cobaltstrike | 726914d628598886304ef351405730241e562ed8585971a69f30e528570d2f98

Analysis

max time kernel
141s
max time network
145s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
29-05-2024 21:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe
Size

5.2MB
MD5

ed398ae47512513b1039c6c730bbfee4
SHA1

6b86937c67b8ada7f5ad93d6c6e34bc46438e7a6
SHA256

726914d628598886304ef351405730241e562ed8585971a69f30e528570d2f98
SHA512

f98502bbacbaf685ec05d2abfdaeed198fc6af82111374da4f41377e8053f2e4c247a7fdd67166322627c325bd3d2ae52e7a116c24bec62b6c4320d8f53be487
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lM:RWWBibf56utgpPFotBER/mQ32lUI

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x000b000000012272-3.dat	cobalt_reflective_dll
behavioral1/files/0x002d000000014508-11.dat	cobalt_reflective_dll
behavioral1/files/0x00080000000145c7-10.dat	cobalt_reflective_dll
behavioral1/files/0x00070000000146cd-26.dat	cobalt_reflective_dll
behavioral1/files/0x002d000000014514-32.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000014733-34.dat	cobalt_reflective_dll
behavioral1/files/0x000700000001473e-41.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000014856-46.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015cb7-64.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015cd6-81.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015ce2-83.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015cfd-106.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015d13-114.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015cf3-100.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015d09-133.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015d72-129.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015d20-119.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015d42-126.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015cea-94.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015cbf-74.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000015caf-60.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

resource	yara_rule
behavioral1/files/0x000b000000012272-3.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x002d000000014508-11.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x00080000000145c7-10.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x00070000000146cd-26.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x002d000000014514-32.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000014733-34.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x000700000001473e-41.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000014856-46.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000015cb7-64.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015cd6-81.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015ce2-83.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015cfd-106.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015d13-114.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015cf3-100.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015d09-133.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015d72-129.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015d20-119.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015d42-126.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015cea-94.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000015cbf-74.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0008000000015caf-60.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

resource	yara_rule
behavioral1/memory/1260-0-0x000000013F620000-0x000000013F971000-memory.dmp	UPX
behavioral1/files/0x000b000000012272-3.dat	UPX
behavioral1/memory/1788-7-0x000000013F590000-0x000000013F8E1000-memory.dmp	UPX
behavioral1/files/0x002d000000014508-11.dat	UPX
behavioral1/memory/2372-15-0x000000013F330000-0x000000013F681000-memory.dmp	UPX
behavioral1/files/0x00080000000145c7-10.dat	UPX
behavioral1/memory/3040-21-0x000000013F7B0000-0x000000013FB01000-memory.dmp	UPX
behavioral1/files/0x00070000000146cd-26.dat	UPX
behavioral1/files/0x002d000000014514-32.dat	UPX
behavioral1/memory/2796-33-0x000000013FA90000-0x000000013FDE1000-memory.dmp	UPX
behavioral1/files/0x0007000000014733-34.dat	UPX
behavioral1/memory/2788-39-0x000000013FF70000-0x00000001402C1000-memory.dmp	UPX
behavioral1/memory/2732-29-0x000000013F390000-0x000000013F6E1000-memory.dmp	UPX
behavioral1/files/0x000700000001473e-41.dat	UPX
behavioral1/files/0x0007000000014856-46.dat	UPX
behavioral1/memory/3044-47-0x000000013FC70000-0x000000013FFC1000-memory.dmp	UPX
behavioral1/memory/1260-42-0x000000013F620000-0x000000013F971000-memory.dmp	UPX
behavioral1/files/0x0007000000015cb7-64.dat	UPX
behavioral1/memory/2700-63-0x000000013F1C0000-0x000000013F511000-memory.dmp	UPX
behavioral1/memory/2552-69-0x000000013F9F0000-0x000000013FD41000-memory.dmp	UPX
behavioral1/memory/2968-75-0x000000013FBE0000-0x000000013FF31000-memory.dmp	UPX
behavioral1/files/0x0006000000015cd6-81.dat	UPX
behavioral1/files/0x0006000000015ce2-83.dat	UPX
behavioral1/memory/3044-89-0x000000013FC70000-0x000000013FFC1000-memory.dmp	UPX
behavioral1/memory/2752-96-0x000000013FC70000-0x000000013FFC1000-memory.dmp	UPX
behavioral1/files/0x0006000000015cfd-106.dat	UPX
behavioral1/files/0x0006000000015d13-114.dat	UPX
behavioral1/files/0x0006000000015cf3-100.dat	UPX
behavioral1/files/0x0006000000015d09-133.dat	UPX
behavioral1/files/0x0006000000015d72-129.dat	UPX
behavioral1/files/0x0006000000015d20-119.dat	UPX
behavioral1/files/0x0006000000015d42-126.dat	UPX
behavioral1/memory/2776-97-0x000000013F410000-0x000000013F761000-memory.dmp	UPX
behavioral1/files/0x0006000000015cea-94.dat	UPX
behavioral1/memory/1924-90-0x000000013F330000-0x000000013F681000-memory.dmp	UPX
behavioral1/memory/2488-84-0x000000013F900000-0x000000013FC51000-memory.dmp	UPX
behavioral1/memory/2788-78-0x000000013FF70000-0x00000001402C1000-memory.dmp	UPX
behavioral1/files/0x0007000000015cbf-74.dat	UPX
behavioral1/memory/2796-71-0x000000013FA90000-0x000000013FDE1000-memory.dmp	UPX
behavioral1/memory/3040-62-0x000000013F7B0000-0x000000013FB01000-memory.dmp	UPX
behavioral1/files/0x0008000000015caf-60.dat	UPX
behavioral1/memory/2752-59-0x000000013FC70000-0x000000013FFC1000-memory.dmp	UPX
behavioral1/memory/2372-58-0x000000013F330000-0x000000013F681000-memory.dmp	UPX
behavioral1/memory/1788-55-0x000000013F590000-0x000000013F8E1000-memory.dmp	UPX
behavioral1/memory/2552-140-0x000000013F9F0000-0x000000013FD41000-memory.dmp	UPX
behavioral1/memory/1260-142-0x000000013F620000-0x000000013F971000-memory.dmp	UPX
behavioral1/memory/2968-152-0x000000013FBE0000-0x000000013FF31000-memory.dmp	UPX
behavioral1/memory/2700-151-0x000000013F1C0000-0x000000013F511000-memory.dmp	UPX
behavioral1/memory/2776-157-0x000000013F410000-0x000000013F761000-memory.dmp	UPX
behavioral1/memory/2844-158-0x000000013FF00000-0x0000000140251000-memory.dmp	UPX
behavioral1/memory/1792-159-0x000000013F1B0000-0x000000013F501000-memory.dmp	UPX
behavioral1/memory/2188-164-0x000000013FB60000-0x000000013FEB1000-memory.dmp	UPX
behavioral1/memory/2428-162-0x000000013F560000-0x000000013F8B1000-memory.dmp	UPX
behavioral1/memory/1264-161-0x000000013F940000-0x000000013FC91000-memory.dmp	UPX
behavioral1/memory/1984-160-0x000000013FD30000-0x0000000140081000-memory.dmp	UPX
behavioral1/memory/2840-163-0x000000013F950000-0x000000013FCA1000-memory.dmp	UPX
behavioral1/memory/1924-156-0x000000013F330000-0x000000013F681000-memory.dmp	UPX
behavioral1/memory/2488-155-0x000000013F900000-0x000000013FC51000-memory.dmp	UPX
behavioral1/memory/1260-166-0x000000013F620000-0x000000013F971000-memory.dmp	UPX
behavioral1/memory/1788-214-0x000000013F590000-0x000000013F8E1000-memory.dmp	UPX
behavioral1/memory/2372-216-0x000000013F330000-0x000000013F681000-memory.dmp	UPX
behavioral1/memory/3040-218-0x000000013F7B0000-0x000000013FB01000-memory.dmp	UPX
behavioral1/memory/2732-220-0x000000013F390000-0x000000013F6E1000-memory.dmp	UPX
behavioral1/memory/2796-228-0x000000013FA90000-0x000000013FDE1000-memory.dmp	UPX

