cobaltstrike | 064250b58dc8990048c949e03326d4289a6fa66036eeb42b8f028a9b098b9a65

Analysis

max time kernel
137s
max time network
152s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
29/05/2024, 14:26

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-05-29_2886cecbde358d0d97f44182c8f98d59_cobalt-strike_cobaltstrike.exe
Size

5.9MB
MD5

2886cecbde358d0d97f44182c8f98d59
SHA1

8509d2a09661406dd6344b1a90f003371df9f0a0
SHA256

064250b58dc8990048c949e03326d4289a6fa66036eeb42b8f028a9b098b9a65
SHA512

6ca4f4fba18610307518f14695cd132595cde76a35d7df295932a9b7c2cd2ab349f8951ba7fa9c3f465aeb154128e5f10a7e51710208a9e1c3c3eb9af3e663ec
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUh:Q+856utgpPF8u/7h

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x00090000000143d1-6.dat	cobalt_reflective_dll
behavioral1/files/0x002c00000001450f-11.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000014909-20.dat	cobalt_reflective_dll
behavioral1/files/0x0009000000014a94-34.dat	cobalt_reflective_dll
behavioral1/files/0x00060000000167db-111.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016cd4-92.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d01-103.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016ca9-84.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016c23-75.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016c10-64.dat	cobalt_reflective_dll
behavioral1/files/0x000f00000001466c-57.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016b5e-54.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d11-110.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016cf0-101.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016ccf-91.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016c90-83.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016c1a-73.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016b96-61.dat	cobalt_reflective_dll
behavioral1/files/0x0009000000014aec-44.dat	cobalt_reflective_dll
behavioral1/files/0x0009000000015a98-42.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000014a55-28.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

resource	yara_rule
behavioral1/files/0x00090000000143d1-6.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x002c00000001450f-11.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0008000000014909-20.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0009000000014a94-34.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x00060000000167db-111.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016cd4-92.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d01-103.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016ca9-84.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016c23-75.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016c10-64.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x000f00000001466c-57.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016b5e-54.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d11-110.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016cf0-101.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016ccf-91.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016c90-83.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016c1a-73.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016b96-61.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0009000000014aec-44.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0009000000015a98-42.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000014a55-28.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 48 IoCs

resource	yara_rule
behavioral1/memory/1612-0-0x000000013F990000-0x000000013FCE4000-memory.dmp	UPX
behavioral1/files/0x00090000000143d1-6.dat	UPX
behavioral1/files/0x002c00000001450f-11.dat	UPX
behavioral1/memory/2112-14-0x000000013FCB0000-0x0000000140004000-memory.dmp	UPX
behavioral1/files/0x0008000000014909-20.dat	UPX
behavioral1/files/0x0009000000014a94-34.dat	UPX
behavioral1/files/0x00060000000167db-111.dat	UPX
behavioral1/files/0x0006000000016cd4-92.dat	UPX
behavioral1/memory/1728-133-0x000000013F280000-0x000000013F5D4000-memory.dmp	UPX
behavioral1/memory/1524-132-0x000000013F9D0000-0x000000013FD24000-memory.dmp	UPX
behavioral1/files/0x0006000000016d01-103.dat	UPX
behavioral1/files/0x0006000000016ca9-84.dat	UPX
behavioral1/memory/2460-79-0x000000013F0B0000-0x000000013F404000-memory.dmp	UPX
behavioral1/files/0x0006000000016c23-75.dat	UPX
behavioral1/files/0x0006000000016c10-64.dat	UPX
behavioral1/files/0x000f00000001466c-57.dat	UPX
behavioral1/files/0x0006000000016b5e-54.dat	UPX
behavioral1/memory/1612-134-0x000000013F990000-0x000000013FCE4000-memory.dmp	UPX
behavioral1/memory/2104-129-0x000000013F3B0000-0x000000013F704000-memory.dmp	UPX
behavioral1/files/0x0006000000016d11-110.dat	UPX
behavioral1/memory/2560-102-0x000000013FA50000-0x000000013FDA4000-memory.dmp	UPX
behavioral1/files/0x0006000000016cf0-101.dat	UPX
behavioral1/files/0x0006000000016ccf-91.dat	UPX
behavioral1/memory/2672-90-0x000000013FF50000-0x00000001402A4000-memory.dmp	UPX
behavioral1/files/0x0006000000016c90-83.dat	UPX
behavioral1/files/0x0006000000016c1a-73.dat	UPX
behavioral1/memory/2476-71-0x000000013F670000-0x000000013F9C4000-memory.dmp	UPX
behavioral1/files/0x0006000000016b96-61.dat	UPX
behavioral1/memory/2648-29-0x000000013FB60000-0x000000013FEB4000-memory.dmp	UPX
behavioral1/files/0x0009000000014aec-44.dat	UPX
behavioral1/memory/2704-43-0x000000013FE50000-0x00000001401A4000-memory.dmp	UPX
behavioral1/files/0x0009000000015a98-42.dat	UPX
behavioral1/files/0x0007000000014a55-28.dat	UPX
behavioral1/memory/2084-26-0x000000013F190000-0x000000013F4E4000-memory.dmp	UPX
behavioral1/memory/2700-15-0x000000013F3A0000-0x000000013F6F4000-memory.dmp	UPX
behavioral1/memory/2648-136-0x000000013FB60000-0x000000013FEB4000-memory.dmp	UPX
behavioral1/memory/2112-138-0x000000013FCB0000-0x0000000140004000-memory.dmp	UPX
behavioral1/memory/2700-139-0x000000013F3A0000-0x000000013F6F4000-memory.dmp	UPX
behavioral1/memory/2084-140-0x000000013F190000-0x000000013F4E4000-memory.dmp	UPX
behavioral1/memory/2648-141-0x000000013FB60000-0x000000013FEB4000-memory.dmp	UPX
behavioral1/memory/2704-142-0x000000013FE50000-0x00000001401A4000-memory.dmp	UPX
behavioral1/memory/2460-143-0x000000013F0B0000-0x000000013F404000-memory.dmp	UPX
behavioral1/memory/2672-144-0x000000013FF50000-0x00000001402A4000-memory.dmp	UPX
behavioral1/memory/2476-145-0x000000013F670000-0x000000013F9C4000-memory.dmp	UPX
behavioral1/memory/2560-146-0x000000013FA50000-0x000000013FDA4000-memory.dmp	UPX
behavioral1/memory/2104-147-0x000000013F3B0000-0x000000013F704000-memory.dmp	UPX
behavioral1/memory/1728-148-0x000000013F280000-0x000000013F5D4000-memory.dmp	UPX
behavioral1/memory/1524-149-0x000000013F9D0000-0x000000013FD24000-memory.dmp	UPX

