cobaltstrike | 49478df49e6ad4944cc4533c57126f11b0c1896ab88f4b392a71093144ea5055

Analysis

max time kernel
148s
max time network
154s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
31-05-2024 19:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe
Size

5.9MB
MD5

59681e401cfb14358033737e53bf3a8d
SHA1

deafac6511fa3ff18c41c81a29dea8306e60e3e0
SHA256

49478df49e6ad4944cc4533c57126f11b0c1896ab88f4b392a71093144ea5055
SHA512

8efc8b68ab3343346890af86f5359bfecfb173cf31d83693b7efa8ee359a140c58c8092a7bd83c0dd24352aea53fb557030d5093db2a191deffe62531d8307eb
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lU4:Q+856utgpPF8u/74

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x000b000000014e3d-6.dat	cobalt_reflective_dll
behavioral1/files/0x002e000000015364-11.dat	cobalt_reflective_dll
behavioral1/files/0x002c0000000155d4-12.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000015a2d-21.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015a98-22.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015c0d-26.dat	cobalt_reflective_dll
behavioral1/files/0x000600000001704f-124.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000018ae2-92.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000018ae8-90.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000018698-82.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000186a0-81.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d55-76.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001868c-72.dat	cobalt_reflective_dll
behavioral1/files/0x0009000000015c2f-65.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d84-56.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d89-53.dat	cobalt_reflective_dll
behavioral1/files/0x0009000000015c3c-48.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000018b15-96.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000017090-69.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016e56-62.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015c23-33.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

resource	yara_rule
behavioral1/files/0x000b000000014e3d-6.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x002e000000015364-11.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x002c0000000155d4-12.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0008000000015a2d-21.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000015a98-22.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000015c0d-26.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x000600000001704f-124.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000018ae2-92.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000018ae8-90.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0005000000018698-82.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x00050000000186a0-81.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d55-76.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x000500000001868c-72.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0009000000015c2f-65.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d84-56.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d89-53.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0009000000015c3c-48.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000018b15-96.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000017090-69.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016e56-62.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000015c23-33.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 49 IoCs

