cobaltstrike | 98fdb3952f5fd096a4b3f7605d5dbd58ef52ed8efc2984ba87db8f263f9647f6

Analysis

max time kernel
134s
max time network
144s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
31-05-2024 16:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe
Size

5.9MB
MD5

f4ec19f830dffa2caae36960f513434d
SHA1

e1e42c722735333949fde4cd1901dfb8d4f81d82
SHA256

98fdb3952f5fd096a4b3f7605d5dbd58ef52ed8efc2984ba87db8f263f9647f6
SHA512

aa484a3a3d0afc8cf60caf82648c992198db5e62d63faf8e5eb1372508ed5195448495dd546d731fae6f5a863f24870d4c2475db52ae95893a01ba54247b56fe
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUo:Q+856utgpPF8u/7o

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x000d00000001232c-3.dat	cobalt_reflective_dll
behavioral1/files/0x0032000000013a6e-11.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000014186-10.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000014207-20.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000014246-27.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000014312-32.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000014a9a-35.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000014b4c-43.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015653-67.dat	cobalt_reflective_dll
behavioral1/files/0x000600000001565d-71.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015c9e-85.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015c87-83.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015684-79.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015677-75.dat	cobalt_reflective_dll
behavioral1/files/0x000600000001564f-63.dat	cobalt_reflective_dll
behavioral1/files/0x000600000001535e-59.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000014fa2-55.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000014e71-51.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000014bbc-47.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000014b18-39.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000014228-24.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

resource	yara_rule
behavioral1/files/0x000d00000001232c-3.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0032000000013a6e-11.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0008000000014186-10.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000014207-20.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000014246-27.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000014312-32.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0008000000014a9a-35.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000014b4c-43.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015653-67.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x000600000001565d-71.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015c9e-85.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015c87-83.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015684-79.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015677-75.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x000600000001564f-63.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x000600000001535e-59.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000014fa2-55.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000014e71-51.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000014bbc-47.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000014b18-39.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000014228-24.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 53 IoCs

resource	yara_rule
behavioral1/memory/2264-0-0x000000013FD00000-0x0000000140054000-memory.dmp	UPX
behavioral1/files/0x000d00000001232c-3.dat	UPX
behavioral1/files/0x0032000000013a6e-11.dat	UPX
behavioral1/memory/2264-9-0x0000000002330000-0x0000000002684000-memory.dmp	UPX
behavioral1/files/0x0008000000014186-10.dat	UPX
behavioral1/files/0x0007000000014207-20.dat	UPX
behavioral1/files/0x0007000000014246-27.dat	UPX
behavioral1/files/0x0007000000014312-32.dat	UPX
behavioral1/files/0x0008000000014a9a-35.dat	UPX
behavioral1/files/0x0006000000014b4c-43.dat	UPX
behavioral1/files/0x0006000000015653-67.dat	UPX
behavioral1/files/0x000600000001565d-71.dat	UPX
behavioral1/files/0x0006000000015c9e-85.dat	UPX
behavioral1/files/0x0006000000015c87-83.dat	UPX
behavioral1/files/0x0006000000015684-79.dat	UPX
behavioral1/files/0x0006000000015677-75.dat	UPX
behavioral1/files/0x000600000001564f-63.dat	UPX
behavioral1/files/0x000600000001535e-59.dat	UPX
behavioral1/memory/2628-112-0x000000013F800000-0x000000013FB54000-memory.dmp	UPX
behavioral1/memory/2560-114-0x000000013FB20000-0x000000013FE74000-memory.dmp	UPX
behavioral1/memory/2516-95-0x000000013F7C0000-0x000000013FB14000-memory.dmp	UPX
behavioral1/files/0x0006000000014fa2-55.dat	UPX
behavioral1/files/0x0006000000014e71-51.dat	UPX
behavioral1/files/0x0006000000014bbc-47.dat	UPX
behavioral1/files/0x0006000000014b18-39.dat	UPX
behavioral1/files/0x0007000000014228-24.dat	UPX
behavioral1/memory/2648-115-0x000000013FB70000-0x000000013FEC4000-memory.dmp	UPX
behavioral1/memory/2680-119-0x000000013F960000-0x000000013FCB4000-memory.dmp	UPX
behavioral1/memory/2580-121-0x000000013FB90000-0x000000013FEE4000-memory.dmp	UPX
behavioral1/memory/2884-129-0x000000013F0C0000-0x000000013F414000-memory.dmp	UPX
behavioral1/memory/2984-131-0x000000013F180000-0x000000013F4D4000-memory.dmp	UPX
behavioral1/memory/2740-130-0x000000013FF10000-0x0000000140264000-memory.dmp	UPX
behavioral1/memory/2480-127-0x000000013F3D0000-0x000000013F724000-memory.dmp	UPX
behavioral1/memory/2424-125-0x000000013F3E0000-0x000000013F734000-memory.dmp	UPX
behavioral1/memory/1724-123-0x000000013F460000-0x000000013F7B4000-memory.dmp	UPX
behavioral1/memory/2432-120-0x000000013FE40000-0x0000000140194000-memory.dmp	UPX
behavioral1/memory/2096-117-0x000000013F0E0000-0x000000013F434000-memory.dmp	UPX
behavioral1/memory/2264-132-0x000000013FD00000-0x0000000140054000-memory.dmp	UPX
behavioral1/memory/2516-133-0x000000013F7C0000-0x000000013FB14000-memory.dmp	UPX
behavioral1/memory/2740-134-0x000000013FF10000-0x0000000140264000-memory.dmp	UPX
behavioral1/memory/2560-138-0x000000013FB20000-0x000000013FE74000-memory.dmp	UPX
behavioral1/memory/2628-137-0x000000013F800000-0x000000013FB54000-memory.dmp	UPX
behavioral1/memory/2516-136-0x000000013F7C0000-0x000000013FB14000-memory.dmp	UPX
behavioral1/memory/2984-135-0x000000013F180000-0x000000013F4D4000-memory.dmp	UPX
behavioral1/memory/1724-147-0x000000013F460000-0x000000013F7B4000-memory.dmp	UPX
behavioral1/memory/2096-146-0x000000013F0E0000-0x000000013F434000-memory.dmp	UPX
behavioral1/memory/2480-145-0x000000013F3D0000-0x000000013F724000-memory.dmp	UPX
behavioral1/memory/2680-144-0x000000013F960000-0x000000013FCB4000-memory.dmp	UPX
behavioral1/memory/2424-143-0x000000013F3E0000-0x000000013F734000-memory.dmp	UPX
behavioral1/memory/2432-142-0x000000013FE40000-0x0000000140194000-memory.dmp	UPX
behavioral1/memory/2580-141-0x000000013FB90000-0x000000013FEE4000-memory.dmp	UPX
behavioral1/memory/2884-140-0x000000013F0C0000-0x000000013F414000-memory.dmp	UPX
behavioral1/memory/2648-139-0x000000013FB70000-0x000000013FEC4000-memory.dmp	UPX