XMRig Miner payload 53 IoCs

miner

resource	yara_rule
behavioral1/memory/1612-0-0x000000013F990000-0x000000013FCE4000-memory.dmp	xmrig
behavioral1/files/0x00090000000143d1-6.dat	xmrig
behavioral1/files/0x002c00000001450f-11.dat	xmrig
behavioral1/memory/2112-14-0x000000013FCB0000-0x0000000140004000-memory.dmp	xmrig
behavioral1/files/0x0008000000014909-20.dat	xmrig
behavioral1/memory/1612-16-0x000000013F3A0000-0x000000013F6F4000-memory.dmp	xmrig
behavioral1/files/0x0009000000014a94-34.dat	xmrig
behavioral1/files/0x00060000000167db-111.dat	xmrig
behavioral1/files/0x0006000000016cd4-92.dat	xmrig
behavioral1/memory/1728-133-0x000000013F280000-0x000000013F5D4000-memory.dmp	xmrig
behavioral1/memory/1524-132-0x000000013F9D0000-0x000000013FD24000-memory.dmp	xmrig
behavioral1/files/0x0006000000016d01-103.dat	xmrig
behavioral1/files/0x0006000000016ca9-84.dat	xmrig
behavioral1/memory/2460-79-0x000000013F0B0000-0x000000013F404000-memory.dmp	xmrig
behavioral1/files/0x0006000000016c23-75.dat	xmrig
behavioral1/files/0x0006000000016c10-64.dat	xmrig
behavioral1/files/0x000f00000001466c-57.dat	xmrig
behavioral1/files/0x0006000000016b5e-54.dat	xmrig
behavioral1/memory/1612-134-0x000000013F990000-0x000000013FCE4000-memory.dmp	xmrig
behavioral1/memory/1612-130-0x0000000002320000-0x0000000002674000-memory.dmp	xmrig
behavioral1/memory/2104-129-0x000000013F3B0000-0x000000013F704000-memory.dmp	xmrig
behavioral1/files/0x0006000000016d11-110.dat	xmrig
behavioral1/memory/1612-108-0x0000000002320000-0x0000000002674000-memory.dmp	xmrig
behavioral1/memory/2560-102-0x000000013FA50000-0x000000013FDA4000-memory.dmp	xmrig
behavioral1/files/0x0006000000016cf0-101.dat	xmrig
behavioral1/memory/1612-100-0x000000013F470000-0x000000013F7C4000-memory.dmp	xmrig
behavioral1/files/0x0006000000016ccf-91.dat	xmrig
behavioral1/memory/2672-90-0x000000013FF50000-0x00000001402A4000-memory.dmp	xmrig
behavioral1/files/0x0006000000016c90-83.dat	xmrig
behavioral1/files/0x0006000000016c1a-73.dat	xmrig
behavioral1/memory/2476-71-0x000000013F670000-0x000000013F9C4000-memory.dmp	xmrig
behavioral1/files/0x0006000000016b96-61.dat	xmrig
behavioral1/memory/2648-29-0x000000013FB60000-0x000000013FEB4000-memory.dmp	xmrig
behavioral1/memory/1612-53-0x000000013FF50000-0x00000001402A4000-memory.dmp	xmrig
behavioral1/files/0x0009000000014aec-44.dat	xmrig
behavioral1/memory/2704-43-0x000000013FE50000-0x00000001401A4000-memory.dmp	xmrig
behavioral1/files/0x0009000000015a98-42.dat	xmrig
behavioral1/files/0x0007000000014a55-28.dat	xmrig
behavioral1/memory/2084-26-0x000000013F190000-0x000000013F4E4000-memory.dmp	xmrig
behavioral1/memory/2700-15-0x000000013F3A0000-0x000000013F6F4000-memory.dmp	xmrig
behavioral1/memory/2648-136-0x000000013FB60000-0x000000013FEB4000-memory.dmp	xmrig
behavioral1/memory/2112-138-0x000000013FCB0000-0x0000000140004000-memory.dmp	xmrig
behavioral1/memory/2700-139-0x000000013F3A0000-0x000000013F6F4000-memory.dmp	xmrig
behavioral1/memory/2084-140-0x000000013F190000-0x000000013F4E4000-memory.dmp	xmrig
behavioral1/memory/2648-141-0x000000013FB60000-0x000000013FEB4000-memory.dmp	xmrig
behavioral1/memory/2704-142-0x000000013FE50000-0x00000001401A4000-memory.dmp	xmrig
behavioral1/memory/2460-143-0x000000013F0B0000-0x000000013F404000-memory.dmp	xmrig
behavioral1/memory/2672-144-0x000000013FF50000-0x00000001402A4000-memory.dmp	xmrig
behavioral1/memory/2476-145-0x000000013F670000-0x000000013F9C4000-memory.dmp	xmrig
behavioral1/memory/2560-146-0x000000013FA50000-0x000000013FDA4000-memory.dmp	xmrig
behavioral1/memory/2104-147-0x000000013F3B0000-0x000000013F704000-memory.dmp	xmrig
behavioral1/memory/1728-148-0x000000013F280000-0x000000013F5D4000-memory.dmp	xmrig
behavioral1/memory/1524-149-0x000000013F9D0000-0x000000013FD24000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2112	JppBmPX.exe
2700	ofdDvLu.exe
2084	QljIxJY.exe
2648	EDdrkzx.exe
2704	hjRCdfb.exe
2460	wZHboVS.exe
2672	rDDAkPO.exe
2560	uDuYdVn.exe
2476	ljrycvX.exe
2104	dlohxnc.exe
1524	wmWVNUw.exe
1728	urqngLL.exe
2484	jQwZwcj.exe
2816	JFHmINZ.exe
2828	DACHrqu.exe
2428	wAdoAnp.exe
2844	XUjnFdB.exe
1052	hFATzLG.exe
572	lZSBPdZ.exe
836	njhwyQf.exe
2712	eDedkZL.exe