XMRig Miner payload 40 IoCs

miner

resource	yara_rule
behavioral1/memory/2732-29-0x000000013F390000-0x000000013F6E1000-memory.dmp	xmrig
behavioral1/memory/1260-42-0x000000013F620000-0x000000013F971000-memory.dmp	xmrig
behavioral1/memory/3044-89-0x000000013FC70000-0x000000013FFC1000-memory.dmp	xmrig
behavioral1/memory/2752-96-0x000000013FC70000-0x000000013FFC1000-memory.dmp	xmrig
behavioral1/memory/1260-79-0x00000000021B0000-0x0000000002501000-memory.dmp	xmrig
behavioral1/memory/2788-78-0x000000013FF70000-0x00000001402C1000-memory.dmp	xmrig
behavioral1/memory/1260-72-0x000000013FBE0000-0x000000013FF31000-memory.dmp	xmrig
behavioral1/memory/2796-71-0x000000013FA90000-0x000000013FDE1000-memory.dmp	xmrig
behavioral1/memory/3040-62-0x000000013F7B0000-0x000000013FB01000-memory.dmp	xmrig
behavioral1/memory/2372-58-0x000000013F330000-0x000000013F681000-memory.dmp	xmrig
behavioral1/memory/1788-55-0x000000013F590000-0x000000013F8E1000-memory.dmp	xmrig
behavioral1/memory/2552-140-0x000000013F9F0000-0x000000013FD41000-memory.dmp	xmrig
behavioral1/memory/1260-142-0x000000013F620000-0x000000013F971000-memory.dmp	xmrig
behavioral1/memory/2968-152-0x000000013FBE0000-0x000000013FF31000-memory.dmp	xmrig
behavioral1/memory/2700-151-0x000000013F1C0000-0x000000013F511000-memory.dmp	xmrig
behavioral1/memory/2776-157-0x000000013F410000-0x000000013F761000-memory.dmp	xmrig
behavioral1/memory/2844-158-0x000000013FF00000-0x0000000140251000-memory.dmp	xmrig
behavioral1/memory/1792-159-0x000000013F1B0000-0x000000013F501000-memory.dmp	xmrig
behavioral1/memory/2188-164-0x000000013FB60000-0x000000013FEB1000-memory.dmp	xmrig
behavioral1/memory/2428-162-0x000000013F560000-0x000000013F8B1000-memory.dmp	xmrig
behavioral1/memory/1264-161-0x000000013F940000-0x000000013FC91000-memory.dmp	xmrig
behavioral1/memory/1984-160-0x000000013FD30000-0x0000000140081000-memory.dmp	xmrig
behavioral1/memory/2840-163-0x000000013F950000-0x000000013FCA1000-memory.dmp	xmrig
behavioral1/memory/1924-156-0x000000013F330000-0x000000013F681000-memory.dmp	xmrig
behavioral1/memory/2488-155-0x000000013F900000-0x000000013FC51000-memory.dmp	xmrig
behavioral1/memory/1260-166-0x000000013F620000-0x000000013F971000-memory.dmp	xmrig
behavioral1/memory/1788-214-0x000000013F590000-0x000000013F8E1000-memory.dmp	xmrig
behavioral1/memory/2372-216-0x000000013F330000-0x000000013F681000-memory.dmp	xmrig
behavioral1/memory/3040-218-0x000000013F7B0000-0x000000013FB01000-memory.dmp	xmrig
behavioral1/memory/2732-220-0x000000013F390000-0x000000013F6E1000-memory.dmp	xmrig
behavioral1/memory/2796-228-0x000000013FA90000-0x000000013FDE1000-memory.dmp	xmrig
behavioral1/memory/2788-240-0x000000013FF70000-0x00000001402C1000-memory.dmp	xmrig
behavioral1/memory/2752-244-0x000000013FC70000-0x000000013FFC1000-memory.dmp	xmrig
behavioral1/memory/3044-243-0x000000013FC70000-0x000000013FFC1000-memory.dmp	xmrig
behavioral1/memory/2552-246-0x000000013F9F0000-0x000000013FD41000-memory.dmp	xmrig
behavioral1/memory/2776-250-0x000000013F410000-0x000000013F761000-memory.dmp	xmrig
behavioral1/memory/2488-249-0x000000013F900000-0x000000013FC51000-memory.dmp	xmrig
behavioral1/memory/2700-254-0x000000013F1C0000-0x000000013F511000-memory.dmp	xmrig
behavioral1/memory/2968-256-0x000000013FBE0000-0x000000013FF31000-memory.dmp	xmrig
behavioral1/memory/1924-259-0x000000013F330000-0x000000013F681000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
1788	CNOuPWa.exe
2372	MjFImqY.exe
3040	igoyOUS.exe
2732	JtDWUFd.exe
2796	rRKcMFX.exe
2788	rAsWdkJ.exe
3044	nuUciwd.exe
2752	apvnSwb.exe
2700	NiVgHNl.exe
2552	nLqcKJZ.exe
2968	mWzleJq.exe
2488	BnFdVRx.exe
1924	SUNDXIF.exe
2776	tSbMTAQ.exe
2844	CnoFHNp.exe
1792	kzimpTo.exe
1264	BOGbRfZ.exe
2840	DFVYQvY.exe
1984	nKWRkTY.exe
2428	FLVaQZc.exe
2188	SUuEYAj.exe