XMRig Miner payload 56 IoCs

miner

resource	yara_rule
behavioral1/memory/2264-0-0x000000013FD00000-0x0000000140054000-memory.dmp	xmrig
behavioral1/files/0x000d00000001232c-3.dat	xmrig
behavioral1/files/0x0032000000013a6e-11.dat	xmrig
behavioral1/memory/2264-9-0x0000000002330000-0x0000000002684000-memory.dmp	xmrig
behavioral1/files/0x0008000000014186-10.dat	xmrig
behavioral1/files/0x0007000000014207-20.dat	xmrig
behavioral1/files/0x0007000000014246-27.dat	xmrig
behavioral1/files/0x0007000000014312-32.dat	xmrig
behavioral1/files/0x0008000000014a9a-35.dat	xmrig
behavioral1/files/0x0006000000014b4c-43.dat	xmrig
behavioral1/files/0x0006000000015653-67.dat	xmrig
behavioral1/files/0x000600000001565d-71.dat	xmrig
behavioral1/files/0x0006000000015c9e-85.dat	xmrig
behavioral1/files/0x0006000000015c87-83.dat	xmrig
behavioral1/files/0x0006000000015684-79.dat	xmrig
behavioral1/files/0x0006000000015677-75.dat	xmrig
behavioral1/files/0x000600000001564f-63.dat	xmrig
behavioral1/files/0x000600000001535e-59.dat	xmrig
behavioral1/memory/2628-112-0x000000013F800000-0x000000013FB54000-memory.dmp	xmrig
behavioral1/memory/2560-114-0x000000013FB20000-0x000000013FE74000-memory.dmp	xmrig
behavioral1/memory/2516-95-0x000000013F7C0000-0x000000013FB14000-memory.dmp	xmrig
behavioral1/files/0x0006000000014fa2-55.dat	xmrig
behavioral1/files/0x0006000000014e71-51.dat	xmrig
behavioral1/files/0x0006000000014bbc-47.dat	xmrig
behavioral1/files/0x0006000000014b18-39.dat	xmrig
behavioral1/files/0x0007000000014228-24.dat	xmrig
behavioral1/memory/2648-115-0x000000013FB70000-0x000000013FEC4000-memory.dmp	xmrig
behavioral1/memory/2680-119-0x000000013F960000-0x000000013FCB4000-memory.dmp	xmrig
behavioral1/memory/2580-121-0x000000013FB90000-0x000000013FEE4000-memory.dmp	xmrig
behavioral1/memory/2264-122-0x000000013F460000-0x000000013F7B4000-memory.dmp	xmrig
behavioral1/memory/2884-129-0x000000013F0C0000-0x000000013F414000-memory.dmp	xmrig
behavioral1/memory/2984-131-0x000000013F180000-0x000000013F4D4000-memory.dmp	xmrig
behavioral1/memory/2740-130-0x000000013FF10000-0x0000000140264000-memory.dmp	xmrig
behavioral1/memory/2480-127-0x000000013F3D0000-0x000000013F724000-memory.dmp	xmrig
behavioral1/memory/2264-126-0x000000013F3D0000-0x000000013F724000-memory.dmp	xmrig
behavioral1/memory/2424-125-0x000000013F3E0000-0x000000013F734000-memory.dmp	xmrig
behavioral1/memory/1724-123-0x000000013F460000-0x000000013F7B4000-memory.dmp	xmrig
behavioral1/memory/2432-120-0x000000013FE40000-0x0000000140194000-memory.dmp	xmrig
behavioral1/memory/2264-118-0x000000013F960000-0x000000013FCB4000-memory.dmp	xmrig
behavioral1/memory/2096-117-0x000000013F0E0000-0x000000013F434000-memory.dmp	xmrig
behavioral1/memory/2264-132-0x000000013FD00000-0x0000000140054000-memory.dmp	xmrig
behavioral1/memory/2516-133-0x000000013F7C0000-0x000000013FB14000-memory.dmp	xmrig
behavioral1/memory/2740-134-0x000000013FF10000-0x0000000140264000-memory.dmp	xmrig
behavioral1/memory/2560-138-0x000000013FB20000-0x000000013FE74000-memory.dmp	xmrig
behavioral1/memory/2628-137-0x000000013F800000-0x000000013FB54000-memory.dmp	xmrig
behavioral1/memory/2516-136-0x000000013F7C0000-0x000000013FB14000-memory.dmp	xmrig
behavioral1/memory/2984-135-0x000000013F180000-0x000000013F4D4000-memory.dmp	xmrig
behavioral1/memory/1724-147-0x000000013F460000-0x000000013F7B4000-memory.dmp	xmrig
behavioral1/memory/2096-146-0x000000013F0E0000-0x000000013F434000-memory.dmp	xmrig
behavioral1/memory/2480-145-0x000000013F3D0000-0x000000013F724000-memory.dmp	xmrig
behavioral1/memory/2680-144-0x000000013F960000-0x000000013FCB4000-memory.dmp	xmrig
behavioral1/memory/2424-143-0x000000013F3E0000-0x000000013F734000-memory.dmp	xmrig
behavioral1/memory/2432-142-0x000000013FE40000-0x0000000140194000-memory.dmp	xmrig
behavioral1/memory/2580-141-0x000000013FB90000-0x000000013FEE4000-memory.dmp	xmrig
behavioral1/memory/2884-140-0x000000013F0C0000-0x000000013F414000-memory.dmp	xmrig
behavioral1/memory/2648-139-0x000000013FB70000-0x000000013FEC4000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2740	HeOYSCH.exe
2984	FFbOvDC.exe
2516	horHyaN.exe
2628	tQeOigA.exe
2560	dQGqheX.exe
2648	AqMbrjJ.exe
2096	WhGWudf.exe
2680	bbwAnUt.exe
2432	IGEYzML.exe
2580	YomLwxL.exe
1724	XjDaLuh.exe
2424	xXWqBeT.exe
2480	wSySNkW.exe
2884	TOaUdYH.exe
2852	uKqhtqc.exe
2160	QuBgQci.exe
1552	AfatFUB.exe
1272	TfkYtIc.exe
2384	mtWPYiL.exe
2476	pfGbSch.exe
1028	ucGkIpP.exe