Loads dropped DLL 21 IoCs

pid	Process
1612	2024-05-29_2886cecbde358d0d97f44182c8f98d59_cobalt-strike_cobaltstrike.exe
1612	2024-05-29_2886cecbde358d0d97f44182c8f98d59_cobalt-strike_cobaltstrike.exe
1612	2024-05-29_2886cecbde358d0d97f44182c8f98d59_cobalt-strike_cobaltstrike.exe
1612	2024-05-29_2886cecbde358d0d97f44182c8f98d59_cobalt-strike_cobaltstrike.exe
1612	2024-05-29_2886cecbde358d0d97f44182c8f98d59_cobalt-strike_cobaltstrike.exe
1612	2024-05-29_2886cecbde358d0d97f44182c8f98d59_cobalt-strike_cobaltstrike.exe
1612	2024-05-29_2886cecbde358d0d97f44182c8f98d59_cobalt-strike_cobaltstrike.exe
1612	2024-05-29_2886cecbde358d0d97f44182c8f98d59_cobalt-strike_cobaltstrike.exe
1612	2024-05-29_2886cecbde358d0d97f44182c8f98d59_cobalt-strike_cobaltstrike.exe
1612	2024-05-29_2886cecbde358d0d97f44182c8f98d59_cobalt-strike_cobaltstrike.exe
1612	2024-05-29_2886cecbde358d0d97f44182c8f98d59_cobalt-strike_cobaltstrike.exe
1612	2024-05-29_2886cecbde358d0d97f44182c8f98d59_cobalt-strike_cobaltstrike.exe
1612	2024-05-29_2886cecbde358d0d97f44182c8f98d59_cobalt-strike_cobaltstrike.exe
1612	2024-05-29_2886cecbde358d0d97f44182c8f98d59_cobalt-strike_cobaltstrike.exe
1612	2024-05-29_2886cecbde358d0d97f44182c8f98d59_cobalt-strike_cobaltstrike.exe
1612	2024-05-29_2886cecbde358d0d97f44182c8f98d59_cobalt-strike_cobaltstrike.exe
1612	2024-05-29_2886cecbde358d0d97f44182c8f98d59_cobalt-strike_cobaltstrike.exe
1612	2024-05-29_2886cecbde358d0d97f44182c8f98d59_cobalt-strike_cobaltstrike.exe
1612	2024-05-29_2886cecbde358d0d97f44182c8f98d59_cobalt-strike_cobaltstrike.exe
1612	2024-05-29_2886cecbde358d0d97f44182c8f98d59_cobalt-strike_cobaltstrike.exe
1612	2024-05-29_2886cecbde358d0d97f44182c8f98d59_cobalt-strike_cobaltstrike.exe