Loads dropped DLL 21 IoCs

pid	Process
1260	2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe
1260	2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe
1260	2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe
1260	2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe
1260	2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe
1260	2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe
1260	2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe
1260	2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe
1260	2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe
1260	2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe
1260	2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe
1260	2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe
1260	2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe
1260	2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe
1260	2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe
1260	2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe
1260	2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe
1260	2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe
1260	2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe
1260	2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe
1260	2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1260-0-0x000000013F620000-0x000000013F971000-memory.dmp	upx
behavioral1/files/0x000b000000012272-3.dat	upx
behavioral1/memory/1788-7-0x000000013F590000-0x000000013F8E1000-memory.dmp	upx
behavioral1/files/0x002d000000014508-11.dat	upx
behavioral1/memory/2372-15-0x000000013F330000-0x000000013F681000-memory.dmp	upx
behavioral1/files/0x00080000000145c7-10.dat	upx
behavioral1/memory/3040-21-0x000000013F7B0000-0x000000013FB01000-memory.dmp	upx
behavioral1/files/0x00070000000146cd-26.dat	upx
behavioral1/files/0x002d000000014514-32.dat	upx
behavioral1/memory/2796-33-0x000000013FA90000-0x000000013FDE1000-memory.dmp	upx
behavioral1/files/0x0007000000014733-34.dat	upx
behavioral1/memory/2788-39-0x000000013FF70000-0x00000001402C1000-memory.dmp	upx
behavioral1/memory/2732-29-0x000000013F390000-0x000000013F6E1000-memory.dmp	upx
behavioral1/files/0x000700000001473e-41.dat	upx
behavioral1/files/0x0007000000014856-46.dat	upx
behavioral1/memory/3044-47-0x000000013FC70000-0x000000013FFC1000-memory.dmp	upx
behavioral1/memory/1260-42-0x000000013F620000-0x000000013F971000-memory.dmp	upx
behavioral1/files/0x0007000000015cb7-64.dat	upx
behavioral1/memory/2700-63-0x000000013F1C0000-0x000000013F511000-memory.dmp	upx
behavioral1/memory/2552-69-0x000000013F9F0000-0x000000013FD41000-memory.dmp	upx
behavioral1/memory/2968-75-0x000000013FBE0000-0x000000013FF31000-memory.dmp	upx
behavioral1/files/0x0006000000015cd6-81.dat	upx
behavioral1/files/0x0006000000015ce2-83.dat	upx
behavioral1/memory/3044-89-0x000000013FC70000-0x000000013FFC1000-memory.dmp	upx
behavioral1/memory/2752-96-0x000000013FC70000-0x000000013FFC1000-memory.dmp	upx
behavioral1/files/0x0006000000015cfd-106.dat	upx
behavioral1/files/0x0006000000015d13-114.dat	upx
behavioral1/files/0x0006000000015cf3-100.dat	upx
behavioral1/files/0x0006000000015d09-133.dat	upx
behavioral1/files/0x0006000000015d72-129.dat	upx
behavioral1/files/0x0006000000015d20-119.dat	upx
behavioral1/files/0x0006000000015d42-126.dat	upx
behavioral1/memory/2776-97-0x000000013F410000-0x000000013F761000-memory.dmp	upx
behavioral1/files/0x0006000000015cea-94.dat	upx
behavioral1/memory/1924-90-0x000000013F330000-0x000000013F681000-memory.dmp	upx
behavioral1/memory/2488-84-0x000000013F900000-0x000000013FC51000-memory.dmp	upx
behavioral1/memory/2788-78-0x000000013FF70000-0x00000001402C1000-memory.dmp	upx
behavioral1/files/0x0007000000015cbf-74.dat	upx
behavioral1/memory/2796-71-0x000000013FA90000-0x000000013FDE1000-memory.dmp	upx
behavioral1/memory/3040-62-0x000000013F7B0000-0x000000013FB01000-memory.dmp	upx
behavioral1/files/0x0008000000015caf-60.dat	upx
behavioral1/memory/2752-59-0x000000013FC70000-0x000000013FFC1000-memory.dmp	upx
behavioral1/memory/2372-58-0x000000013F330000-0x000000013F681000-memory.dmp	upx
behavioral1/memory/1788-55-0x000000013F590000-0x000000013F8E1000-memory.dmp	upx
behavioral1/memory/2552-140-0x000000013F9F0000-0x000000013FD41000-memory.dmp	upx
behavioral1/memory/1260-142-0x000000013F620000-0x000000013F971000-memory.dmp	upx
behavioral1/memory/2968-152-0x000000013FBE0000-0x000000013FF31000-memory.dmp	upx
behavioral1/memory/2700-151-0x000000013F1C0000-0x000000013F511000-memory.dmp	upx
behavioral1/memory/2776-157-0x000000013F410000-0x000000013F761000-memory.dmp	upx
behavioral1/memory/2844-158-0x000000013FF00000-0x0000000140251000-memory.dmp	upx
behavioral1/memory/1792-159-0x000000013F1B0000-0x000000013F501000-memory.dmp	upx
behavioral1/memory/2188-164-0x000000013FB60000-0x000000013FEB1000-memory.dmp	upx
behavioral1/memory/2428-162-0x000000013F560000-0x000000013F8B1000-memory.dmp	upx
behavioral1/memory/1264-161-0x000000013F940000-0x000000013FC91000-memory.dmp	upx
behavioral1/memory/1984-160-0x000000013FD30000-0x0000000140081000-memory.dmp	upx
behavioral1/memory/2840-163-0x000000013F950000-0x000000013FCA1000-memory.dmp	upx
behavioral1/memory/1924-156-0x000000013F330000-0x000000013F681000-memory.dmp	upx
behavioral1/memory/2488-155-0x000000013F900000-0x000000013FC51000-memory.dmp	upx
behavioral1/memory/1260-166-0x000000013F620000-0x000000013F971000-memory.dmp	upx
behavioral1/memory/1788-214-0x000000013F590000-0x000000013F8E1000-memory.dmp	upx
behavioral1/memory/2372-216-0x000000013F330000-0x000000013F681000-memory.dmp	upx
behavioral1/memory/3040-218-0x000000013F7B0000-0x000000013FB01000-memory.dmp	upx
behavioral1/memory/2732-220-0x000000013F390000-0x000000013F6E1000-memory.dmp	upx
behavioral1/memory/2796-228-0x000000013FA90000-0x000000013FDE1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\nuUciwd.exe	2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\apvnSwb.exe	2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\nLqcKJZ.exe	2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\tSbMTAQ.exe	2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\nKWRkTY.exe	2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\JtDWUFd.exe	2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\rRKcMFX.exe	2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\rAsWdkJ.exe	2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\mWzleJq.exe	2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\SUNDXIF.exe	2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\CnoFHNp.exe	2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\BOGbRfZ.exe	2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\FLVaQZc.exe	2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\CNOuPWa.exe	2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\MjFImqY.exe	2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\NiVgHNl.exe	2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\SUuEYAj.exe	2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\DFVYQvY.exe	2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\igoyOUS.exe	2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\BnFdVRx.exe	2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\kzimpTo.exe	2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1260	2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	1260	2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 1260 wrote to memory of 1788	1260	2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe	29