Loads dropped DLL 21 IoCs

pid	Process
2264	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe
2264	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe
2264	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe
2264	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe
2264	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe
2264	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe
2264	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe
2264	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe
2264	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe
2264	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe
2264	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe
2264	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe
2264	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe
2264	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe
2264	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe
2264	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe
2264	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe
2264	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe
2264	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe
2264	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe
2264	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe

UPX packed file 53 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2264-0-0x000000013FD00000-0x0000000140054000-memory.dmp	upx
behavioral1/files/0x000d00000001232c-3.dat	upx
behavioral1/files/0x0032000000013a6e-11.dat	upx
behavioral1/memory/2264-9-0x0000000002330000-0x0000000002684000-memory.dmp	upx
behavioral1/files/0x0008000000014186-10.dat	upx
behavioral1/files/0x0007000000014207-20.dat	upx
behavioral1/files/0x0007000000014246-27.dat	upx
behavioral1/files/0x0007000000014312-32.dat	upx
behavioral1/files/0x0008000000014a9a-35.dat	upx
behavioral1/files/0x0006000000014b4c-43.dat	upx
behavioral1/files/0x0006000000015653-67.dat	upx
behavioral1/files/0x000600000001565d-71.dat	upx
behavioral1/files/0x0006000000015c9e-85.dat	upx
behavioral1/files/0x0006000000015c87-83.dat	upx
behavioral1/files/0x0006000000015684-79.dat	upx
behavioral1/files/0x0006000000015677-75.dat	upx
behavioral1/files/0x000600000001564f-63.dat	upx
behavioral1/files/0x000600000001535e-59.dat	upx
behavioral1/memory/2628-112-0x000000013F800000-0x000000013FB54000-memory.dmp	upx
behavioral1/memory/2560-114-0x000000013FB20000-0x000000013FE74000-memory.dmp	upx
behavioral1/memory/2516-95-0x000000013F7C0000-0x000000013FB14000-memory.dmp	upx
behavioral1/files/0x0006000000014fa2-55.dat	upx
behavioral1/files/0x0006000000014e71-51.dat	upx
behavioral1/files/0x0006000000014bbc-47.dat	upx
behavioral1/files/0x0006000000014b18-39.dat	upx
behavioral1/files/0x0007000000014228-24.dat	upx
behavioral1/memory/2648-115-0x000000013FB70000-0x000000013FEC4000-memory.dmp	upx
behavioral1/memory/2680-119-0x000000013F960000-0x000000013FCB4000-memory.dmp	upx
behavioral1/memory/2580-121-0x000000013FB90000-0x000000013FEE4000-memory.dmp	upx
behavioral1/memory/2884-129-0x000000013F0C0000-0x000000013F414000-memory.dmp	upx
behavioral1/memory/2984-131-0x000000013F180000-0x000000013F4D4000-memory.dmp	upx
behavioral1/memory/2740-130-0x000000013FF10000-0x0000000140264000-memory.dmp	upx
behavioral1/memory/2480-127-0x000000013F3D0000-0x000000013F724000-memory.dmp	upx
behavioral1/memory/2424-125-0x000000013F3E0000-0x000000013F734000-memory.dmp	upx
behavioral1/memory/1724-123-0x000000013F460000-0x000000013F7B4000-memory.dmp	upx
behavioral1/memory/2432-120-0x000000013FE40000-0x0000000140194000-memory.dmp	upx
behavioral1/memory/2096-117-0x000000013F0E0000-0x000000013F434000-memory.dmp	upx
behavioral1/memory/2264-132-0x000000013FD00000-0x0000000140054000-memory.dmp	upx
behavioral1/memory/2516-133-0x000000013F7C0000-0x000000013FB14000-memory.dmp	upx
behavioral1/memory/2740-134-0x000000013FF10000-0x0000000140264000-memory.dmp	upx
behavioral1/memory/2560-138-0x000000013FB20000-0x000000013FE74000-memory.dmp	upx
behavioral1/memory/2628-137-0x000000013F800000-0x000000013FB54000-memory.dmp	upx
behavioral1/memory/2516-136-0x000000013F7C0000-0x000000013FB14000-memory.dmp	upx
behavioral1/memory/2984-135-0x000000013F180000-0x000000013F4D4000-memory.dmp	upx
behavioral1/memory/1724-147-0x000000013F460000-0x000000013F7B4000-memory.dmp	upx
behavioral1/memory/2096-146-0x000000013F0E0000-0x000000013F434000-memory.dmp	upx
behavioral1/memory/2480-145-0x000000013F3D0000-0x000000013F724000-memory.dmp	upx
behavioral1/memory/2680-144-0x000000013F960000-0x000000013FCB4000-memory.dmp	upx
behavioral1/memory/2424-143-0x000000013F3E0000-0x000000013F734000-memory.dmp	upx
behavioral1/memory/2432-142-0x000000013FE40000-0x0000000140194000-memory.dmp	upx
behavioral1/memory/2580-141-0x000000013FB90000-0x000000013FEE4000-memory.dmp	upx
behavioral1/memory/2884-140-0x000000013F0C0000-0x000000013F414000-memory.dmp	upx
behavioral1/memory/2648-139-0x000000013FB70000-0x000000013FEC4000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\tQeOigA.exe	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\dQGqheX.exe	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\AqMbrjJ.exe	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\TOaUdYH.exe	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\AfatFUB.exe	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\pfGbSch.exe	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\HeOYSCH.exe	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\IGEYzML.exe	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\XjDaLuh.exe	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\TfkYtIc.exe	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\mtWPYiL.exe	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\WhGWudf.exe	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\bbwAnUt.exe	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\YomLwxL.exe	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\wSySNkW.exe	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\uKqhtqc.exe	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\QuBgQci.exe	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\FFbOvDC.exe	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\horHyaN.exe	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\xXWqBeT.exe	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ucGkIpP.exe	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2264	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	2264	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2264 wrote to memory of 2740	2264	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe	29