resource	yara_rule
behavioral1/memory/1704-0-0x000000013F740000-0x000000013FA94000-memory.dmp	UPX
behavioral1/files/0x000b000000014e3d-6.dat	UPX
behavioral1/files/0x002e000000015364-11.dat	UPX
behavioral1/files/0x002c0000000155d4-12.dat	UPX
behavioral1/files/0x0008000000015a2d-21.dat	UPX
behavioral1/files/0x0007000000015a98-22.dat	UPX
behavioral1/files/0x0007000000015c0d-26.dat	UPX
behavioral1/memory/2032-121-0x000000013FCA0000-0x000000013FFF4000-memory.dmp	UPX
behavioral1/files/0x000600000001704f-124.dat	UPX
behavioral1/files/0x0006000000018ae2-92.dat	UPX
behavioral1/files/0x0006000000018ae8-90.dat	UPX
behavioral1/files/0x0005000000018698-82.dat	UPX
behavioral1/files/0x00050000000186a0-81.dat	UPX
behavioral1/files/0x0006000000016d55-76.dat	UPX
behavioral1/files/0x000500000001868c-72.dat	UPX
behavioral1/files/0x0009000000015c2f-65.dat	UPX
behavioral1/memory/2944-123-0x000000013F110000-0x000000013F464000-memory.dmp	UPX
behavioral1/memory/2532-122-0x000000013F480000-0x000000013F7D4000-memory.dmp	UPX
behavioral1/files/0x0006000000016d84-56.dat	UPX
behavioral1/files/0x0006000000016d89-53.dat	UPX
behavioral1/files/0x0009000000015c3c-48.dat	UPX
behavioral1/memory/2500-120-0x000000013FB90000-0x000000013FEE4000-memory.dmp	UPX
behavioral1/memory/1600-118-0x000000013F3F0000-0x000000013F744000-memory.dmp	UPX
behavioral1/memory/2696-116-0x000000013F4A0000-0x000000013F7F4000-memory.dmp	UPX
behavioral1/memory/1172-114-0x000000013F9C0000-0x000000013FD14000-memory.dmp	UPX
behavioral1/memory/2440-109-0x000000013FFF0000-0x0000000140344000-memory.dmp	UPX
behavioral1/memory/2724-106-0x000000013F2D0000-0x000000013F624000-memory.dmp	UPX
behavioral1/memory/2556-104-0x000000013F9F0000-0x000000013FD44000-memory.dmp	UPX
behavioral1/memory/2620-101-0x000000013F700000-0x000000013FA54000-memory.dmp	UPX
behavioral1/memory/2632-99-0x000000013F800000-0x000000013FB54000-memory.dmp	UPX
behavioral1/memory/2264-61-0x000000013F280000-0x000000013F5D4000-memory.dmp	UPX
behavioral1/files/0x0006000000018b15-96.dat	UPX
behavioral1/files/0x0006000000017090-69.dat	UPX
behavioral1/files/0x0006000000016e56-62.dat	UPX
behavioral1/files/0x0007000000015c23-33.dat	UPX
behavioral1/memory/1704-134-0x000000013F740000-0x000000013FA94000-memory.dmp	UPX
behavioral1/memory/2032-136-0x000000013FCA0000-0x000000013FFF4000-memory.dmp	UPX
behavioral1/memory/2632-137-0x000000013F800000-0x000000013FB54000-memory.dmp	UPX
behavioral1/memory/2264-138-0x000000013F280000-0x000000013F5D4000-memory.dmp	UPX
behavioral1/memory/2532-139-0x000000013F480000-0x000000013F7D4000-memory.dmp	UPX
behavioral1/memory/2724-141-0x000000013F2D0000-0x000000013F624000-memory.dmp	UPX
behavioral1/memory/2556-140-0x000000013F9F0000-0x000000013FD44000-memory.dmp	UPX
behavioral1/memory/2620-142-0x000000013F700000-0x000000013FA54000-memory.dmp	UPX
behavioral1/memory/2440-143-0x000000013FFF0000-0x0000000140344000-memory.dmp	UPX
behavioral1/memory/2944-144-0x000000013F110000-0x000000013F464000-memory.dmp	UPX
behavioral1/memory/1600-146-0x000000013F3F0000-0x000000013F744000-memory.dmp	UPX
behavioral1/memory/1172-145-0x000000013F9C0000-0x000000013FD14000-memory.dmp	UPX
behavioral1/memory/2696-147-0x000000013F4A0000-0x000000013F7F4000-memory.dmp	UPX
behavioral1/memory/2500-148-0x000000013FB90000-0x000000013FEE4000-memory.dmp	UPX

