

pid	Process
2800	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe
2800	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe
2800	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe
2800	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe
2800	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe
2800	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe
2800	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe
2800	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe
2800	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe
2800	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe
2800	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe
2800	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe
2800	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe
2800	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe
2800	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe
2800	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe
2800	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe
2800	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe
2800	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe
2800	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe
2800	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe

UPX packed file 53 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2800-0-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/files/0x000d00000001416a-3.dat	upx
behavioral1/memory/2072-9-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/files/0x0033000000015cb0-10.dat	upx
behavioral1/files/0x0008000000015cf5-15.dat	upx
behavioral1/files/0x0007000000015d24-25.dat	upx
behavioral1/memory/3060-19-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/memory/2752-46-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/memory/2008-31-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/files/0x0007000000015d4c-63.dat	upx
behavioral1/files/0x0006000000016c8c-65.dat	upx
behavioral1/memory/2800-69-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/memory/2360-56-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/memory/2504-54-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/memory/2528-70-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/memory/2676-66-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/files/0x0006000000016cf5-77.dat	upx
behavioral1/memory/1804-82-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/files/0x0006000000016ce4-71.dat	upx
behavioral1/files/0x0006000000016cb2-62.dat	upx
behavioral1/files/0x0006000000016cfd-87.dat	upx
behavioral1/memory/2752-92-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/files/0x0033000000015cbd-91.dat	upx
behavioral1/files/0x0007000000015d0c-28.dat	upx
behavioral1/files/0x0009000000016c42-45.dat	upx
behavioral1/memory/2620-38-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/files/0x0007000000015d44-37.dat	upx
behavioral1/files/0x0006000000016d05-97.dat	upx
behavioral1/files/0x0006000000016d1f-115.dat	upx
behavioral1/files/0x0006000000016d36-125.dat	upx
behavioral1/files/0x0006000000016d3a-128.dat	upx
behavioral1/files/0x0006000000016d32-120.dat	upx
behavioral1/files/0x0006000000016d16-110.dat	upx
behavioral1/files/0x0006000000016d0e-105.dat	upx
behavioral1/memory/2444-132-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/memory/2676-133-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/memory/3040-135-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/memory/1436-136-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/memory/1960-137-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/memory/2072-138-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/memory/3060-139-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/memory/2008-140-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/memory/2620-141-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/memory/2360-142-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/memory/2504-143-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/memory/2752-144-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/memory/2676-145-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/memory/2528-146-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/memory/2444-147-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/memory/1804-148-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/memory/3040-149-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/memory/1960-150-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/memory/1436-151-0x0000000140000000-0x0000000140352000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\FQmaAsV.exe	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\vHSLksv.exe	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\dnDmQdZ.exe	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\RnylFGY.exe	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\SyUvRVU.exe	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\fBPaiBS.exe	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\gIYqxGd.exe	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\MAjJPzH.exe	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\hRQQgGO.exe	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\hDahFoi.exe	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\cipSYBD.exe	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\tmmOfUo.exe	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\iOlbfMK.exe	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\CHlZoHf.exe	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\khsmIWU.exe	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\FtNcWQZ.exe	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\TljGzFX.exe	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\DBLUJmZ.exe	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\pFYgOrc.exe	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\UHbINPl.exe	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\LDyGmdm.exe	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2800	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	2800	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2800 wrote to memory of 2072	2800	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe	29
PID 2800 wrote to memory of 2072	2800	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe	29
PID 2800 wrote to memory of 2072	2800	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe	29
PID 2800 wrote to memory of 3060	2800	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe	30
PID 2800 wrote to memory of 3060	2800	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe	30
PID 2800 wrote to memory of 3060	2800	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe	30
PID 2800 wrote to memory of 2008	2800	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe	31
PID 2800 wrote to memory of 2008	2800	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe	31
PID 2800 wrote to memory of 2008	2800	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe	31
PID 2800 wrote to memory of 2620	2800	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe	32
PID 2800 wrote to memory of 2620	2800	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe	32
PID 2800 wrote to memory of 2620	2800	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe	32
PID 2800 wrote to memory of 2752	2800	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe	33
PID 2800 wrote to memory of 2752	2800	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe	33
PID 2800 wrote to memory of 2752	2800	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe	33
PID 2800 wrote to memory of 2360	2800	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe	34
PID 2800 wrote to memory of 2360	2800	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe	34
PID 2800 wrote to memory of 2360	2800	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe	34
PID 2800 wrote to memory of 2676	2800	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe	35
PID 2800 wrote to memory of 2676	2800	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe	35
PID 2800 wrote to memory of 2676	2800	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe	35
PID 2800 wrote to memory of 2504	2800	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe	36
PID 2800 wrote to memory of 2504	2800	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe	36
PID 2800 wrote to memory of 2504	2800	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe	36
PID 2800 wrote to memory of 2528	2800	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe	37
PID 2800 wrote to memory of 2528	2800	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe	37
PID 2800 wrote to memory of 2528	2800	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe	37
PID 2800 wrote to memory of 2444	2800	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe	38
PID 2800 wrote to memory of 2444	2800	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe	38
PID 2800 wrote to memory of 2444	2800	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe	38
PID 2800 wrote to memory of 3040	2800	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe	39
PID 2800 wrote to memory of 3040	2800	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe	39
PID 2800 wrote to memory of 3040	2800	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe	39
PID 2800 wrote to memory of 1804	2800	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe	40
PID 2800 wrote to memory of 1804	2800	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe	40
PID 2800 wrote to memory of 1804	2800	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe	40
PID 2800 wrote to memory of 1436	2800	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe	41
PID 2800 wrote to memory of 1436	2800	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe	41
PID 2800 wrote to memory of 1436	2800	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe	41
PID 2800 wrote to memory of 1960	2800	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe	42
PID 2800 wrote to memory of 1960	2800	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe	42
PID 2800 wrote to memory of 1960	2800	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe	42
PID 2800 wrote to memory of 2368	2800	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe	43
PID 2800 wrote to memory of 2368	2800	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe	43
PID 2800 wrote to memory of 2368	2800	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe	43
PID 2800 wrote to memory of 1816	2800	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe	44
PID 2800 wrote to memory of 1816	2800	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe	44
PID 2800 wrote to memory of 1816	2800	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe	44
PID 2800 wrote to memory of 2376	2800	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe	45
PID 2800 wrote to memory of 2376	2800	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe	45
PID 2800 wrote to memory of 2376	2800	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe	45
PID 2800 wrote to memory of 376	2800	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe	46
PID 2800 wrote to memory of 376	2800	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe	46
PID 2800 wrote to memory of 376	2800	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe	46
PID 2800 wrote to memory of 1828	2800	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe	47
PID 2800 wrote to memory of 1828	2800	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe	47
PID 2800 wrote to memory of 1828	2800	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe	47
PID 2800 wrote to memory of 1676	2800	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe	48
PID 2800 wrote to memory of 1676	2800	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe	48
PID 2800 wrote to memory of 1676	2800	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe	48
PID 2800 wrote to memory of 2348	2800	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe	49
PID 2800 wrote to memory of 2348	2800	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe	49
PID 2800 wrote to memory of 2348	2800	2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe	49