PID 2264 wrote to memory of 2740	2264	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe	29
PID 2264 wrote to memory of 2740	2264	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe	29
PID 2264 wrote to memory of 2984	2264	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe	30
PID 2264 wrote to memory of 2984	2264	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe	30
PID 2264 wrote to memory of 2984	2264	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe	30
PID 2264 wrote to memory of 2516	2264	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe	31
PID 2264 wrote to memory of 2516	2264	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe	31
PID 2264 wrote to memory of 2516	2264	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe	31
PID 2264 wrote to memory of 2628	2264	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe	32
PID 2264 wrote to memory of 2628	2264	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe	32
PID 2264 wrote to memory of 2628	2264	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe	32
PID 2264 wrote to memory of 2560	2264	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe	33
PID 2264 wrote to memory of 2560	2264	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe	33
PID 2264 wrote to memory of 2560	2264	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe	33
PID 2264 wrote to memory of 2648	2264	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe	34
PID 2264 wrote to memory of 2648	2264	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe	34
PID 2264 wrote to memory of 2648	2264	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe	34
PID 2264 wrote to memory of 2096	2264	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe	35
PID 2264 wrote to memory of 2096	2264	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe	35
PID 2264 wrote to memory of 2096	2264	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe	35
PID 2264 wrote to memory of 2680	2264	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe	36
PID 2264 wrote to memory of 2680	2264	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe	36
PID 2264 wrote to memory of 2680	2264	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe	36
PID 2264 wrote to memory of 2432	2264	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe	37
PID 2264 wrote to memory of 2432	2264	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe	37
PID 2264 wrote to memory of 2432	2264	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe	37
PID 2264 wrote to memory of 2580	2264	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe	38
PID 2264 wrote to memory of 2580	2264	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe	38
PID 2264 wrote to memory of 2580	2264	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe	38
PID 2264 wrote to memory of 1724	2264	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe	39
PID 2264 wrote to memory of 1724	2264	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe	39
PID 2264 wrote to memory of 1724	2264	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe	39
PID 2264 wrote to memory of 2424	2264	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe	40
PID 2264 wrote to memory of 2424	2264	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe	40
PID 2264 wrote to memory of 2424	2264	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe	40
PID 2264 wrote to memory of 2480	2264	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe	41
PID 2264 wrote to memory of 2480	2264	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe	41
PID 2264 wrote to memory of 2480	2264	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe	41
PID 2264 wrote to memory of 2884	2264	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe	42
PID 2264 wrote to memory of 2884	2264	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe	42
PID 2264 wrote to memory of 2884	2264	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe	42
PID 2264 wrote to memory of 2852	2264	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe	43
PID 2264 wrote to memory of 2852	2264	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe	43
PID 2264 wrote to memory of 2852	2264	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe	43
PID 2264 wrote to memory of 2160	2264	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe	44
PID 2264 wrote to memory of 2160	2264	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe	44
PID 2264 wrote to memory of 2160	2264	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe	44
PID 2264 wrote to memory of 1552	2264	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe	45
PID 2264 wrote to memory of 1552	2264	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe	45
PID 2264 wrote to memory of 1552	2264	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe	45
PID 2264 wrote to memory of 1272	2264	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe	46
PID 2264 wrote to memory of 1272	2264	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe	46
PID 2264 wrote to memory of 1272	2264	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe	46
PID 2264 wrote to memory of 2384	2264	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe	47
PID 2264 wrote to memory of 2384	2264	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe	47
PID 2264 wrote to memory of 2384	2264	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe	47
PID 2264 wrote to memory of 2476	2264	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe	48
PID 2264 wrote to memory of 2476	2264	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe	48
PID 2264 wrote to memory of 2476	2264	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe	48
PID 2264 wrote to memory of 1028	2264	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe	49
PID 2264 wrote to memory of 1028	2264	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe	49
PID 2264 wrote to memory of 1028	2264	2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe	49