PID 1260 wrote to memory of 1788	1260	2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe	29
PID 1260 wrote to memory of 1788	1260	2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe	29
PID 1260 wrote to memory of 2372	1260	2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe	30
PID 1260 wrote to memory of 2372	1260	2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe	30
PID 1260 wrote to memory of 2372	1260	2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe	30
PID 1260 wrote to memory of 3040	1260	2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe	31
PID 1260 wrote to memory of 3040	1260	2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe	31
PID 1260 wrote to memory of 3040	1260	2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe	31
PID 1260 wrote to memory of 2732	1260	2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe	32
PID 1260 wrote to memory of 2732	1260	2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe	32
PID 1260 wrote to memory of 2732	1260	2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe	32
PID 1260 wrote to memory of 2796	1260	2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe	33
PID 1260 wrote to memory of 2796	1260	2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe	33
PID 1260 wrote to memory of 2796	1260	2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe	33
PID 1260 wrote to memory of 2788	1260	2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe	34
PID 1260 wrote to memory of 2788	1260	2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe	34
PID 1260 wrote to memory of 2788	1260	2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe	34
PID 1260 wrote to memory of 3044	1260	2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe	35
PID 1260 wrote to memory of 3044	1260	2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe	35
PID 1260 wrote to memory of 3044	1260	2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe	35
PID 1260 wrote to memory of 2752	1260	2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe	36
PID 1260 wrote to memory of 2752	1260	2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe	36
PID 1260 wrote to memory of 2752	1260	2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe	36
PID 1260 wrote to memory of 2700	1260	2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe	37
PID 1260 wrote to memory of 2700	1260	2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe	37
PID 1260 wrote to memory of 2700	1260	2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe	37
PID 1260 wrote to memory of 2552	1260	2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe	38
PID 1260 wrote to memory of 2552	1260	2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe	38
PID 1260 wrote to memory of 2552	1260	2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe	38
PID 1260 wrote to memory of 2968	1260	2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe	39
PID 1260 wrote to memory of 2968	1260	2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe	39
PID 1260 wrote to memory of 2968	1260	2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe	39
PID 1260 wrote to memory of 2488	1260	2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe	40
PID 1260 wrote to memory of 2488	1260	2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe	40
PID 1260 wrote to memory of 2488	1260	2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe	40
PID 1260 wrote to memory of 1924	1260	2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe	41
PID 1260 wrote to memory of 1924	1260	2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe	41
PID 1260 wrote to memory of 1924	1260	2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe	41
PID 1260 wrote to memory of 2776	1260	2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe	42
PID 1260 wrote to memory of 2776	1260	2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe	42
PID 1260 wrote to memory of 2776	1260	2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe	42
PID 1260 wrote to memory of 2844	1260	2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe	43
PID 1260 wrote to memory of 2844	1260	2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe	43
PID 1260 wrote to memory of 2844	1260	2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe	43
PID 1260 wrote to memory of 1792	1260	2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe	44
PID 1260 wrote to memory of 1792	1260	2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe	44
PID 1260 wrote to memory of 1792	1260	2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe	44
PID 1260 wrote to memory of 1984	1260	2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe	45
PID 1260 wrote to memory of 1984	1260	2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe	45
PID 1260 wrote to memory of 1984	1260	2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe	45
PID 1260 wrote to memory of 1264	1260	2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe	46
PID 1260 wrote to memory of 1264	1260	2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe	46
PID 1260 wrote to memory of 1264	1260	2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe	46
PID 1260 wrote to memory of 2428	1260	2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe	47
PID 1260 wrote to memory of 2428	1260	2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe	47
PID 1260 wrote to memory of 2428	1260	2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe	47
PID 1260 wrote to memory of 2840	1260	2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe	48
PID 1260 wrote to memory of 2840	1260	2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe	48
PID 1260 wrote to memory of 2840	1260	2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe	48
PID 1260 wrote to memory of 2188	1260	2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe	49
PID 1260 wrote to memory of 2188	1260	2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe	49
PID 1260 wrote to memory of 2188	1260	2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe	49