UPX packed file 48 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1612-0-0x000000013F990000-0x000000013FCE4000-memory.dmp	upx
behavioral1/files/0x00090000000143d1-6.dat	upx
behavioral1/files/0x002c00000001450f-11.dat	upx
behavioral1/memory/2112-14-0x000000013FCB0000-0x0000000140004000-memory.dmp	upx
behavioral1/files/0x0008000000014909-20.dat	upx
behavioral1/files/0x0009000000014a94-34.dat	upx
behavioral1/files/0x00060000000167db-111.dat	upx
behavioral1/files/0x0006000000016cd4-92.dat	upx
behavioral1/memory/1728-133-0x000000013F280000-0x000000013F5D4000-memory.dmp	upx
behavioral1/memory/1524-132-0x000000013F9D0000-0x000000013FD24000-memory.dmp	upx
behavioral1/files/0x0006000000016d01-103.dat	upx
behavioral1/files/0x0006000000016ca9-84.dat	upx
behavioral1/memory/2460-79-0x000000013F0B0000-0x000000013F404000-memory.dmp	upx
behavioral1/files/0x0006000000016c23-75.dat	upx
behavioral1/files/0x0006000000016c10-64.dat	upx
behavioral1/files/0x000f00000001466c-57.dat	upx
behavioral1/files/0x0006000000016b5e-54.dat	upx
behavioral1/memory/1612-134-0x000000013F990000-0x000000013FCE4000-memory.dmp	upx
behavioral1/memory/2104-129-0x000000013F3B0000-0x000000013F704000-memory.dmp	upx
behavioral1/files/0x0006000000016d11-110.dat	upx
behavioral1/memory/2560-102-0x000000013FA50000-0x000000013FDA4000-memory.dmp	upx
behavioral1/files/0x0006000000016cf0-101.dat	upx
behavioral1/files/0x0006000000016ccf-91.dat	upx
behavioral1/memory/2672-90-0x000000013FF50000-0x00000001402A4000-memory.dmp	upx
behavioral1/files/0x0006000000016c90-83.dat	upx
behavioral1/files/0x0006000000016c1a-73.dat	upx
behavioral1/memory/2476-71-0x000000013F670000-0x000000013F9C4000-memory.dmp	upx
behavioral1/files/0x0006000000016b96-61.dat	upx
behavioral1/memory/2648-29-0x000000013FB60000-0x000000013FEB4000-memory.dmp	upx
behavioral1/files/0x0009000000014aec-44.dat	upx
behavioral1/memory/2704-43-0x000000013FE50000-0x00000001401A4000-memory.dmp	upx
behavioral1/files/0x0009000000015a98-42.dat	upx
behavioral1/files/0x0007000000014a55-28.dat	upx
behavioral1/memory/2084-26-0x000000013F190000-0x000000013F4E4000-memory.dmp	upx
behavioral1/memory/2700-15-0x000000013F3A0000-0x000000013F6F4000-memory.dmp	upx
behavioral1/memory/2648-136-0x000000013FB60000-0x000000013FEB4000-memory.dmp	upx
behavioral1/memory/2112-138-0x000000013FCB0000-0x0000000140004000-memory.dmp	upx
behavioral1/memory/2700-139-0x000000013F3A0000-0x000000013F6F4000-memory.dmp	upx
behavioral1/memory/2084-140-0x000000013F190000-0x000000013F4E4000-memory.dmp	upx
behavioral1/memory/2648-141-0x000000013FB60000-0x000000013FEB4000-memory.dmp	upx
behavioral1/memory/2704-142-0x000000013FE50000-0x00000001401A4000-memory.dmp	upx
behavioral1/memory/2460-143-0x000000013F0B0000-0x000000013F404000-memory.dmp	upx
behavioral1/memory/2672-144-0x000000013FF50000-0x00000001402A4000-memory.dmp	upx
behavioral1/memory/2476-145-0x000000013F670000-0x000000013F9C4000-memory.dmp	upx
behavioral1/memory/2560-146-0x000000013FA50000-0x000000013FDA4000-memory.dmp	upx
behavioral1/memory/2104-147-0x000000013F3B0000-0x000000013F704000-memory.dmp	upx
behavioral1/memory/1728-148-0x000000013F280000-0x000000013F5D4000-memory.dmp	upx
behavioral1/memory/1524-149-0x000000013F9D0000-0x000000013FD24000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\ofdDvLu.exe	2024-05-29_2886cecbde358d0d97f44182c8f98d59_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\wZHboVS.exe	2024-05-29_2886cecbde358d0d97f44182c8f98d59_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\uDuYdVn.exe	2024-05-29_2886cecbde358d0d97f44182c8f98d59_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\lZSBPdZ.exe	2024-05-29_2886cecbde358d0d97f44182c8f98d59_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\jQwZwcj.exe	2024-05-29_2886cecbde358d0d97f44182c8f98d59_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\wmWVNUw.exe	2024-05-29_2886cecbde358d0d97f44182c8f98d59_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\njhwyQf.exe	2024-05-29_2886cecbde358d0d97f44182c8f98d59_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\JppBmPX.exe	2024-05-29_2886cecbde358d0d97f44182c8f98d59_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\QljIxJY.exe	2024-05-29_2886cecbde358d0d97f44182c8f98d59_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\wAdoAnp.exe	2024-05-29_2886cecbde358d0d97f44182c8f98d59_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ljrycvX.exe	2024-05-29_2886cecbde358d0d97f44182c8f98d59_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\XUjnFdB.exe	2024-05-29_2886cecbde358d0d97f44182c8f98d59_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\hFATzLG.exe	2024-05-29_2886cecbde358d0d97f44182c8f98d59_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\JFHmINZ.exe	2024-05-29_2886cecbde358d0d97f44182c8f98d59_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\EDdrkzx.exe	2024-05-29_2886cecbde358d0d97f44182c8f98d59_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\rDDAkPO.exe	2024-05-29_2886cecbde358d0d97f44182c8f98d59_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\DACHrqu.exe	2024-05-29_2886cecbde358d0d97f44182c8f98d59_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\dlohxnc.exe	2024-05-29_2886cecbde358d0d97f44182c8f98d59_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\urqngLL.exe	2024-05-29_2886cecbde358d0d97f44182c8f98d59_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\hjRCdfb.exe	2024-05-29_2886cecbde358d0d97f44182c8f98d59_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\eDedkZL.exe	2024-05-29_2886cecbde358d0d97f44182c8f98d59_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1612	2024-05-29_2886cecbde358d0d97f44182c8f98d59_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	1612	2024-05-29_2886cecbde358d0d97f44182c8f98d59_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 1612 wrote to memory of 2112	1612	2024-05-29_2886cecbde358d0d97f44182c8f98d59_cobalt-strike_cobaltstrike.exe	29
PID 1612 wrote to memory of 2112	1612	2024-05-29_2886cecbde358d0d97f44182c8f98d59_cobalt-strike_cobaltstrike.exe	29
PID 1612 wrote to memory of 2112	1612	2024-05-29_2886cecbde358d0d97f44182c8f98d59_cobalt-strike_cobaltstrike.exe	29
PID 1612 wrote to memory of 2700	1612	2024-05-29_2886cecbde358d0d97f44182c8f98d59_cobalt-strike_cobaltstrike.exe	30
PID 1612 wrote to memory of 2700	1612	2024-05-29_2886cecbde358d0d97f44182c8f98d59_cobalt-strike_cobaltstrike.exe	30
PID 1612 wrote to memory of 2700	1612	2024-05-29_2886cecbde358d0d97f44182c8f98d59_cobalt-strike_cobaltstrike.exe	30
PID 1612 wrote to memory of 2084	1612	2024-05-29_2886cecbde358d0d97f44182c8f98d59_cobalt-strike_cobaltstrike.exe	31
PID 1612 wrote to memory of 2084	1612	2024-05-29_2886cecbde358d0d97f44182c8f98d59_cobalt-strike_cobaltstrike.exe	31
PID 1612 wrote to memory of 2084	1612	2024-05-29_2886cecbde358d0d97f44182c8f98d59_cobalt-strike_cobaltstrike.exe	31
PID 1612 wrote to memory of 2648	1612	2024-05-29_2886cecbde358d0d97f44182c8f98d59_cobalt-strike_cobaltstrike.exe	32
PID 1612 wrote to memory of 2648	1612	2024-05-29_2886cecbde358d0d97f44182c8f98d59_cobalt-strike_cobaltstrike.exe	32
PID 1612 wrote to memory of 2648	1612	2024-05-29_2886cecbde358d0d97f44182c8f98d59_cobalt-strike_cobaltstrike.exe	32
PID 1612 wrote to memory of 2704	1612	2024-05-29_2886cecbde358d0d97f44182c8f98d59_cobalt-strike_cobaltstrike.exe	33
PID 1612 wrote to memory of 2704	1612	2024-05-29_2886cecbde358d0d97f44182c8f98d59_cobalt-strike_cobaltstrike.exe	33
PID 1612 wrote to memory of 2704	1612	2024-05-29_2886cecbde358d0d97f44182c8f98d59_cobalt-strike_cobaltstrike.exe	33
PID 1612 wrote to memory of 2672	1612	2024-05-29_2886cecbde358d0d97f44182c8f98d59_cobalt-strike_cobaltstrike.exe	34
PID 1612 wrote to memory of 2672	1612	2024-05-29_2886cecbde358d0d97f44182c8f98d59_cobalt-strike_cobaltstrike.exe	34
PID 1612 wrote to memory of 2672	1612	2024-05-29_2886cecbde358d0d97f44182c8f98d59_cobalt-strike_cobaltstrike.exe	34
PID 1612 wrote to memory of 2460	1612	2024-05-29_2886cecbde358d0d97f44182c8f98d59_cobalt-strike_cobaltstrike.exe	35
PID 1612 wrote to memory of 2460	1612	2024-05-29_2886cecbde358d0d97f44182c8f98d59_cobalt-strike_cobaltstrike.exe	35
PID 1612 wrote to memory of 2460	1612	2024-05-29_2886cecbde358d0d97f44182c8f98d59_cobalt-strike_cobaltstrike.exe	35
PID 1612 wrote to memory of 2828	1612	2024-05-29_2886cecbde358d0d97f44182c8f98d59_cobalt-strike_cobaltstrike.exe	36
PID 1612 wrote to memory of 2828	1612	2024-05-29_2886cecbde358d0d97f44182c8f98d59_cobalt-strike_cobaltstrike.exe	36
PID 1612 wrote to memory of 2828	1612	2024-05-29_2886cecbde358d0d97f44182c8f98d59_cobalt-strike_cobaltstrike.exe	36
PID 1612 wrote to memory of 2560	1612	2024-05-29_2886cecbde358d0d97f44182c8f98d59_cobalt-strike_cobaltstrike.exe	37
PID 1612 wrote to memory of 2560	1612	2024-05-29_2886cecbde358d0d97f44182c8f98d59_cobalt-strike_cobaltstrike.exe	37
PID 1612 wrote to memory of 2560	1612	2024-05-29_2886cecbde358d0d97f44182c8f98d59_cobalt-strike_cobaltstrike.exe	37
PID 1612 wrote to memory of 2428	1612	2024-05-29_2886cecbde358d0d97f44182c8f98d59_cobalt-strike_cobaltstrike.exe	38
PID 1612 wrote to memory of 2428	1612	2024-05-29_2886cecbde358d0d97f44182c8f98d59_cobalt-strike_cobaltstrike.exe	38
PID 1612 wrote to memory of 2428	1612	2024-05-29_2886cecbde358d0d97f44182c8f98d59_cobalt-strike_cobaltstrike.exe	38
PID 1612 wrote to memory of 2476	1612	2024-05-29_2886cecbde358d0d97f44182c8f98d59_cobalt-strike_cobaltstrike.exe	39
PID 1612 wrote to memory of 2476	1612	2024-05-29_2886cecbde358d0d97f44182c8f98d59_cobalt-strike_cobaltstrike.exe	39
PID 1612 wrote to memory of 2476	1612	2024-05-29_2886cecbde358d0d97f44182c8f98d59_cobalt-strike_cobaltstrike.exe	39
PID 1612 wrote to memory of 2844	1612	2024-05-29_2886cecbde358d0d97f44182c8f98d59_cobalt-strike_cobaltstrike.exe	40
PID 1612 wrote to memory of 2844	1612	2024-05-29_2886cecbde358d0d97f44182c8f98d59_cobalt-strike_cobaltstrike.exe	40
PID 1612 wrote to memory of 2844	1612	2024-05-29_2886cecbde358d0d97f44182c8f98d59_cobalt-strike_cobaltstrike.exe	40
PID 1612 wrote to memory of 2104	1612	2024-05-29_2886cecbde358d0d97f44182c8f98d59_cobalt-strike_cobaltstrike.exe	41
PID 1612 wrote to memory of 2104	1612	2024-05-29_2886cecbde358d0d97f44182c8f98d59_cobalt-strike_cobaltstrike.exe	41
PID 1612 wrote to memory of 2104	1612	2024-05-29_2886cecbde358d0d97f44182c8f98d59_cobalt-strike_cobaltstrike.exe	41
PID 1612 wrote to memory of 1052	1612	2024-05-29_2886cecbde358d0d97f44182c8f98d59_cobalt-strike_cobaltstrike.exe	42
PID 1612 wrote to memory of 1052	1612	2024-05-29_2886cecbde358d0d97f44182c8f98d59_cobalt-strike_cobaltstrike.exe	42
PID 1612 wrote to memory of 1052	1612	2024-05-29_2886cecbde358d0d97f44182c8f98d59_cobalt-strike_cobaltstrike.exe	42
PID 1612 wrote to memory of 1524	1612	2024-05-29_2886cecbde358d0d97f44182c8f98d59_cobalt-strike_cobaltstrike.exe	43
PID 1612 wrote to memory of 1524	1612	2024-05-29_2886cecbde358d0d97f44182c8f98d59_cobalt-strike_cobaltstrike.exe	43
PID 1612 wrote to memory of 1524	1612	2024-05-29_2886cecbde358d0d97f44182c8f98d59_cobalt-strike_cobaltstrike.exe	43
PID 1612 wrote to memory of 572	1612	2024-05-29_2886cecbde358d0d97f44182c8f98d59_cobalt-strike_cobaltstrike.exe	44
PID 1612 wrote to memory of 572	1612	2024-05-29_2886cecbde358d0d97f44182c8f98d59_cobalt-strike_cobaltstrike.exe	44
PID 1612 wrote to memory of 572	1612	2024-05-29_2886cecbde358d0d97f44182c8f98d59_cobalt-strike_cobaltstrike.exe	44
PID 1612 wrote to memory of 1728	1612	2024-05-29_2886cecbde358d0d97f44182c8f98d59_cobalt-strike_cobaltstrike.exe	45
PID 1612 wrote to memory of 1728	1612	2024-05-29_2886cecbde358d0d97f44182c8f98d59_cobalt-strike_cobaltstrike.exe	45
PID 1612 wrote to memory of 1728	1612	2024-05-29_2886cecbde358d0d97f44182c8f98d59_cobalt-strike_cobaltstrike.exe	45
PID 1612 wrote to memory of 836	1612	2024-05-29_2886cecbde358d0d97f44182c8f98d59_cobalt-strike_cobaltstrike.exe	46
PID 1612 wrote to memory of 836	1612	2024-05-29_2886cecbde358d0d97f44182c8f98d59_cobalt-strike_cobaltstrike.exe	46
PID 1612 wrote to memory of 836	1612	2024-05-29_2886cecbde358d0d97f44182c8f98d59_cobalt-strike_cobaltstrike.exe	46
PID 1612 wrote to memory of 2484	1612	2024-05-29_2886cecbde358d0d97f44182c8f98d59_cobalt-strike_cobaltstrike.exe	47
PID 1612 wrote to memory of 2484	1612	2024-05-29_2886cecbde358d0d97f44182c8f98d59_cobalt-strike_cobaltstrike.exe	47
PID 1612 wrote to memory of 2484	1612	2024-05-29_2886cecbde358d0d97f44182c8f98d59_cobalt-strike_cobaltstrike.exe	47
PID 1612 wrote to memory of 2712	1612	2024-05-29_2886cecbde358d0d97f44182c8f98d59_cobalt-strike_cobaltstrike.exe	48
PID 1612 wrote to memory of 2712	1612	2024-05-29_2886cecbde358d0d97f44182c8f98d59_cobalt-strike_cobaltstrike.exe	48
PID 1612 wrote to memory of 2712	1612	2024-05-29_2886cecbde358d0d97f44182c8f98d59_cobalt-strike_cobaltstrike.exe	48
PID 1612 wrote to memory of 2816	1612	2024-05-29_2886cecbde358d0d97f44182c8f98d59_cobalt-strike_cobaltstrike.exe	49
PID 1612 wrote to memory of 2816	1612	2024-05-29_2886cecbde358d0d97f44182c8f98d59_cobalt-strike_cobaltstrike.exe	49
PID 1612 wrote to memory of 2816	1612	2024-05-29_2886cecbde358d0d97f44182c8f98d59_cobalt-strike_cobaltstrike.exe	49