C:\Users\Admin\AppData\Local\Temp\2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-31_f4ec19f830dffa2caae36960f513434d_cobalt-strike_cobaltstrike.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2264
- C:\Windows\System\HeOYSCH.exe
  C:\Windows\System\HeOYSCH.exe
  2⤵
  - Executes dropped EXE
  PID:2740
- C:\Windows\System\FFbOvDC.exe
  C:\Windows\System\FFbOvDC.exe
  2⤵
  - Executes dropped EXE
  PID:2984
- C:\Windows\System\horHyaN.exe
  C:\Windows\System\horHyaN.exe
  2⤵
  - Executes dropped EXE
  PID:2516
- C:\Windows\System\tQeOigA.exe
  C:\Windows\System\tQeOigA.exe
  2⤵
  - Executes dropped EXE
  PID:2628
- C:\Windows\System\dQGqheX.exe
  C:\Windows\System\dQGqheX.exe
  2⤵
  - Executes dropped EXE
  PID:2560
- C:\Windows\System\AqMbrjJ.exe
  C:\Windows\System\AqMbrjJ.exe
  2⤵
  - Executes dropped EXE
  PID:2648
- C:\Windows\System\WhGWudf.exe
  C:\Windows\System\WhGWudf.exe
  2⤵
  - Executes dropped EXE
  PID:2096
- C:\Windows\System\bbwAnUt.exe
  C:\Windows\System\bbwAnUt.exe
  2⤵
  - Executes dropped EXE
  PID:2680
- C:\Windows\System\IGEYzML.exe
  C:\Windows\System\IGEYzML.exe
  2⤵
  - Executes dropped EXE
  PID:2432
- C:\Windows\System\YomLwxL.exe
  C:\Windows\System\YomLwxL.exe
  2⤵
  - Executes dropped EXE
  PID:2580
- C:\Windows\System\XjDaLuh.exe
  C:\Windows\System\XjDaLuh.exe
  2⤵
  - Executes dropped EXE
  PID:1724
- C:\Windows\System\xXWqBeT.exe
  C:\Windows\System\xXWqBeT.exe
  2⤵
  - Executes dropped EXE
  PID:2424
- C:\Windows\System\wSySNkW.exe
  C:\Windows\System\wSySNkW.exe
  2⤵
  - Executes dropped EXE
  PID:2480
- C:\Windows\System\TOaUdYH.exe
  C:\Windows\System\TOaUdYH.exe
  2⤵
  - Executes dropped EXE
  PID:2884
- C:\Windows\System\uKqhtqc.exe
  C:\Windows\System\uKqhtqc.exe
  2⤵
  - Executes dropped EXE
  PID:2852
- C:\Windows\System\QuBgQci.exe
  C:\Windows\System\QuBgQci.exe
  2⤵
  - Executes dropped EXE
  PID:2160
- C:\Windows\System\AfatFUB.exe
  C:\Windows\System\AfatFUB.exe
  2⤵
  - Executes dropped EXE
  PID:1552
- C:\Windows\System\TfkYtIc.exe
  C:\Windows\System\TfkYtIc.exe
  2⤵
  - Executes dropped EXE
  PID:1272
- C:\Windows\System\mtWPYiL.exe
  C:\Windows\System\mtWPYiL.exe
  2⤵
  - Executes dropped EXE
  PID:2384
- C:\Windows\System\pfGbSch.exe
  C:\Windows\System\pfGbSch.exe
  2⤵
  - Executes dropped EXE
  PID:2476
- C:\Windows\System\ucGkIpP.exe
  C:\Windows\System\ucGkIpP.exe
  2⤵
  - Executes dropped EXE
  PID:1028

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\AfatFUB.exe

Filesize
5.9MB

MD5
1d88d7597e8d78abc45ddf38dc34cd16

SHA1
71573bef0b6ec336cf62831e9082bc72c61b7e26

SHA256
39055743945f36119475037a425cf128831a92f27bf3f71e10384fcb9735a5e3

SHA512
9bd77f03708cfcbd3dffb7e3461d30840abea0d3c104ccbe83b69333089a9b8637734e398d47a39684243fc9f256af1f08420d4e3cfaa394ca6f113b2bef8018

Download Submit
C:\Windows\system\AqMbrjJ.exe

Filesize
5.9MB

MD5
ffc7c4e58fffad2c43bd5b768e8923b9

SHA1
feb27881790d63c012dcf8801bd44deaf1f0e424

SHA256
aadc70af4ebfd2bae91e7345e6592fcd4c3462c4f2632359eaae595c7e6fe5de

SHA512
14e13140fc4f04442e4e271893e21a2f9be5322cf0057c92651276b9d9007df89d90a03952a7a528285b832c6038475836499101f69550ff61bb97d33c8bd3be