C:\Users\Admin\AppData\Local\Temp\2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-29_74ba46c6e38e987c225e446df110cd23_cobalt-strike_cobaltstrike.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2800
- C:\Windows\System\pFYgOrc.exe
  C:\Windows\System\pFYgOrc.exe
  2⤵
  - Executes dropped EXE
  PID:2072
- C:\Windows\System\FQmaAsV.exe
  C:\Windows\System\FQmaAsV.exe
  2⤵
  - Executes dropped EXE
  PID:3060
- C:\Windows\System\CHlZoHf.exe
  C:\Windows\System\CHlZoHf.exe
  2⤵
  - Executes dropped EXE
  PID:2008
- C:\Windows\System\MAjJPzH.exe
  C:\Windows\System\MAjJPzH.exe
  2⤵
  - Executes dropped EXE
  PID:2620
- C:\Windows\System\hRQQgGO.exe
  C:\Windows\System\hRQQgGO.exe
  2⤵
  - Executes dropped EXE
  PID:2752
- C:\Windows\System\UHbINPl.exe
  C:\Windows\System\UHbINPl.exe
  2⤵
  - Executes dropped EXE
  PID:2360
- C:\Windows\System\hDahFoi.exe
  C:\Windows\System\hDahFoi.exe
  2⤵
  - Executes dropped EXE
  PID:2676
- C:\Windows\System\khsmIWU.exe
  C:\Windows\System\khsmIWU.exe
  2⤵
  - Executes dropped EXE
  PID:2504
- C:\Windows\System\FtNcWQZ.exe
  C:\Windows\System\FtNcWQZ.exe
  2⤵
  - Executes dropped EXE
  PID:2528
- C:\Windows\System\dnDmQdZ.exe
  C:\Windows\System\dnDmQdZ.exe
  2⤵
  - Executes dropped EXE
  PID:2444
- C:\Windows\System\tmmOfUo.exe
  C:\Windows\System\tmmOfUo.exe
  2⤵
  - Executes dropped EXE
  PID:3040
- C:\Windows\System\RnylFGY.exe
  C:\Windows\System\RnylFGY.exe
  2⤵
  - Executes dropped EXE
  PID:1804
- C:\Windows\System\LDyGmdm.exe
  C:\Windows\System\LDyGmdm.exe
  2⤵
  - Executes dropped EXE
  PID:1436
- C:\Windows\System\TljGzFX.exe
  C:\Windows\System\TljGzFX.exe
  2⤵
  - Executes dropped EXE
  PID:1960
- C:\Windows\System\DBLUJmZ.exe
  C:\Windows\System\DBLUJmZ.exe
  2⤵
  - Executes dropped EXE
  PID:2368
- C:\Windows\System\SyUvRVU.exe
  C:\Windows\System\SyUvRVU.exe
  2⤵
  - Executes dropped EXE
  PID:1816
- C:\Windows\System\fBPaiBS.exe
  C:\Windows\System\fBPaiBS.exe
  2⤵
  - Executes dropped EXE
  PID:2376
- C:\Windows\System\gIYqxGd.exe
  C:\Windows\System\gIYqxGd.exe
  2⤵
  - Executes dropped EXE
  PID:376
- C:\Windows\System\cipSYBD.exe
  C:\Windows\System\cipSYBD.exe
  2⤵
  - Executes dropped EXE
  PID:1828
- C:\Windows\System\vHSLksv.exe
  C:\Windows\System\vHSLksv.exe
  2⤵
  - Executes dropped EXE
  PID:1676
- C:\Windows\System\iOlbfMK.exe
  C:\Windows\System\iOlbfMK.exe
  2⤵
  - Executes dropped EXE
  PID:2348