XMRig Miner payload 53 IoCs

miner

resource	yara_rule
behavioral1/memory/1704-0-0x000000013F740000-0x000000013FA94000-memory.dmp	xmrig
behavioral1/files/0x000b000000014e3d-6.dat	xmrig
behavioral1/files/0x002e000000015364-11.dat	xmrig
behavioral1/files/0x002c0000000155d4-12.dat	xmrig
behavioral1/files/0x0008000000015a2d-21.dat	xmrig
behavioral1/files/0x0007000000015a98-22.dat	xmrig
behavioral1/files/0x0007000000015c0d-26.dat	xmrig
behavioral1/memory/2032-121-0x000000013FCA0000-0x000000013FFF4000-memory.dmp	xmrig
behavioral1/files/0x000600000001704f-124.dat	xmrig
behavioral1/files/0x0006000000018ae2-92.dat	xmrig
behavioral1/files/0x0006000000018ae8-90.dat	xmrig
behavioral1/files/0x0005000000018698-82.dat	xmrig
behavioral1/files/0x00050000000186a0-81.dat	xmrig
behavioral1/files/0x0006000000016d55-76.dat	xmrig
behavioral1/files/0x000500000001868c-72.dat	xmrig
behavioral1/files/0x0009000000015c2f-65.dat	xmrig
behavioral1/memory/2944-123-0x000000013F110000-0x000000013F464000-memory.dmp	xmrig
behavioral1/memory/2532-122-0x000000013F480000-0x000000013F7D4000-memory.dmp	xmrig
behavioral1/files/0x0006000000016d84-56.dat	xmrig
behavioral1/files/0x0006000000016d89-53.dat	xmrig
behavioral1/files/0x0009000000015c3c-48.dat	xmrig
behavioral1/memory/2500-120-0x000000013FB90000-0x000000013FEE4000-memory.dmp	xmrig
behavioral1/memory/1600-118-0x000000013F3F0000-0x000000013F744000-memory.dmp	xmrig
behavioral1/memory/1704-117-0x00000000023A0000-0x00000000026F4000-memory.dmp	xmrig
behavioral1/memory/2696-116-0x000000013F4A0000-0x000000013F7F4000-memory.dmp	xmrig
behavioral1/memory/1172-114-0x000000013F9C0000-0x000000013FD14000-memory.dmp	xmrig
behavioral1/memory/1704-111-0x000000013F110000-0x000000013F464000-memory.dmp	xmrig
behavioral1/memory/2440-109-0x000000013FFF0000-0x0000000140344000-memory.dmp	xmrig
behavioral1/memory/2724-106-0x000000013F2D0000-0x000000013F624000-memory.dmp	xmrig
behavioral1/memory/1704-105-0x000000013F2D0000-0x000000013F624000-memory.dmp	xmrig
behavioral1/memory/2556-104-0x000000013F9F0000-0x000000013FD44000-memory.dmp	xmrig
behavioral1/memory/1704-102-0x00000000023A0000-0x00000000026F4000-memory.dmp	xmrig
behavioral1/memory/2620-101-0x000000013F700000-0x000000013FA54000-memory.dmp	xmrig
behavioral1/memory/2632-99-0x000000013F800000-0x000000013FB54000-memory.dmp	xmrig
behavioral1/memory/2264-61-0x000000013F280000-0x000000013F5D4000-memory.dmp	xmrig
behavioral1/files/0x0006000000018b15-96.dat	xmrig
behavioral1/files/0x0006000000017090-69.dat	xmrig
behavioral1/files/0x0006000000016e56-62.dat	xmrig
behavioral1/files/0x0007000000015c23-33.dat	xmrig
behavioral1/memory/1704-134-0x000000013F740000-0x000000013FA94000-memory.dmp	xmrig
behavioral1/memory/2032-136-0x000000013FCA0000-0x000000013FFF4000-memory.dmp	xmrig
behavioral1/memory/2632-137-0x000000013F800000-0x000000013FB54000-memory.dmp	xmrig
behavioral1/memory/2264-138-0x000000013F280000-0x000000013F5D4000-memory.dmp	xmrig
behavioral1/memory/2532-139-0x000000013F480000-0x000000013F7D4000-memory.dmp	xmrig
behavioral1/memory/2724-141-0x000000013F2D0000-0x000000013F624000-memory.dmp	xmrig
behavioral1/memory/2556-140-0x000000013F9F0000-0x000000013FD44000-memory.dmp	xmrig
behavioral1/memory/2620-142-0x000000013F700000-0x000000013FA54000-memory.dmp	xmrig
behavioral1/memory/2440-143-0x000000013FFF0000-0x0000000140344000-memory.dmp	xmrig
behavioral1/memory/2944-144-0x000000013F110000-0x000000013F464000-memory.dmp	xmrig
behavioral1/memory/1600-146-0x000000013F3F0000-0x000000013F744000-memory.dmp	xmrig
behavioral1/memory/1172-145-0x000000013F9C0000-0x000000013FD14000-memory.dmp	xmrig
behavioral1/memory/2696-147-0x000000013F4A0000-0x000000013F7F4000-memory.dmp	xmrig
behavioral1/memory/2500-148-0x000000013FB90000-0x000000013FEE4000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2032	koCsriB.exe
2264	AHsKSUt.exe
2632	chamMZB.exe
2620	EGpxilP.exe
2532	VgdJEkC.exe
2556	NnOtfsX.exe
2724	YuyHMgY.exe
2440	HdYjcyB.exe
2944	kgPHVth.exe
1172	iQAUiwL.exe
2696	ikUQpTr.exe
1600	BtBWZqN.exe
2500	oQKMFlz.exe
1020	hfCfYnQ.exe
2804	IJvWyat.exe
3028	kHecwDA.exe
2932	EWkzcoT.exe
1608	oraufvN.exe
1956	dmCsCzg.exe
2772	ykfyzSF.exe
1652	DyPSEeQ.exe