Download Submit
C:\Windows\system\FFbOvDC.exe

Filesize
5.9MB

MD5
d98a3daeb48496b919d51e29af085e96

SHA1
096224bb6c6f7599032e9cbbcd4098086eb18dae

SHA256
7f412a7a036fffc995d720aef1f34fd6df55ccc8f281f72aaafead9a8627ee11

SHA512
afff6607fdfd6b27c8c75b52a498f0528bef061ba67ee24ca394140e0d6bef435b68d0bb1508a3f216b907fb5983933bab520ae62fcc57de3974476dd6045185

Download Submit
C:\Windows\system\IGEYzML.exe

Filesize
5.9MB

MD5
b8aec6ce8bef6f1bf46d5f401dd96502

SHA1
71972fd623e7b26c90cc87fdeca5ddd0eefaea0d

SHA256
b085ba17bf23651615f873ac287b3f290931a7b6d3a0f81ad5c5ad7eba9b3f20

SHA512
c7e1c9d1f3d205b4ec3bdc4859fea1e4dba9158f89f927ae1e152586fc09daa15dd21f5eddec1e04b748b1fbd84991c7ed811cdd1c7803484a6e7aed9281a157

Download Submit
C:\Windows\system\QuBgQci.exe

Filesize
5.9MB

MD5
d593f0729acd3a15b43bc5bc2f5af1bf

SHA1
a48313fa54a1979e39b4014968b8fdc90d53bda6

SHA256
b266fd9429cad1a4fcf637886b9e26cf1b7be37e704b9a82aa59a11f9493f9f5

SHA512
85e59773fea5ad0f063a49a667f32ceb81b38c5763e7f9f630edf37da8dd5f4077940c86bd0a24162e0c17e3bd1383c7709317356a9ceb7aaf5a0cf9fb7fa7cc

Download Submit
C:\Windows\system\TOaUdYH.exe

Filesize
5.9MB

MD5
34b07fa20281d52d6fc0d05c80351658

SHA1
a3de03b91f53cca75e899c15db0adce09ad5c595

SHA256
b09ecc04fcac204e538d5e97c0279f967954d8c1878b01e9d97744073a1e9d7a

SHA512
16cbfcc96878ad57e91f029ef77dfbdb64f6e51c412cec1ea365806212def4f8c24ec3dbf4ced614110dcdd1410a1f5c26e1f2752df0e5778486cc554e39a12b

Download Submit
C:\Windows\system\TfkYtIc.exe

Filesize
5.9MB

MD5
11d439845e109cf641a19126dc5094ea

SHA1
3db53c6a0c53bdd4e8efef433224cef2bd5ee2bb

SHA256
9f43bfb0096fd231d804a4d847f2a40266aa92608ffaa9be20783eff4f86a7cc

SHA512
bee5d85d90d4dad2935d94196e836a3fd5cf5c62d4051b57ca481ab63c677363956ba9195dbea0b15df99a426d281541b5bb6cc25ddfcc9e48dab0435b0d1b5c

Download Submit
C:\Windows\system\WhGWudf.exe

Filesize
5.9MB

MD5
8498ee1b6ee12f10232632536fa753db

SHA1
d90926f194a58512ee4c976667ee0a8f0d65a44d

SHA256
0ae6ce4b01c0764c9a7823cdfb98a01e08c07590246a88718799b33fb156aa71

SHA512
e7f40b6ef2c76dcb7e4c5ca1508aecf4fc65bba42d0ab56fabd6db2dce0b7cff10918d8ed51117c067a1c49e50d772d0079bbbb73a7ccd7199affa8983637b19

Download Submit
C:\Windows\system\XjDaLuh.exe

Filesize
5.9MB

MD5
8c5f40fd418147d5e4801abade9c29e5

SHA1
5f4ba6baacd92651eb699d43963b44bd3b9333f8

SHA256
74d3c9b73ec5462a586197e0960b129bcec3898892cfa182c96e2925395a0c42

SHA512
1bdb6cf29926fa768719a09e0df3513e2f3701f86a853e2d065cc79ba9097ff767551f20b1c65df435d47115fdd180d4ec455a924b6665501e7f75cf9717264e

Download Submit
C:\Windows\system\YomLwxL.exe

Filesize
5.9MB

MD5
b9538fe2d62e0b89d86042f02043c7d2

SHA1
78ce24ab2c07f0aa4ef998ad5a3b60869ff2e830

SHA256
fb2c2246133141aabc32eb3e9875835937d04de07731b16d19c404a2d575b734

SHA512
52a927abee4add13fd5d98da83417ee75fa0e8a1f038bd7ab1a2efee285202c9de739540d16c5789a931f8c8dbfc854c978fd23edf9cd9a1822c8c6d2b524a29

Download Submit
C:\Windows\system\bbwAnUt.exe

Filesize
5.9MB

MD5
580d42662d83cb47bbf0422d520cb549

SHA1
50b2de892977b746d4891d72bd662098086a48b8

SHA256
8224688473460a38319cb6a6a435235554a7f3ccd2cbee50c26ff1a53efe59b1

SHA512
a739e6b75fd641fb2d6e3517ccfa81dff702bfa8da7224df0cd4d190ba8a7ed575d836ad3a0db20bda3493440428466a0cfdef40040d03b92fbd1811c3c610be