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\DBLUJmZ.exe

Filesize
8.3MB

MD5
cabf8660494f71110d2e72790495fb1f

SHA1
b4af2134a4aaa03e075b131ddf6d78c01131f17a

SHA256
cb1065c1ae368551431da52c2d495b9491fe02314ee395ce5742804473ada3b6

SHA512
572c5c26ef4ef6f79f6f18907b5fa04368fbe84b5dc7865de2ae6ba877bc92532cb3400499ab742ab1e39cf6938ee7c67bb0982da0e5e782f73a9aa77263e51f

Download Submit
C:\Windows\system\FtNcWQZ.exe

Filesize
8.3MB

MD5
a19b734b384b6fc5c6ee24b47c2358c5

SHA1
ca1db02a7da4673e783b0b98dbbb86a91b3613de

SHA256
9c077d0b04ea26622ee85ca9dda7fc3f1563264a2796dec1201f2de0481b395a

SHA512
3273e3c6a4dea8d35b56882e3c82cba27b580b34bfa0b328cd4b060eaef3ef130575a5d1728f8768f9388e320448f6ed3b1b125dd3fefe4684a6dcbdf4dbd305

Download Submit
C:\Windows\system\LDyGmdm.exe

Filesize
8.3MB

MD5
c58adb43ba3c2c51a007ca0a1547b6f2

SHA1
2fc5564ef3a13a20f287c3916c620430e4d33906

SHA256
bb1e91b22035972ec32a15a2ebcb9905063306285ea9f222affc19bedbd8f882

SHA512
9509724a60bbe7ab9e2c27314be12c19b7777aee33dd78d229ff9687ed6e4a2f684d261cc07bfb2848bd7c35eeda099edd609352e734aee1a6c6e8cd58b2587b