C:\Users\Admin\AppData\Local\Temp\2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-29_ed398ae47512513b1039c6c730bbfee4_cobalt-strike_cobaltstrike.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1260
- C:\Windows\System\CNOuPWa.exe
  C:\Windows\System\CNOuPWa.exe
  2⤵
  - Executes dropped EXE
  PID:1788
- C:\Windows\System\MjFImqY.exe
  C:\Windows\System\MjFImqY.exe
  2⤵
  - Executes dropped EXE
  PID:2372
- C:\Windows\System\igoyOUS.exe
  C:\Windows\System\igoyOUS.exe
  2⤵
  - Executes dropped EXE
  PID:3040
- C:\Windows\System\JtDWUFd.exe
  C:\Windows\System\JtDWUFd.exe
  2⤵
  - Executes dropped EXE
  PID:2732
- C:\Windows\System\rRKcMFX.exe
  C:\Windows\System\rRKcMFX.exe
  2⤵
  - Executes dropped EXE
  PID:2796
- C:\Windows\System\rAsWdkJ.exe
  C:\Windows\System\rAsWdkJ.exe
  2⤵
  - Executes dropped EXE
  PID:2788
- C:\Windows\System\nuUciwd.exe
  C:\Windows\System\nuUciwd.exe
  2⤵
  - Executes dropped EXE
  PID:3044
- C:\Windows\System\apvnSwb.exe
  C:\Windows\System\apvnSwb.exe
  2⤵
  - Executes dropped EXE
  PID:2752
- C:\Windows\System\NiVgHNl.exe
  C:\Windows\System\NiVgHNl.exe
  2⤵
  - Executes dropped EXE
  PID:2700
- C:\Windows\System\nLqcKJZ.exe
  C:\Windows\System\nLqcKJZ.exe
  2⤵
  - Executes dropped EXE
  PID:2552
- C:\Windows\System\mWzleJq.exe
  C:\Windows\System\mWzleJq.exe
  2⤵
  - Executes dropped EXE
  PID:2968
- C:\Windows\System\BnFdVRx.exe
  C:\Windows\System\BnFdVRx.exe
  2⤵
  - Executes dropped EXE
  PID:2488
- C:\Windows\System\SUNDXIF.exe
  C:\Windows\System\SUNDXIF.exe
  2⤵
  - Executes dropped EXE
  PID:1924
- C:\Windows\System\tSbMTAQ.exe
  C:\Windows\System\tSbMTAQ.exe
  2⤵
  - Executes dropped EXE
  PID:2776
- C:\Windows\System\CnoFHNp.exe
  C:\Windows\System\CnoFHNp.exe
  2⤵
  - Executes dropped EXE
  PID:2844
- C:\Windows\System\kzimpTo.exe
  C:\Windows\System\kzimpTo.exe
  2⤵
  - Executes dropped EXE
  PID:1792
- C:\Windows\System\nKWRkTY.exe
  C:\Windows\System\nKWRkTY.exe
  2⤵
  - Executes dropped EXE
  PID:1984
- C:\Windows\System\BOGbRfZ.exe
  C:\Windows\System\BOGbRfZ.exe
  2⤵
  - Executes dropped EXE
  PID:1264
- C:\Windows\System\FLVaQZc.exe
  C:\Windows\System\FLVaQZc.exe
  2⤵
  - Executes dropped EXE
  PID:2428
- C:\Windows\System\DFVYQvY.exe
  C:\Windows\System\DFVYQvY.exe
  2⤵
  - Executes dropped EXE
  PID:2840
- C:\Windows\System\SUuEYAj.exe
  C:\Windows\System\SUuEYAj.exe
  2⤵
  - Executes dropped EXE
  PID:2188

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\BnFdVRx.exe

Filesize
5.2MB

MD5
a37739597bea2489b37321984022375e

SHA1
9665eda95a0d914087650eb2b2c9b2ddfa81c608

SHA256
dec57f0bce78ca81b4e14370f19ae4b1147479300ebcd5773eebc1160b6c9592

SHA512
99cd3e6d6d7da653979481cc368ba27d407f4d4e0bec32c907010da2cc81c8c027ff53fd415cf5fc0d9cc149a77069fe2beaaedceb2c151d4426d8772367877e

Download Submit
C:\Windows\system\CnoFHNp.exe

Filesize
5.2MB

MD5
e2497bdcf07d478a13a30061aed63f51

SHA1
677200aaf8263da09142a6c6a8dba141b9eff6f0

SHA256
2598a11136125e4f431ff12da3d22fb887e501220acb7e09c219f84339c90ce3

SHA512
04e80e04065e0668060c90ca022a6e18454983b8d8ae273fc58f2fea5ec5fd012843ea9c23b687720fe604ae825d1ac5097b1726982ef51bfd917e2b4ffbb636

Download Submit
C:\Windows\system\DFVYQvY.exe

Filesize
5.2MB

MD5
4876da39455f7939dda1147ce6ba2dad

SHA1
e575bab02c6d19a1c8acce26a2661ed19243c9bd

SHA256
87f9748f7fdd38bcdc68613ead2b83684431eaf2f5b3a53cca9ca04f5d89350d

SHA512
85227e9bb3a1db6526b9076903bcb13586244e1f621b51a46d7f93ac6c2aab683ae8fdd48db031cbdce69ad8386e04d730f225c8e474024bd559c3b396b0ab5b

Download Submit
C:\Windows\system\JtDWUFd.exe

Filesize
5.2MB

MD5
51e7c5f82a16e51453fd4f17535a1843

SHA1
a2bf584316a84e9d51185f2b93653d0ba8397220

SHA256
e2fc6a22fd818e9a9518dc140e75ce2db711a037197ce6544fb3ecf0cae3c226

SHA512
de14ac16c4a1858c3602ef4a5aad08d94cdb0f931e4fb8e1cc869a2c48d30f39f6a0b8afb8093dffcc399be9a634bac63767d430bebbb0fd2104b2f7d54d6a0f