Download Submit
C:\Windows\system\dQGqheX.exe

Filesize
5.9MB

MD5
e7153ec58572077a5d316617303d660d

SHA1
8c31e714514c1161ba151a3a477514cd9b58de54

SHA256
57c313cb108e709f3a581e4cd98c74df5cb7fe23911c61a660194ab9b837af23

SHA512
e0f9d135cd373c9849b99f3c89307d289b5b1875402669ec76a1bd96c7994aec807bb0092b209760da56e455943f6511efd4d1a5370605f3bc8187034b520f4c

Download Submit
C:\Windows\system\horHyaN.exe

Filesize
5.9MB

MD5
3fb68cbf3991ae0a78be099369f08e14

SHA1
2c15e0fc189e6a25e03e81f3489936bbcebdefaa

SHA256
842e0fff909acafeb196091a0a14b58ab8c6e8cea60cfff69cf5b522dacbf0fa

SHA512
1b4bbc93fea2bcf7d10a60980ad58975e71b03fad3abb6b6627b54e8ef866f7948af8801af2bcc07ec5bdeebb0c1ec5721407ef7c19d545eab2a0c5ea117ad49

Download Submit
C:\Windows\system\mtWPYiL.exe

Filesize
5.9MB

MD5
ff02e04077d001dc0ef402ecf7ee63d6

SHA1
e69f201cd9e04d5cb5dd9462e78172195d1dc624

SHA256
6837e8f670f9f164b981a86a5cb504c3979bf258c86964b2c6640aa039903a3e

SHA512
3210b5b2ffae257992c0609ee907edce81ec7f65b611f6c700e653e63be36b79621bd913f503c9e16f6287c177658968d6ec14dff99e73653312390d9dfaee0c

Download Submit
C:\Windows\system\pfGbSch.exe

Filesize
5.9MB

MD5
5d018db67b2f8d28142ae467ef881118

SHA1
bb07ddeaa43e4243f216d853e6b1e28c63234c0e

SHA256
14dd9d3628637d89f6e22203141a7ee00b8cf7b9255e226b55bc437decd79eea

SHA512
b800c36e6796db01f8e1e5544d1d28406927c2fae1d526f82015bb27c5dd0fe72a7a2a065b24f5f5e624548c041b07e1a78d662499c2852ad98b312a35d463d8

Download Submit
C:\Windows\system\tQeOigA.exe

Filesize
5.9MB

MD5
b5e4924b47d1c1410b27cfd0b9e8ffbe

SHA1
2afaa50575197b1f606b034f3ffbc29d13e2d850

SHA256
c711c72c7e025f27c8b37f53ff759b7bfabbc575a51ef74e118496216199365f

SHA512
bc1b3b02ed634207d6a206b9ebbeb4527407a6f2b384d537526d3f881d87b6266a32da011a72470b5f1cec2bd0fbc0e163f5e3d812b5aea11299a11f4b3e7418

Download Submit
C:\Windows\system\uKqhtqc.exe

Filesize
5.9MB

MD5
c91578a985ec0170c08d38bc6c7a6cfe

SHA1
1daab61f84c28f0b464539d5400a5617e560a0bb

SHA256
74b5190867d9bbffd0ba078369fc2d5112f6a48ba2c19efa0c4871e2f3a840f6

SHA512
6b64b02bc297818c6fa363a81336918a536f5bdce91af36a1b5acad1b66916caf77034c4b552566e8d21d44537c9d318172d999409b285d14a0ecee62d146529

Download Submit
C:\Windows\system\wSySNkW.exe

Filesize
5.9MB

MD5
6253d11673d8d0f610a1335b9ffb2acf

SHA1
69262ef084dc534bd9b0e409f9a151dffa11e81a

SHA256
7f8c9f46d24d13c6ebfff745a776bb5ce73ba53f705bbb9cee18cd970f43760b

SHA512
fed4b9d5fcfa011e94b573af2360c854457de2ca2e4ee504cec449fd08349c78b9d98a489817fc6cd20223f048e23de4e269e867f049b8db2fd8b914f51f15ca

Download Submit
C:\Windows\system\xXWqBeT.exe

Filesize
5.9MB

MD5
980774154c0b52f8f01e22c464e10bbe

SHA1
6dd196793ab0a1a637666e583393e299051017d6

SHA256
d9ee4c9321f50356ad8616ce95c4fb6953026a0259706b9213a6252e8deeba77

SHA512
448fd1adecc55a1f388166a3d6201b79f164e35d833a23ac3a1e8d435c581e4611b792aa98a6e07228ddfe2f464e62c91f96213dda3b6b51a390cf7f697aa3d1

Download Submit
\Windows\system\HeOYSCH.exe

Filesize
5.9MB

MD5
cce0c23871c751501fdc772034ec767d

SHA1
350dc960c8570d5af0300e4c2ca5c453eb88532c

SHA256
01bec9a5f4ad001574befd50cf99b534c66d0f913975bde2fc0d4a40d836edb8

SHA512
a90e50c31dbdb8808663163a180afd372a1ccb49fc7147de42ef6574d311656c7157c4ca4cbd8260fc0602e44931e4c7aef7f9df5d97a8297f36988265abd7a9

Download Submit
\Windows\system\ucGkIpP.exe

Filesize
5.9MB

MD5
4a2387bd5a8e89b56f0d44ab233e7e04

SHA1
8f3fb3c275d2338aec797fd8efe472b483ac56ab

SHA256
e09202d9c96986ebe932d6d244e4cdc65effd0f8f5c1a1ccd9ba146380fdbd34

SHA512
d12f27fea001e54706df3b6055ea56740117563c0241a849c32cd1500d6c263405f49704bd16d92a8a16bc87b2c1a64a250207399b71e835889fbbc00446ae60