Download Submit
C:\Windows\system\MAjJPzH.exe

Filesize
8.3MB

MD5
70983ab4361efa907aef95b50294af0c

SHA1
ed7f282ddc56e609e7e20ef347837014fe0b782e

SHA256
f315d86178867ae08bbf864063c0e39f78eda5cd39e988f88d22afd8b17a7648

SHA512
40e20560980657f7b85a05f89a8104f3bdac8318e1568880958fd0136838d7fa664addb393a7087cd7752287607512f1678496171db0696d0a9af0df665883ce

Download Submit
C:\Windows\system\RnylFGY.exe

Filesize
8.3MB

MD5
fbb1a4cd25a9f68dde2f3affbe1ca154

SHA1
34b606e12fa2e836160ce9a9f12fa1b3afd048be

SHA256
fc024d5e128fe2e17815cf09a36186a8b349cb097f056ff6425319e81e8ade5e

SHA512
3391dd263c57257f3f1c32f9811852e236b8f9636bf3a5d2e48dce4c923147c4c8d2b16570dffb861721bded76ab015dd79fe05011d7c4be4ae9d2808197e0ae

Download Submit
C:\Windows\system\SyUvRVU.exe

Filesize
8.3MB

MD5
2d323face91c0547e2428401f318fc0b

SHA1
3fe93510a67b1dc1efb913554376df3c29c99d0d

SHA256
53a450a17576df206be73c93fbaae30e16dfe283f3b5553055986b4e4052e245

SHA512
b60bee968e886d026395d8b7b91174ce9fcf25d83d365b35a1431723935876bbf6056e38653fbe052c3ea000b7efd2829b658c920684c15b065d483be99aaa8a

Download Submit
C:\Windows\system\TljGzFX.exe

Filesize
8.3MB

MD5
96a6c11792eb094c3c8e0a0b37e67336

SHA1
f5d407267821501d649ea009c4874262380787e4

SHA256
d4fe4201a6663991ce39f85e6d31d64418b6b109b32226c5bfb801ff27a5d005

SHA512
d7a09cd2225d69d513293c2ec50d85c63a09173c23b92d80e9bcf8263d0ce22e9a7191f06b4eba4176f48cef80de768f32de90c919bd37c692ff02d08427015a

Download Submit
C:\Windows\system\UHbINPl.exe

Filesize
8.3MB

MD5
7db3df8b7f551cb71096647fe2248e6c

SHA1
600b207bdc3c9f4e059acbfd08d747dbcc1eeeb9

SHA256
173189d6f325db11e60cf8def47082cf69c52d53b4ca688569eb5ccbd532dc51

SHA512
0aeb0ef16f6d1bbf4073266f200f51b3e8745dba6b2a42bf96c259fa63a0e733e4200db2b0701dda5df654016189cf44166b8c33a7eca9cfdbd6770a0611c4d5

Download Submit
C:\Windows\system\cipSYBD.exe

Filesize
8.3MB

MD5
561b8b926f03d20d125dbf539ee50652

SHA1
95b1dc40b4b2b863508109d79b4dc495e1aa6544

SHA256
6da6cbedf67eafe4b9149a543100b0f16647ce5716b210d71dda2f2044bc84fa

SHA512
38cbd0f8603f556cd6bf05d004dfa43462d4ce4cfd62584143d2ccbd64331810d6fbedfb8e102bf108bfb14e62ec839d6f27b23d4f08ad6a53fe5e3b42a9523a

Download Submit
C:\Windows\system\dnDmQdZ.exe

Filesize
8.3MB

MD5
9f84138e4e434bd0c2389f566700ab8f

SHA1
e9e8af2b3364d5226908ad8022852eb3332e83b6

SHA256
f459be7878061ce07c29d70f44d9e2f3a74bc826947f12122bf211bd943135e6

SHA512
2303965bdc0ae4d34f7c12854fd6fdb6430f2503e147f762b6c5d81be53d7046c0835c56979fe0796033dfbf5bdd9f457cd2ccf5cd3c542c15c38bedeae693a1

Download Submit
C:\Windows\system\fBPaiBS.exe

Filesize
8.3MB

MD5
cd8a178720d440b6e01708998fe9c9d3

SHA1
6f8043c66278f3557833e77a42b102bfdafdfb7a

SHA256
156d6d447c40f252d76cb00ad8f5f02a96189ba6b707188a546138499d4129cd

SHA512
e77cdade3b81b21cee9645bbcc4331d050e2391cb65d86dcefaa2607478ea3d2053ebb2a7d72452854bd2f0324a5007803f067962792f1f22b1e126811b3ac17