Download Submit
C:\Windows\system\MjFImqY.exe

Filesize
5.2MB

MD5
cc8e8207ecc409255de08cca354c5240

SHA1
fa88fce5c7511b171b961370572ae0890b320f19

SHA256
27e70a9c3ed17f0a0575dacf1a326c6c1915c530aa21ec829bb96265bac924c2

SHA512
83f7e818481c0ab4abe3b7c4fac80dd34e6d30f4fcf6b6be68500c68244c3a4ca4a875e0ebb22b9cd78870081072b689d2f72c286c29d99f38f7e2465dce77bf

Download Submit
C:\Windows\system\NiVgHNl.exe

Filesize
5.2MB

MD5
6af730ef2db95367db94d1b7e99dfec3

SHA1
530e5534bc34afe4c01d4e96b2759da41e95cf3f

SHA256
ba1294d9889fcc6865edcf94f1a746aca0beab1c0b36ddc2d4a077d368b4d6a1

SHA512
f1cea73c3c3e759dace7b57a231fe802eb06b07a58f87c648862b97e5181903955ca52e381f22a8e3cd62fc2ce3b0fd174c90e0e9003a42dcf9f99d630d02b68

Download Submit
C:\Windows\system\igoyOUS.exe

Filesize
5.2MB

MD5
0c42f651c13e6c436f0a24bd97a8695f

SHA1
f4df28259e188588396705bc37261a7d4dbbb408

SHA256
e9ca123cee5ebfc2047101deecae5622870f3afe5cdc53c8c6ae71bb09ad19e9

SHA512
4f13f720d6be2cd635074a1fe92c3835d2d25b91d97fda81a3d60fd2b704ed8b1219ae8ca99b9a285e9e11967cf506a140847228c0ad0ea5980ac60796f70012

Download Submit
C:\Windows\system\mWzleJq.exe

Filesize
5.2MB

MD5
119fdbc426efbcdaeff6add7bf19ca8f

SHA1
b6ea8ac300e1a53a4b05e9ea1a74f24fc351228e

SHA256
0f795825f6125eef4418a84dec3a9be78d0f4889f9d53c1fac684a9b7a04a302

SHA512
763bcfeaad6aca0218c1f12b2af86fb86fb2547e5e64d57b3dcfa5ea039114256bbf76e133360cdb01d03efb1aa915f36acf4dcf60504c07380fe5fdcfda0d0e

Download Submit
C:\Windows\system\nKWRkTY.exe

Filesize
5.2MB

MD5
257e5a38bbb79cd4d9fe3f34c96a7d96

SHA1
57a1182de965e6d590294bebd9a563df6d513e26

SHA256
821eb211c26692ec6765cf6a636b237a53e3f7dd08a627c763f03cf11d992d64

SHA512
f9a8911b03ec4007271eee86eaabded9083444f4a816c6c0e0dfd5cab5d68c2d01895dc3a74200cc6423ae2c0f3ee0d5c89c5a8c1ff9b0a08b1f0a8e6fb28733

Download Submit
C:\Windows\system\rRKcMFX.exe

Filesize
5.2MB

MD5
707a804b407b9b18fc76c74c14a51327

SHA1
35217e90f205d21751fd1d9f95b52d15987dc1f2

SHA256
b671122a5d200f1bd726b902d2eaa9dfbeec7540bead01eed05e621a45db0aa2

SHA512
b72fa015515d0d5350c73889b32ea74a6aa99594277c59ae022ebc35dae0867fcce686a96e5ceae22d4e8ebcaa53d15958ee2ce729813255d460aa3d8d329e62

Download Submit
C:\Windows\system\tSbMTAQ.exe

Filesize
5.2MB

MD5
f1ffd1c96da67e79c4d94056a8a947c2

SHA1
c07f775c4f7bee2bddde83c8ce473aff6df94ead

SHA256
7dccb723fd22697449571bceed9588f5f9ed62ad6b66795d8c491bebd53e76f3

SHA512
f80689ee427c4dba76c6fdb71eaa11dd62e0d3f6822b42c140924bed947e8fe09a19f4465686c28b5e048fb42525b14a2be02ea082cea501f5fb320fecbaff66

Download Submit
\Windows\system\BOGbRfZ.exe

Filesize
5.2MB

MD5
6dfa8a0973cf8f21ad24fd0bc7bec6ae

SHA1
b7aba4ff65407df812db559cfa401ec3ac824df6

SHA256
051a3abd76f1023ffeee8b0af7397846f872951d3ab9991a04a25ba424e52e87

SHA512
f6f848dea629f034aefe5266aa0c138c3962967b24460b37f80d394dedfda71da46f7e2524b5249ad55c783ccc8ed67211bf14ec76cc453218dcd742d3c2610c

Download Submit
\Windows\system\CNOuPWa.exe

Filesize
5.2MB

MD5
6b9e3bca061e97f018697a9a8b8ac8c6

SHA1
5c914e0dc3409ed2f6bf2fd72161a1a78aef45d2

SHA256
4986dcf3e39a0f3342b8453f23cbe898be93746c63e75b7ec88db1b9306ec5a4

SHA512
73e489d204a9452b32662c0d346c8d70ab9fdb8cf000b0b1e1817988adfe839689990717ee3c34cfd931f3580719eb61dedcf0e44994cdf2d92203dbe2fb2a30

Download Submit
\Windows\system\FLVaQZc.exe

Filesize
5.2MB

MD5
409b05d7ba8fde49314318791b63e333

SHA1
ae4ff2b8d1cd9b3c7c383ed922cecf836c3ef48f

SHA256
a51c2436045caaf6577f282b681c4d8e8208af61c14ada2438d432590e7224ba

SHA512
62b93763be75c88edee36c4cd96238a66171dccc3df7915ee9b9195143daf1b5040531f27debc3f514c580a21ad97757602bdb3acca98e4bc746dc7fc66f355a