Download Submit
memory/1724-123-0x000000013F460000-0x000000013F7B4000-memory.dmp

Filesize
3.3MB

Download
memory/1724-147-0x000000013F460000-0x000000013F7B4000-memory.dmp

Filesize
3.3MB

Download
memory/2096-117-0x000000013F0E0000-0x000000013F434000-memory.dmp

Filesize
3.3MB

Download
memory/2096-146-0x000000013F0E0000-0x000000013F434000-memory.dmp

Filesize
3.3MB

Download
memory/2264-132-0x000000013FD00000-0x0000000140054000-memory.dmp

Filesize
3.3MB

Download
memory/2264-1-0x0000000000100000-0x0000000000110000-memory.dmp

Filesize
64KB

Download
memory/2264-89-0x000000013F7C0000-0x000000013FB14000-memory.dmp

Filesize
3.3MB

Download
memory/2264-118-0x000000013F960000-0x000000013FCB4000-memory.dmp

Filesize
3.3MB

Download
memory/2264-111-0x000000013F800000-0x000000013FB54000-memory.dmp

Filesize
3.3MB

Download
memory/2264-113-0x0000000002330000-0x0000000002684000-memory.dmp

Filesize
3.3MB

Download
memory/2264-116-0x000000013F0E0000-0x000000013F434000-memory.dmp

Filesize
3.3MB

Download
memory/2264-124-0x000000013F3E0000-0x000000013F734000-memory.dmp

Filesize
3.3MB

Download
memory/2264-126-0x000000013F3D0000-0x000000013F724000-memory.dmp

Filesize
3.3MB

Download
memory/2264-128-0x000000013F0C0000-0x000000013F414000-memory.dmp

Filesize
3.3MB

Download
memory/2264-122-0x000000013F460000-0x000000013F7B4000-memory.dmp

Filesize
3.3MB

Download
memory/2264-9-0x0000000002330000-0x0000000002684000-memory.dmp

Filesize
3.3MB

Download
memory/2264-88-0x000000013F180000-0x000000013F4D4000-memory.dmp

Filesize
3.3MB

Download
memory/2264-0-0x000000013FD00000-0x0000000140054000-memory.dmp

Filesize
3.3MB

Download
memory/2424-125-0x000000013F3E0000-0x000000013F734000-memory.dmp

Filesize
3.3MB

Download
memory/2424-143-0x000000013F3E0000-0x000000013F734000-memory.dmp

Filesize
3.3MB

Download
memory/2432-120-0x000000013FE40000-0x0000000140194000-memory.dmp

Filesize
3.3MB

Download
memory/2432-142-0x000000013FE40000-0x0000000140194000-memory.dmp

Filesize
3.3MB

Download
memory/2480-127-0x000000013F3D0000-0x000000013F724000-memory.dmp

Filesize
3.3MB

Download
memory/2480-145-0x000000013F3D0000-0x000000013F724000-memory.dmp

Filesize
3.3MB

Download
memory/2516-136-0x000000013F7C0000-0x000000013FB14000-memory.dmp

Filesize
3.3MB

Download
memory/2516-133-0x000000013F7C0000-0x000000013FB14000-memory.dmp

Filesize
3.3MB

Download
memory/2516-95-0x000000013F7C0000-0x000000013FB14000-memory.dmp

Filesize
3.3MB

Download
memory/2560-114-0x000000013FB20000-0x000000013FE74000-memory.dmp

Filesize
3.3MB

Download
memory/2560-138-0x000000013FB20000-0x000000013FE74000-memory.dmp

Filesize
3.3MB

Download
memory/2580-141-0x000000013FB90000-0x000000013FEE4000-memory.dmp

Filesize
3.3MB

Download
memory/2580-121-0x000000013FB90000-0x000000013FEE4000-memory.dmp

Filesize
3.3MB

Download
memory/2628-112-0x000000013F800000-0x000000013FB54000-memory.dmp

Filesize
3.3MB

Download
memory/2628-137-0x000000013F800000-0x000000013FB54000-memory.dmp

Filesize
3.3MB

Download
memory/2648-139-0x000000013FB70000-0x000000013FEC4000-memory.dmp

Filesize
3.3MB

Download
memory/2648-115-0x000000013FB70000-0x000000013FEC4000-memory.dmp

Filesize
3.3MB

Download
memory/2680-144-0x000000013F960000-0x000000013FCB4000-memory.dmp

Filesize
3.3MB

Download
memory/2680-119-0x000000013F960000-0x000000013FCB4000-memory.dmp

Filesize
3.3MB

Download
memory/2740-134-0x000000013FF10000-0x0000000140264000-memory.dmp

Filesize
3.3MB

Download
memory/2740-130-0x000000013FF10000-0x0000000140264000-memory.dmp

Filesize
3.3MB

Download
memory/2884-129-0x000000013F0C0000-0x000000013F414000-memory.dmp

Filesize
3.3MB

Download
memory/2884-140-0x000000013F0C0000-0x000000013F414000-memory.dmp

Filesize
3.3MB

Download
memory/2984-135-0x000000013F180000-0x000000013F4D4000-memory.dmp

Filesize
3.3MB

Download
memory/2984-131-0x000000013F180000-0x000000013F4D4000-memory.dmp

Filesize
3.3MB

Download