Download Submit
C:\Windows\system\gIYqxGd.exe

Filesize
8.3MB

MD5
19410f6fed1e30606ab90561968fd8b7

SHA1
8832836ceff15ac457462486280ec99ece17312d

SHA256
67547ef6e2552a7825fc730985d05a56055f7cf7f5212d9c039ab7be9cf7597f

SHA512
8328cc28eda2b0c9d0c265d4a9743152296bc779d197a102cae3c37b78c737cfbf7c49a238544139cd63baab90936a1fe9a3c575d03db4ac2848e08066687012

Download Submit
C:\Windows\system\hDahFoi.exe

Filesize
8.3MB

MD5
37bc7a99fae57a6f448a2759dd6d85f3

SHA1
7ba33830a61c906cc4411c7bc6787d1429f077b3

SHA256
2be01cc0c94dc302666c8293cff9db7eb1db14b1a6e4e15526a39ab07ad4b141

SHA512
17c160c3a2d3b7ff15d1dd29ecbf5e52d51cc955a5e56bc63aabc7172eac6c0a07a5108d56d10e0432519a9dd9e946088078a64076192d1cffa93f87f6f4dccf

Download Submit
C:\Windows\system\khsmIWU.exe

Filesize
8.3MB

MD5
706dcc8804861642725c45590123d90e

SHA1
0ebb75a6261c0b53088395094e1f084050d32bb8

SHA256
87a3883eb76fa0e71c97735b9c159d3d4fd8235fe9ce0cb7644bdf229af4385c

SHA512
b94e7087c8098f28090514d4b4f589211c40584e6b2cabb630c0f129dfeda8eed565aafb5162c5e37fc49388f3bf4dacb46cea286405643694b1a2d9c873bae6

Download Submit
C:\Windows\system\vHSLksv.exe

Filesize
8.3MB

MD5
20521e3b4d8f6c26d1856176ee5f8fe5

SHA1
b9f249112be563383363bbf498ba9073b2b286ad

SHA256
d8183d890ee3d73e1ce75596dca9e6ee40dbc68ee31006cab74b2f184cd83bff

SHA512
c740ed2f4a3119fc68eb879852daebbbf24f865cbdaca75d6bac9a6bb938083673de7ef6be2a44ba5aa752c531fde4610d3bc851e06e0c25c4a830322680d3ba

Download Submit
\Windows\system\CHlZoHf.exe

Filesize
8.3MB

MD5
64259839b339fd1f0f329f343a360af9

SHA1
2dbb05642576034cd74557e1a9b6907c5f34b0e7

SHA256
cc942821a56d4573bbc1b8e43ef4bc523546d7355b6db2b40106deaae846a07f

SHA512
47ba161fa785050f0104635326a4d8de73f9192d447392e987e417113cd2144e8ffafc345e49e959e7c115b1449133d486a7f33657b6deca9d9d97bc298ca69d

Download Submit
\Windows\system\FQmaAsV.exe

Filesize
8.3MB

MD5
d7b5719ab6a7a45c230ba760732fa597

SHA1
c88536c9d34c9ed70b6069d0a068920fe00e77d3

SHA256
d68be608e2b2e333ab389b649eef9b8c2785b0ee645d1db93b2a06f11f78a01c

SHA512
8ff3534cbf461a97865935a52f56aa7eea73c86c21556d824e32ed4a752767be65ca3dd42ffbba229ed9c079325cc4310d6849a8e9e90e2cd11f75b278a6d021

Download Submit
\Windows\system\hRQQgGO.exe

Filesize
8.3MB

MD5
83bc90e22f0415eddcd80b3248370cb2

SHA1
12e5d3b12ef0b275a8965e6a82bd4ba3e2abf103

SHA256
1d99e6c2a5395d51c0a012b90dd4f23aad3e8b26f4b8da8770f7cd6b2edc6bdc

SHA512
492ce9a0bab8da23b8d2f7ce56911594102698a4ff9c641a76b222813a7adf9539c2d9071912610ff00d5f401bff0bab67bcea9eb1ac6fee7b93021e2daad29a