Download Submit
\Windows\system\SUNDXIF.exe

Filesize
5.2MB

MD5
555fbc6016baddc498d996d67bdefef0

SHA1
5dab086beab2f7c70e3c24043be17b29a9ce9a63

SHA256
caac5dabdf78c7fc27595f4b8c953bd1e3c9fbcd7833be57f2f9ca11136b3c89

SHA512
10ba4e0a31b6f0f98b2ec787e40d555aa88db48afb148ecdf82506688e45dd97281e27697af4276a98cfa2bf104001a26a43e15d31172519ae807ff7e7591366

Download Submit
\Windows\system\SUuEYAj.exe

Filesize
5.2MB

MD5
09235b7d5e2d5524d8b37a8849914ea0

SHA1
f7e5f39a197ab089837d3eba1b46e196fc540a78

SHA256
7fd191f66d85edb824692e35355f5e17ff454a96d8342b3587555ddccb6d9ec1

SHA512
0b1538628b485ceb042519d845503b59fc02c62d8d8d466acf9a0ed1cfc046136b89e02ac6f5d3af5abe98d47bcad0581591a98ef38d70b3cb90fa3f9faedd55

Download Submit
\Windows\system\apvnSwb.exe

Filesize
5.2MB

MD5
0d689616c7b3bac900380e636048dbae

SHA1
0bf0cce85713004f7903dd55f345749576ce4d9c

SHA256
aa3d9b07a3c248910f62c7a98f91c051850e7542318cef52b190f2887d71a5f5

SHA512
eead0e94d264cd028f211f4271a16ad9a8b6224130a9cca3eadde7a34c51aa55b2fa5519bf223a14a076c72ff7cfd7c4f3326d160c6ccecae6a8029dc1b3d454

Download Submit
\Windows\system\kzimpTo.exe

Filesize
5.2MB

MD5
b7eeeb3b8ebd352d2693538f71b70f86

SHA1
7c30e9290ec3fd7430260e210352e4389e57a441

SHA256
aba7b4ead645b45de4880900349207521f7da56c9e91a818d4bd638405baaa2f

SHA512
c0bb55b121dc98914aff23d50eca51a1cdcececabf982d87ee8622da5451001d0b1b8b9d174d9119d6ea37b02307bfb1b5242b5ecc48c7bbf36641bbbb4c07da

Download Submit
\Windows\system\nLqcKJZ.exe

Filesize
5.2MB

MD5
9036af00e2efb6f8bbab67e826f9a5a4

SHA1
0a8162fac365e4cbb0731939be995efee5afc41c

SHA256
8f6075c193c7b3904237c8c6e97c1ad46455518a8ffc925974c0695beb8a2853

SHA512
1739e9921e89cfc2068b4c488bae77a6882b1c04571ea330021c29a0656925184c16350bfd99a8f5ae4718bcf1686ec3798452e575ff53a6b09c6152fd84b43d

Download Submit
\Windows\system\nuUciwd.exe

Filesize
5.2MB

MD5
c36d44dddfa03149fe1085a09084bdf9

SHA1
1a96afb7b532fd80d056d66a1c041d4d3e981453

SHA256
54a0d7177b8cdca4cbf5436060d589b7b3ee3a5ed6cb890ddb1c1d471bb01ac6

SHA512
4476d5c0d45475a4f9896774976d186a7bddbfdbc91aa8be2fc562536bab7afe2f620f22621c8b0d4538025bdaf78d4c5f645a3fdd1304dc5425a93039590785

Download Submit
\Windows\system\rAsWdkJ.exe

Filesize
5.2MB

MD5
970d7595b607acc4df01d939a6fa27a2

SHA1
2aea7687ae0c026bc53dc01fb29c40fc1bcd5409

SHA256
910c2e5e412e37788423355fe80df59b2f175e6e0f6c2d40ebf052ad656a97d7

SHA512
281a61f9ac4b6f6f45aeaf07cac16bc874ff8a5144b5415d91c07078eb669159b7f766e0ba374315de342ccb973ed83d2a84664e446ba71492977591493d5848