Loads dropped DLL 21 IoCs

pid	Process
1704	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe
1704	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe
1704	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe
1704	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe
1704	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe
1704	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe
1704	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe
1704	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe
1704	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe
1704	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe
1704	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe
1704	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe
1704	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe
1704	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe
1704	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe
1704	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe
1704	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe
1704	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe
1704	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe
1704	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe
1704	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe

UPX packed file 49 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1704-0-0x000000013F740000-0x000000013FA94000-memory.dmp	upx
behavioral1/files/0x000b000000014e3d-6.dat	upx
behavioral1/files/0x002e000000015364-11.dat	upx
behavioral1/files/0x002c0000000155d4-12.dat	upx
behavioral1/files/0x0008000000015a2d-21.dat	upx
behavioral1/files/0x0007000000015a98-22.dat	upx
behavioral1/files/0x0007000000015c0d-26.dat	upx
behavioral1/memory/2032-121-0x000000013FCA0000-0x000000013FFF4000-memory.dmp	upx
behavioral1/files/0x000600000001704f-124.dat	upx
behavioral1/files/0x0006000000018ae2-92.dat	upx
behavioral1/files/0x0006000000018ae8-90.dat	upx
behavioral1/files/0x0005000000018698-82.dat	upx
behavioral1/files/0x00050000000186a0-81.dat	upx
behavioral1/files/0x0006000000016d55-76.dat	upx
behavioral1/files/0x000500000001868c-72.dat	upx
behavioral1/files/0x0009000000015c2f-65.dat	upx
behavioral1/memory/2944-123-0x000000013F110000-0x000000013F464000-memory.dmp	upx
behavioral1/memory/2532-122-0x000000013F480000-0x000000013F7D4000-memory.dmp	upx
behavioral1/files/0x0006000000016d84-56.dat	upx
behavioral1/files/0x0006000000016d89-53.dat	upx
behavioral1/files/0x0009000000015c3c-48.dat	upx
behavioral1/memory/2500-120-0x000000013FB90000-0x000000013FEE4000-memory.dmp	upx
behavioral1/memory/1600-118-0x000000013F3F0000-0x000000013F744000-memory.dmp	upx
behavioral1/memory/2696-116-0x000000013F4A0000-0x000000013F7F4000-memory.dmp	upx
behavioral1/memory/1172-114-0x000000013F9C0000-0x000000013FD14000-memory.dmp	upx
behavioral1/memory/2440-109-0x000000013FFF0000-0x0000000140344000-memory.dmp	upx
behavioral1/memory/2724-106-0x000000013F2D0000-0x000000013F624000-memory.dmp	upx
behavioral1/memory/2556-104-0x000000013F9F0000-0x000000013FD44000-memory.dmp	upx
behavioral1/memory/2620-101-0x000000013F700000-0x000000013FA54000-memory.dmp	upx
behavioral1/memory/2632-99-0x000000013F800000-0x000000013FB54000-memory.dmp	upx
behavioral1/memory/2264-61-0x000000013F280000-0x000000013F5D4000-memory.dmp	upx
behavioral1/files/0x0006000000018b15-96.dat	upx
behavioral1/files/0x0006000000017090-69.dat	upx
behavioral1/files/0x0006000000016e56-62.dat	upx
behavioral1/files/0x0007000000015c23-33.dat	upx
behavioral1/memory/1704-134-0x000000013F740000-0x000000013FA94000-memory.dmp	upx
behavioral1/memory/2032-136-0x000000013FCA0000-0x000000013FFF4000-memory.dmp	upx
behavioral1/memory/2632-137-0x000000013F800000-0x000000013FB54000-memory.dmp	upx
behavioral1/memory/2264-138-0x000000013F280000-0x000000013F5D4000-memory.dmp	upx
behavioral1/memory/2532-139-0x000000013F480000-0x000000013F7D4000-memory.dmp	upx
behavioral1/memory/2724-141-0x000000013F2D0000-0x000000013F624000-memory.dmp	upx
behavioral1/memory/2556-140-0x000000013F9F0000-0x000000013FD44000-memory.dmp	upx
behavioral1/memory/2620-142-0x000000013F700000-0x000000013FA54000-memory.dmp	upx
behavioral1/memory/2440-143-0x000000013FFF0000-0x0000000140344000-memory.dmp	upx
behavioral1/memory/2944-144-0x000000013F110000-0x000000013F464000-memory.dmp	upx
behavioral1/memory/1600-146-0x000000013F3F0000-0x000000013F744000-memory.dmp	upx
behavioral1/memory/1172-145-0x000000013F9C0000-0x000000013FD14000-memory.dmp	upx
behavioral1/memory/2696-147-0x000000013F4A0000-0x000000013F7F4000-memory.dmp	upx
behavioral1/memory/2500-148-0x000000013FB90000-0x000000013FEE4000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\oraufvN.exe	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\IJvWyat.exe	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\kHecwDA.exe	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\AHsKSUt.exe	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\YuyHMgY.exe	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\iQAUiwL.exe	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ykfyzSF.exe	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\DyPSEeQ.exe	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\EGpxilP.exe	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\oQKMFlz.exe	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\kgPHVth.exe	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\HdYjcyB.exe	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\EWkzcoT.exe	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\BtBWZqN.exe	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\dmCsCzg.exe	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\VgdJEkC.exe	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\NnOtfsX.exe	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ikUQpTr.exe	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\koCsriB.exe	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\chamMZB.exe	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\hfCfYnQ.exe	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1704	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	1704	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 1704 wrote to memory of 2032	1704	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe	29