C:\Users\Admin\AppData\Local\Temp\2024-05-29_2886cecbde358d0d97f44182c8f98d59_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-29_2886cecbde358d0d97f44182c8f98d59_cobalt-strike_cobaltstrike.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1612
- C:\Windows\System\JppBmPX.exe
  C:\Windows\System\JppBmPX.exe
  2⤵
  - Executes dropped EXE
  PID:2112
- C:\Windows\System\ofdDvLu.exe
  C:\Windows\System\ofdDvLu.exe
  2⤵
  - Executes dropped EXE
  PID:2700
- C:\Windows\System\QljIxJY.exe
  C:\Windows\System\QljIxJY.exe
  2⤵
  - Executes dropped EXE
  PID:2084
- C:\Windows\System\EDdrkzx.exe
  C:\Windows\System\EDdrkzx.exe
  2⤵
  - Executes dropped EXE
  PID:2648
- C:\Windows\System\hjRCdfb.exe
  C:\Windows\System\hjRCdfb.exe
  2⤵
  - Executes dropped EXE
  PID:2704
- C:\Windows\System\rDDAkPO.exe
  C:\Windows\System\rDDAkPO.exe
  2⤵
  - Executes dropped EXE
  PID:2672
- C:\Windows\System\wZHboVS.exe
  C:\Windows\System\wZHboVS.exe
  2⤵
  - Executes dropped EXE
  PID:2460
- C:\Windows\System\DACHrqu.exe
  C:\Windows\System\DACHrqu.exe
  2⤵
  - Executes dropped EXE
  PID:2828
- C:\Windows\System\uDuYdVn.exe
  C:\Windows\System\uDuYdVn.exe
  2⤵
  - Executes dropped EXE
  PID:2560
- C:\Windows\System\wAdoAnp.exe
  C:\Windows\System\wAdoAnp.exe
  2⤵
  - Executes dropped EXE
  PID:2428
- C:\Windows\System\ljrycvX.exe
  C:\Windows\System\ljrycvX.exe
  2⤵
  - Executes dropped EXE
  PID:2476
- C:\Windows\System\XUjnFdB.exe
  C:\Windows\System\XUjnFdB.exe
  2⤵
  - Executes dropped EXE
  PID:2844
- C:\Windows\System\dlohxnc.exe
  C:\Windows\System\dlohxnc.exe
  2⤵
  - Executes dropped EXE
  PID:2104
- C:\Windows\System\hFATzLG.exe
  C:\Windows\System\hFATzLG.exe
  2⤵
  - Executes dropped EXE
  PID:1052
- C:\Windows\System\wmWVNUw.exe
  C:\Windows\System\wmWVNUw.exe
  2⤵
  - Executes dropped EXE
  PID:1524
- C:\Windows\System\lZSBPdZ.exe
  C:\Windows\System\lZSBPdZ.exe
  2⤵
  - Executes dropped EXE
  PID:572
- C:\Windows\System\urqngLL.exe
  C:\Windows\System\urqngLL.exe
  2⤵
  - Executes dropped EXE
  PID:1728
- C:\Windows\System\njhwyQf.exe
  C:\Windows\System\njhwyQf.exe
  2⤵
  - Executes dropped EXE
  PID:836
- C:\Windows\System\jQwZwcj.exe
  C:\Windows\System\jQwZwcj.exe
  2⤵
  - Executes dropped EXE
  PID:2484
- C:\Windows\System\eDedkZL.exe
  C:\Windows\System\eDedkZL.exe
  2⤵
  - Executes dropped EXE
  PID:2712
- C:\Windows\System\JFHmINZ.exe
  C:\Windows\System\JFHmINZ.exe
  2⤵
  - Executes dropped EXE
  PID:2816