Download Submit
memory/1260-79-0x00000000021B0000-0x0000000002501000-memory.dmp

Filesize
3.3MB

Download
memory/1260-86-0x00000000021B0000-0x0000000002501000-memory.dmp

Filesize
3.3MB

Download
memory/1260-57-0x00000000021B0000-0x0000000002501000-memory.dmp

Filesize
3.3MB

Download
memory/1260-72-0x000000013FBE0000-0x000000013FF31000-memory.dmp

Filesize
3.3MB

Download
memory/1260-188-0x000000013FF00000-0x0000000140251000-memory.dmp

Filesize
3.3MB

Download
memory/1260-42-0x000000013F620000-0x000000013F971000-memory.dmp

Filesize
3.3MB

Download
memory/1260-166-0x000000013F620000-0x000000013F971000-memory.dmp

Filesize
3.3MB

Download
memory/1260-0-0x000000013F620000-0x000000013F971000-memory.dmp

Filesize
3.3MB

Download
memory/1260-141-0x000000013FBE0000-0x000000013FF31000-memory.dmp

Filesize
3.3MB

Download
memory/1260-1-0x00000000001F0000-0x0000000000200000-memory.dmp

Filesize
64KB

Download
memory/1260-139-0x000000013F9F0000-0x000000013FD41000-memory.dmp

Filesize
3.3MB

Download
memory/1260-36-0x000000013FF70000-0x00000001402C1000-memory.dmp

Filesize
3.3MB

Download
memory/1260-165-0x00000000021B0000-0x0000000002501000-memory.dmp

Filesize
3.3MB

Download
memory/1260-20-0x00000000021B0000-0x0000000002501000-memory.dmp

Filesize
3.3MB

Download
memory/1260-92-0x00000000021B0000-0x0000000002501000-memory.dmp

Filesize
3.3MB

Download
memory/1260-102-0x000000013FF00000-0x0000000140251000-memory.dmp

Filesize
3.3MB

Download
memory/1260-13-0x00000000021B0000-0x0000000002501000-memory.dmp

Filesize
3.3MB

Download
memory/1260-142-0x000000013F620000-0x000000013F971000-memory.dmp

Filesize
3.3MB

Download
memory/1260-67-0x00000000021B0000-0x0000000002501000-memory.dmp

Filesize
3.3MB

Download
memory/1264-161-0x000000013F940000-0x000000013FC91000-memory.dmp

Filesize
3.3MB

Download
memory/1788-55-0x000000013F590000-0x000000013F8E1000-memory.dmp

Filesize
3.3MB

Download
memory/1788-7-0x000000013F590000-0x000000013F8E1000-memory.dmp

Filesize
3.3MB

Download
memory/1788-214-0x000000013F590000-0x000000013F8E1000-memory.dmp

Filesize
3.3MB

Download
memory/1792-159-0x000000013F1B0000-0x000000013F501000-memory.dmp

Filesize
3.3MB

Download
memory/1924-90-0x000000013F330000-0x000000013F681000-memory.dmp

Filesize
3.3MB

Download
memory/1924-156-0x000000013F330000-0x000000013F681000-memory.dmp

Filesize
3.3MB

Download
memory/1924-259-0x000000013F330000-0x000000013F681000-memory.dmp

Filesize
3.3MB

Download
memory/1984-160-0x000000013FD30000-0x0000000140081000-memory.dmp

Filesize
3.3MB

Download
memory/2188-164-0x000000013FB60000-0x000000013FEB1000-memory.dmp

Filesize
3.3MB

Download
memory/2372-15-0x000000013F330000-0x000000013F681000-memory.dmp

Filesize
3.3MB

Download
memory/2372-216-0x000000013F330000-0x000000013F681000-memory.dmp

Filesize
3.3MB

Download
memory/2372-58-0x000000013F330000-0x000000013F681000-memory.dmp

Filesize
3.3MB

Download
memory/2428-162-0x000000013F560000-0x000000013F8B1000-memory.dmp

Filesize
3.3MB

Download
memory/2488-84-0x000000013F900000-0x000000013FC51000-memory.dmp

Filesize
3.3MB

Download
memory/2488-155-0x000000013F900000-0x000000013FC51000-memory.dmp

Filesize
3.3MB

Download
memory/2488-249-0x000000013F900000-0x000000013FC51000-memory.dmp

Filesize
3.3MB

Download
memory/2552-140-0x000000013F9F0000-0x000000013FD41000-memory.dmp

Filesize
3.3MB

Download
memory/2552-246-0x000000013F9F0000-0x000000013FD41000-memory.dmp

Filesize
3.3MB

Download
memory/2552-69-0x000000013F9F0000-0x000000013FD41000-memory.dmp

Filesize
3.3MB

Download
memory/2700-254-0x000000013F1C0000-0x000000013F511000-memory.dmp

Filesize
3.3MB

Download
memory/2700-151-0x000000013F1C0000-0x000000013F511000-memory.dmp

Filesize
3.3MB

Download
memory/2700-63-0x000000013F1C0000-0x000000013F511000-memory.dmp

Filesize
3.3MB

Download
memory/2732-29-0x000000013F390000-0x000000013F6E1000-memory.dmp

Filesize
3.3MB

Download
memory/2732-220-0x000000013F390000-0x000000013F6E1000-memory.dmp

Filesize
3.3MB

Download
memory/2752-59-0x000000013FC70000-0x000000013FFC1000-memory.dmp

Filesize
3.3MB

Download
memory/2752-96-0x000000013FC70000-0x000000013FFC1000-memory.dmp

Filesize
3.3MB

Download
memory/2752-244-0x000000013FC70000-0x000000013FFC1000-memory.dmp

Filesize
3.3MB

Download
memory/2776-250-0x000000013F410000-0x000000013F761000-memory.dmp

Filesize
3.3MB

Download
memory/2776-97-0x000000013F410000-0x000000013F761000-memory.dmp

Filesize
3.3MB

Download
memory/2776-157-0x000000013F410000-0x000000013F761000-memory.dmp

Filesize
3.3MB

Download
memory/2788-78-0x000000013FF70000-0x00000001402C1000-memory.dmp

Filesize
3.3MB

Download
memory/2788-240-0x000000013FF70000-0x00000001402C1000-memory.dmp

Filesize
3.3MB

Download
memory/2788-39-0x000000013FF70000-0x00000001402C1000-memory.dmp

Filesize
3.3MB

Download
memory/2796-228-0x000000013FA90000-0x000000013FDE1000-memory.dmp

Filesize
3.3MB

Download
memory/2796-33-0x000000013FA90000-0x000000013FDE1000-memory.dmp

Filesize
3.3MB

Download
memory/2796-71-0x000000013FA90000-0x000000013FDE1000-memory.dmp

Filesize
3.3MB

Download
memory/2840-163-0x000000013F950000-0x000000013FCA1000-memory.dmp

Filesize
3.3MB

Download
memory/2844-158-0x000000013FF00000-0x0000000140251000-memory.dmp

Filesize
3.3MB

Download
memory/2968-256-0x000000013FBE0000-0x000000013FF31000-memory.dmp

Filesize
3.3MB

Download
memory/2968-75-0x000000013FBE0000-0x000000013FF31000-memory.dmp

Filesize
3.3MB

Download
memory/2968-152-0x000000013FBE0000-0x000000013FF31000-memory.dmp

Filesize
3.3MB

Download
memory/3040-62-0x000000013F7B0000-0x000000013FB01000-memory.dmp

Filesize
3.3MB

Download
memory/3040-21-0x000000013F7B0000-0x000000013FB01000-memory.dmp

Filesize
3.3MB

Download
memory/3040-218-0x000000013F7B0000-0x000000013FB01000-memory.dmp

Filesize
3.3MB

Download
memory/3044-243-0x000000013FC70000-0x000000013FFC1000-memory.dmp

Filesize
3.3MB

Download
memory/3044-89-0x000000013FC70000-0x000000013FFC1000-memory.dmp

Filesize
3.3MB

Download
memory/3044-47-0x000000013FC70000-0x000000013FFC1000-memory.dmp

Filesize
3.3MB

Download