PID 1704 wrote to memory of 2032	1704	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe	29
PID 1704 wrote to memory of 2032	1704	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe	29
PID 1704 wrote to memory of 2264	1704	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe	30
PID 1704 wrote to memory of 2264	1704	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe	30
PID 1704 wrote to memory of 2264	1704	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe	30
PID 1704 wrote to memory of 2632	1704	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe	31
PID 1704 wrote to memory of 2632	1704	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe	31
PID 1704 wrote to memory of 2632	1704	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe	31
PID 1704 wrote to memory of 2620	1704	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe	32
PID 1704 wrote to memory of 2620	1704	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe	32
PID 1704 wrote to memory of 2620	1704	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe	32
PID 1704 wrote to memory of 2532	1704	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe	33
PID 1704 wrote to memory of 2532	1704	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe	33
PID 1704 wrote to memory of 2532	1704	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe	33
PID 1704 wrote to memory of 2556	1704	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe	34
PID 1704 wrote to memory of 2556	1704	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe	34
PID 1704 wrote to memory of 2556	1704	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe	34
PID 1704 wrote to memory of 2724	1704	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe	35
PID 1704 wrote to memory of 2724	1704	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe	35
PID 1704 wrote to memory of 2724	1704	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe	35
PID 1704 wrote to memory of 2696	1704	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe	36
PID 1704 wrote to memory of 2696	1704	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe	36
PID 1704 wrote to memory of 2696	1704	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe	36
PID 1704 wrote to memory of 2440	1704	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe	37
PID 1704 wrote to memory of 2440	1704	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe	37
PID 1704 wrote to memory of 2440	1704	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe	37
PID 1704 wrote to memory of 2500	1704	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe	38
PID 1704 wrote to memory of 2500	1704	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe	38
PID 1704 wrote to memory of 2500	1704	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe	38
PID 1704 wrote to memory of 2944	1704	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe	39
PID 1704 wrote to memory of 2944	1704	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe	39
PID 1704 wrote to memory of 2944	1704	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe	39
PID 1704 wrote to memory of 2932	1704	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe	40
PID 1704 wrote to memory of 2932	1704	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe	40
PID 1704 wrote to memory of 2932	1704	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe	40
PID 1704 wrote to memory of 1172	1704	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe	41
PID 1704 wrote to memory of 1172	1704	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe	41
PID 1704 wrote to memory of 1172	1704	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe	41
PID 1704 wrote to memory of 1608	1704	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe	42
PID 1704 wrote to memory of 1608	1704	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe	42
PID 1704 wrote to memory of 1608	1704	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe	42
PID 1704 wrote to memory of 1600	1704	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe	43
PID 1704 wrote to memory of 1600	1704	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe	43
PID 1704 wrote to memory of 1600	1704	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe	43
PID 1704 wrote to memory of 1956	1704	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe	44
PID 1704 wrote to memory of 1956	1704	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe	44
PID 1704 wrote to memory of 1956	1704	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe	44
PID 1704 wrote to memory of 1020	1704	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe	45
PID 1704 wrote to memory of 1020	1704	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe	45
PID 1704 wrote to memory of 1020	1704	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe	45
PID 1704 wrote to memory of 2772	1704	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe	46
PID 1704 wrote to memory of 2772	1704	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe	46
PID 1704 wrote to memory of 2772	1704	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe	46
PID 1704 wrote to memory of 2804	1704	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe	47
PID 1704 wrote to memory of 2804	1704	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe	47
PID 1704 wrote to memory of 2804	1704	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe	47
PID 1704 wrote to memory of 1652	1704	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe	48
PID 1704 wrote to memory of 1652	1704	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe	48
PID 1704 wrote to memory of 1652	1704	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe	48
PID 1704 wrote to memory of 3028	1704	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe	49
PID 1704 wrote to memory of 3028	1704	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe	49
PID 1704 wrote to memory of 3028	1704	2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe	49