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\DACHrqu.exe

Filesize
5.9MB

MD5
e354e6a428d57bfbc39abb6554d2a50b

SHA1
92227237f7dda4f861244199d2332f4c2c3d018e

SHA256
34ad7382a06ffef1809b8706ddafeff44533dfaf9bcc53aaf172b42987c30afd

SHA512
1a9ad44099b0e4e6e8e44584b3166d7806a9a501a945e44cc96e5c3b91b7f16d01814b7ec38fab5744cf8f39d57b0ca4987e131e1f2e20cc85313c8bb8168c0c

Download Submit
C:\Windows\system\EDdrkzx.exe

Filesize
5.9MB

MD5
d7defd8c0e3d8f642f3843a1f2c97687

SHA1
11d633bdc6b84ae89fa62b1f5014e199de55e45e

SHA256
509bf8f582a1f312661aa491143cd44b1cb00959c55ae1a15e1239fc3d868067

SHA512
f0e58c008689e51a9fe9af5da921cce953cf7769dd10117b946d2a3c08ab99296879cbb2060f7391d708c8dac1d8892aa241453b669d65e6597a98b851889fa5

Download Submit
C:\Windows\system\JFHmINZ.exe

Filesize
5.9MB

MD5
af9bd413b0a310c92cd507073310cd07

SHA1
73d474653bba32ada725fbc5b671af2fbabd144d

SHA256
d9a65c1f3d603296ab811f007cc659e993e4209d5ee6ecc944f58040744ac25b

SHA512
de0ceffef6b27ef1b886e173b8fe87713dc03337853d3533462c4a955446bf6ad39fe127898ffb1d14f328244ebef1270a61c1b03b9451a192c9b3bde9034791

Download Submit
C:\Windows\system\JppBmPX.exe

Filesize
5.9MB

MD5
cfeca91a686dd4c759c48a07bb9c2cc7

SHA1
b99458eedf5eae6ed228a98a38fd451a0f7803af

SHA256
fef9083bf3461ad74b129646e5d8f7b15b8873edf906c772383527fdbc315fd7

SHA512
61a609a766b546e331f38c183fc6921b146ab1d5178a3b1a36bc809ab0ba8c39d795394ab726cce17291b778876fc880eb687f8d1d2a261aaf44853baa35a2c7

Download Submit
C:\Windows\system\QljIxJY.exe

Filesize
5.9MB

MD5
0f62b949e2f347d1f61629a8fb90ef5a

SHA1
4a6afcf977cfb69b3e9bfdfd60cfdae7cad793fb

SHA256
f5096d96de14faa9b46c4039c3803030b0077fe460accaec53d4ad50ab36fb7b

SHA512
599a39e2d60c13cd7e22aa17dc363018158979a3ab2ae1c852cc7b4f87ac7d00a64f295217ec576893f0102940449d813d220b3453fa915bfd97e593d110b6d1

Download Submit
C:\Windows\system\dlohxnc.exe

Filesize
5.9MB

MD5
981414cc2612a0a325026213cfb076cc

SHA1
cfde520f59e41041b4148e4f2ff45ce0d42d1c62

SHA256
4cd7a6ed02fcb87f40bf4182f6eb5f6fd8b46a038598cfb53fbd9cb57068a0e5

SHA512
7e72e6ab5dbfc2b25c968febdd63da89fa69518e78c6c399716fe06a49542eaebb9f84d4bf547c50897305d8e3a47fe3ee4a6f79258245f043c0afdeeb90f91b

Download Submit
C:\Windows\system\hjRCdfb.exe

Filesize
5.9MB

MD5
2f89b3c6e2d0a8b1863d09ee0d3a9ea5

SHA1
0ee47fb834dcc2db768b58ce207b189efde95991

SHA256
c93f1dae9abb619e821099e5761551edfea854a55bd49323510c43165d225d65

SHA512
abb5a469bfed073d4437a8e094592cf2e001da2a90e2261d9926cc538460b538809368a62895c74f8ecbcf4ef244bc273d59b5a91d304820a75179955f9413cf