Download Submit
\Windows\system\iOlbfMK.exe

Filesize
8.3MB

MD5
843edb2275d4ff0c96148ffc3bb0bac1

SHA1
26fdcdc7961f152f0b8267f2f37f10385aef9b84

SHA256
dec8d3414b572443c088b0cccea2cc8b4c48d49d2a65d3d59addec2b374c19aa

SHA512
bec24f2cd7258fd6c4fc5a51b16da87521a88a6c29f81caee90eb31a50840c3a4fd7f83a9c78a4e8e05b22defcd8002a1bdae1a802b21f567eae473d71a27d45

Download Submit
\Windows\system\pFYgOrc.exe

Filesize
8.3MB

MD5
2fd80effd3994ce7d630226059e4bd33

SHA1
e0aa80af05d7ac59bd97f0211440f792d69fc557

SHA256
0e63d12275edec3c9df9c44f700d1c0d5cfd06602c4b3a7b3e4a6b38d930c12a

SHA512
97ab2fa54e5b511f4b5855c5e107f6b807e32a68f20070a3f2043cc0e9637d0ef4c41e67c6524af226036938ef39d6af2a5249ac54b4986441f3f55bc78aa393

Download Submit
\Windows\system\tmmOfUo.exe

Filesize
8.3MB

MD5
1dce06de4af599d0691e5c5829d5e284

SHA1
85bd0eed082442bfaea8f0473a64bc341a7ae1d7

SHA256
40f45d3bad0ba5b3100b5b4b7fc520ad7ffcc0afc47377d2c0140ebd84f0582a

SHA512
9ed96a0d80f731d499a937df02796ab5ef6228148362cb5d25abe24a874acab8cddccc5e6fdaf9301ff66efc1bc7731d96b1eef851c5be2e70006a31c02b2f0f

Download Submit
memory/1436-136-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/1436-151-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/1804-82-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/1804-148-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/1960-137-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/1960-150-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/2008-140-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/2008-31-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/2072-9-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/2072-138-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/2360-142-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/2360-56-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/2444-147-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/2444-132-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/2504-54-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/2504-143-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/2528-70-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/2528-146-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/2620-38-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/2620-141-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/2676-133-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/2676-66-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/2676-145-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/2752-92-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/2752-144-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/2752-46-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/2800-60-0x0000000002560000-0x00000000028B2000-memory.dmp

Filesize
3.3MB

Download
memory/2800-78-0x0000000002560000-0x00000000028B2000-memory.dmp

Filesize
3.3MB

Download
memory/2800-35-0x0000000002560000-0x00000000028B2000-memory.dmp

Filesize
3.3MB

Download
memory/2800-1-0x00000000003F0000-0x0000000000400000-memory.dmp

Filesize
64KB

Download
memory/2800-134-0x0000000002560000-0x00000000028B2000-memory.dmp

Filesize
3.3MB

Download
memory/2800-29-0x0000000002560000-0x00000000028B2000-memory.dmp

Filesize
3.3MB

Download
memory/2800-0-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/2800-93-0x0000000002560000-0x00000000028B2000-memory.dmp

Filesize
3.3MB

Download
memory/2800-7-0x0000000002560000-0x00000000028B2000-memory.dmp

Filesize
3.3MB

Download
memory/2800-88-0x0000000002560000-0x00000000028B2000-memory.dmp

Filesize
3.3MB

Download
memory/2800-81-0x0000000002560000-0x00000000028B2000-memory.dmp

Filesize
3.3MB

Download
memory/2800-102-0x0000000002560000-0x00000000028B2000-memory.dmp

Filesize
3.3MB

Download
memory/2800-52-0x0000000002560000-0x00000000028B2000-memory.dmp

Filesize
3.3MB

Download
memory/2800-57-0x0000000002560000-0x00000000028B2000-memory.dmp

Filesize
3.3MB

Download
memory/2800-69-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/2800-47-0x0000000002560000-0x00000000028B2000-memory.dmp

Filesize
3.3MB

Download
memory/2800-24-0x0000000002560000-0x00000000028B2000-memory.dmp

Filesize
3.3MB

Download
memory/3040-149-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/3040-135-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/3060-19-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/3060-139-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download