Download Submit
C:\Windows\system\jQwZwcj.exe

Filesize
5.9MB

MD5
806a68e4b0808488d2987ddcebd971c3

SHA1
2cc356d190189fcdf2c8ad9e992c17815393c5f4

SHA256
ebeaafe6dc320278d2c277990e0e332b25b66b13f81dd938892e2e7349208ccf

SHA512
ad04b1f089e87a59a103003204fd9b5961066d3b874d6ddf278d25d07c2b61c7e1aa386e12ac7c70ff256340b32198ee50199dc8665809dd3e89f55d5b8fd8b5

Download Submit
C:\Windows\system\ljrycvX.exe

Filesize
5.9MB

MD5
4f4e707e0c87982aea65b5da80ab7c58

SHA1
0fbc3290c9b78d8571870a4813caf503172485d3

SHA256
9b993f20c4be7c64719bf385234f12098cabed079cfa45f741b9921e0189f3cc

SHA512
13ac137791489592ac21b5631a20385c59efbd710387749779103acd5c1b8221f5d17c6c7dc1354aba20d943110c6ffcb7948b70ceeddb30d408c3946544fd7b

Download Submit
C:\Windows\system\ofdDvLu.exe

Filesize
5.9MB

MD5
0c32d6ddc0f41bc29cb1f5cb96376681

SHA1
b1e34caa8ad2a9bf2ca629e7a5d0305d3221a410

SHA256
6e9376b60af3cec23142f0503a0668908cfd5948a0ea6bc50cf0b7c85c4507a6

SHA512
558c877a33adba3952b961c34917bd8068ee578e6290ff87ad4f0301ac73dd1710cc2d2218cf6ebee5d0b4eb17d24595c6bb20ade2a0e98e0ad17cee91a33a48

Download Submit
C:\Windows\system\rDDAkPO.exe

Filesize
5.9MB

MD5
77d9722340e01e1bf167323d3f045f6d

SHA1
4b86f20b2b982249fd217b9e1b5942ef8b3a72ab

SHA256
13f128bab0f6c53353e12f848047a74efc8521e79df981e2f2619610a3922b0e

SHA512
95a913cc44a72a109abce234d15090b87dbfcd43ac0aedaf0608fb938fa647ce40f91c8bdc9df14953f94270e96947008abb4daabd9a40403b1d07bff7198439

Download Submit
C:\Windows\system\uDuYdVn.exe

Filesize
5.9MB

MD5
3f8c7d644276144fb3b1fbe1d2c8558f

SHA1
4aa56fbeb414ad93c9483638e57db54ad0d73b7a

SHA256
4772b298fe0b75f67ec29af0d10952f8cc24fc3cec0cce8995039a592089c154

SHA512
398d81aeda40dbf24b17b152dec3cefc5e9f57c9603f03d3470b2138af2b3688d139a2f47f1bec924b6a26b493594a67aeafa60e7ce8e90060b7b61e745eb231

Download Submit
C:\Windows\system\urqngLL.exe

Filesize
5.9MB

MD5
982fb51a7908ee8bc0d3b2156fee7139

SHA1
af1b6b112d1ac2256c7545d4f850cdf0163bd465

SHA256
c20671658ee2f2d89ad9ac718c8eb9aad20fbf4de8c42a47a2fd350bf37500c8

SHA512
538acf62140ada7eadd69200017bcd8d6a009660f35fc00c9804e2dd4ef22ea18bbdbcaa4ea3632de8aa59034138b9e0349fd8c96aa3cc085f599295eaeabda8

Download Submit
C:\Windows\system\wZHboVS.exe

Filesize
5.9MB

MD5
f1e83cae7b7d216d6cfc9f3f7d243439

SHA1
2c4057100996136e5908e1951a86b099536ab164

SHA256
02bca53227788b23a458fc6dedfff1db1f2cdfe14ee70a278d0275bb92766902

SHA512
e833ed5e3e692eaba3fbaae72ae603e31a6587719ef60ccd0b9bc36bc3b9d60c864bd036f0ef9666c24fdfc00140bd1a013b21663da6e57d379b21d88c611654

Download Submit
C:\Windows\system\wmWVNUw.exe

Filesize
5.9MB

MD5
a0a612a4e5d0c3bb74c4fbf136a704f1

SHA1
19e7cefa5af50d54b6648b589c14f03cc8ca0de8

SHA256
9fbf357916c0ab1484e1295770f21a19bdcec44ebee5f6bbef10201b32c2cfc2

SHA512
ab338982586ad03314110276dca05828578c62ff9fa9a84768081302a3d4db0ce552db10b987a897f1fa19ea0f23e697cd1f0e4f22184bf090f6b187b9ea4d98

Download Submit
\Windows\system\XUjnFdB.exe

Filesize
5.9MB

MD5
eb9e1589e98b3cab32612a4b57c1191a

SHA1
5828b507f4ce5ad30e0b7eb55e9b910bc543a2cf

SHA256
976b70aa92f64263b3175f8c7ad7bbd9d4ce8eecf0be295ea128d24855da2431

SHA512
c5058225b84d33d9fd8f727e6f4dcdbdecb2ef4ff3a5045b7f71712d97d9656ab769582c1b5f6151046b67c8e8ba47d89a8c3dab98476717cffd4f016466024e

Download Submit
\Windows\system\eDedkZL.exe

Filesize
5.9MB

MD5
6f5b92bfc8c658b86288c9bef860cb70

SHA1
98f8dfac408122d51bdbac5b70e414d3f5a31529

SHA256
8051263cb7900184ee9e9d57f9de75082c7bfb2074ead7ab24dc94a8f3c0781d

SHA512
fbefb6de1d84635046e2cd3eadd499c10e142d948a3100d1a07c6a6e6a31980bb426dc9d295a54b7aebfeaf84a1c6d568c924b2bb81a7573056f386e5f30e76b

Download Submit
\Windows\system\hFATzLG.exe

Filesize
5.9MB

MD5
8dffd45739567f39b3fd39080e8ce4ca

SHA1
3b935b01d43462a8fce968c3a257dde1bcf937b1

SHA256
0cc21a9ab5f12101c6406e2168e61d5d7063b1745fe8e3730306d130f41784aa

SHA512
13369971a9025c16771fae83327624ae0f5d1e19ed3d040d10efa50078d4dd3821c4203684ca379ebd21b1ccc5f35133a5bc6861190436adef8981b23dda0420

Download Submit
\Windows\system\lZSBPdZ.exe

Filesize
5.9MB

MD5
917f5fa8b7623781fb3851bdab25d1b6

SHA1
861a8cf939611be875628ca16a83795756c7260f

SHA256
852402f026e49de84d0d29ea35b163a0e0103b95543bbcdd8eadee28f2acb3ac

SHA512
24386972bafe4871260fb8a9be731902edb9fdb94290d90dd9ac767c2a3e277809941773af7f81d19687aefd1fd5804ef64e3bfc5913efb860cced027fe7abd7

Download Submit
\Windows\system\njhwyQf.exe

Filesize
5.9MB

MD5
3f2dbba5a891fddeed9b508acd5f2076

SHA1
9c87d25a89fd1d03f858be76185849b7a19fcc50

SHA256
0cf357fd35e36cf7947d5183941c097be61ddce1d911872b41ca0cdf49ef7de2

SHA512
8c27ee5cfb84a443f3e46b8399ffa1499cdc5d9bbf5db0ffc3b68311f7b206e97372bec69bc051bcd94128d98171a498d69c53b4bf5f2bc60bffb6cf244c9f86

Download Submit
\Windows\system\wAdoAnp.exe

Filesize
5.9MB

MD5
8c208678ae43a6a9fb5261ec0049d7ac

SHA1
e5650c9d22fef801486722b2b9aaadd2a0acd085

SHA256
a71249408fcafb894a352002a9197bb1f99eea756574e714ebdc1b8522f06c92

SHA512
29b9cee10821152adc3216436924adb9dd5858acd378a3c3be3c6d3904dc605106323144dcee273cf4b4eb4b229cb57a01ca11c86d834264cda2c4b4a3307dd8

Download Submit
memory/1524-132-0x000000013F9D0000-0x000000013FD24000-memory.dmp

Filesize
3.3MB

Download
memory/1524-149-0x000000013F9D0000-0x000000013FD24000-memory.dmp

Filesize
3.3MB

Download
memory/1612-76-0x000000013F0B0000-0x000000013F404000-memory.dmp

Filesize
3.3MB

Download
memory/1612-53-0x000000013FF50000-0x00000001402A4000-memory.dmp

Filesize
3.3MB

Download
memory/1612-1-0x00000000001F0000-0x0000000000200000-memory.dmp

Filesize
64KB

Download
memory/1612-128-0x000000013F280000-0x000000013F5D4000-memory.dmp

Filesize
3.3MB

Download
memory/1612-127-0x0000000002320000-0x0000000002674000-memory.dmp

Filesize
3.3MB

Download
memory/1612-126-0x0000000002320000-0x0000000002674000-memory.dmp

Filesize
3.3MB

Download
memory/1612-135-0x0000000002320000-0x0000000002674000-memory.dmp

Filesize
3.3MB

Download
memory/1612-131-0x0000000002320000-0x0000000002674000-memory.dmp

Filesize
3.3MB

Download
memory/1612-108-0x0000000002320000-0x0000000002674000-memory.dmp

Filesize
3.3MB

Download
memory/1612-137-0x000000013F470000-0x000000013F7C4000-memory.dmp

Filesize
3.3MB

Download
memory/1612-134-0x000000013F990000-0x000000013FCE4000-memory.dmp

Filesize
3.3MB

Download
memory/1612-100-0x000000013F470000-0x000000013F7C4000-memory.dmp

Filesize
3.3MB

Download
memory/1612-0-0x000000013F990000-0x000000013FCE4000-memory.dmp

Filesize
3.3MB

Download
memory/1612-27-0x0000000002320000-0x0000000002674000-memory.dmp

Filesize
3.3MB

Download
memory/1612-12-0x0000000002320000-0x0000000002674000-memory.dmp

Filesize
3.3MB

Download
memory/1612-16-0x000000013F3A0000-0x000000013F6F4000-memory.dmp

Filesize
3.3MB

Download
memory/1612-72-0x000000013F3B0000-0x000000013F704000-memory.dmp

Filesize
3.3MB

Download
memory/1612-130-0x0000000002320000-0x0000000002674000-memory.dmp

Filesize
3.3MB

Download
memory/1612-63-0x0000000002320000-0x0000000002674000-memory.dmp

Filesize
3.3MB

Download
memory/1612-25-0x000000013F190000-0x000000013F4E4000-memory.dmp

Filesize
3.3MB

Download
memory/1728-133-0x000000013F280000-0x000000013F5D4000-memory.dmp

Filesize
3.3MB

Download
memory/1728-148-0x000000013F280000-0x000000013F5D4000-memory.dmp

Filesize
3.3MB

Download
memory/2084-140-0x000000013F190000-0x000000013F4E4000-memory.dmp

Filesize
3.3MB

Download
memory/2084-26-0x000000013F190000-0x000000013F4E4000-memory.dmp

Filesize
3.3MB

Download
memory/2104-129-0x000000013F3B0000-0x000000013F704000-memory.dmp

Filesize
3.3MB

Download
memory/2104-147-0x000000013F3B0000-0x000000013F704000-memory.dmp

Filesize
3.3MB

Download
memory/2112-14-0x000000013FCB0000-0x0000000140004000-memory.dmp

Filesize
3.3MB

Download
memory/2112-138-0x000000013FCB0000-0x0000000140004000-memory.dmp

Filesize
3.3MB

Download
memory/2460-79-0x000000013F0B0000-0x000000013F404000-memory.dmp

Filesize
3.3MB

Download
memory/2460-143-0x000000013F0B0000-0x000000013F404000-memory.dmp

Filesize
3.3MB

Download
memory/2476-71-0x000000013F670000-0x000000013F9C4000-memory.dmp

Filesize
3.3MB

Download
memory/2476-145-0x000000013F670000-0x000000013F9C4000-memory.dmp

Filesize
3.3MB

Download
memory/2560-102-0x000000013FA50000-0x000000013FDA4000-memory.dmp

Filesize
3.3MB

Download
memory/2560-146-0x000000013FA50000-0x000000013FDA4000-memory.dmp

Filesize
3.3MB

Download
memory/2648-141-0x000000013FB60000-0x000000013FEB4000-memory.dmp

Filesize
3.3MB

Download
memory/2648-29-0x000000013FB60000-0x000000013FEB4000-memory.dmp

Filesize
3.3MB

Download
memory/2648-136-0x000000013FB60000-0x000000013FEB4000-memory.dmp

Filesize
3.3MB

Download
memory/2672-144-0x000000013FF50000-0x00000001402A4000-memory.dmp

Filesize
3.3MB

Download
memory/2672-90-0x000000013FF50000-0x00000001402A4000-memory.dmp

Filesize
3.3MB

Download
memory/2700-139-0x000000013F3A0000-0x000000013F6F4000-memory.dmp

Filesize
3.3MB

Download
memory/2700-15-0x000000013F3A0000-0x000000013F6F4000-memory.dmp

Filesize
3.3MB

Download
memory/2704-142-0x000000013FE50000-0x00000001401A4000-memory.dmp

Filesize
3.3MB

Download
memory/2704-43-0x000000013FE50000-0x00000001401A4000-memory.dmp

Filesize
3.3MB

Download