C:\Users\Admin\AppData\Local\Temp\2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-31_59681e401cfb14358033737e53bf3a8d_cobalt-strike_cobaltstrike.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1704
- C:\Windows\System\koCsriB.exe
  C:\Windows\System\koCsriB.exe
  2⤵
  - Executes dropped EXE
  PID:2032
- C:\Windows\System\AHsKSUt.exe
  C:\Windows\System\AHsKSUt.exe
  2⤵
  - Executes dropped EXE
  PID:2264
- C:\Windows\System\chamMZB.exe
  C:\Windows\System\chamMZB.exe
  2⤵
  - Executes dropped EXE
  PID:2632
- C:\Windows\System\EGpxilP.exe
  C:\Windows\System\EGpxilP.exe
  2⤵
  - Executes dropped EXE
  PID:2620
- C:\Windows\System\VgdJEkC.exe
  C:\Windows\System\VgdJEkC.exe
  2⤵
  - Executes dropped EXE
  PID:2532
- C:\Windows\System\NnOtfsX.exe
  C:\Windows\System\NnOtfsX.exe
  2⤵
  - Executes dropped EXE
  PID:2556
- C:\Windows\System\YuyHMgY.exe
  C:\Windows\System\YuyHMgY.exe
  2⤵
  - Executes dropped EXE
  PID:2724
- C:\Windows\System\ikUQpTr.exe
  C:\Windows\System\ikUQpTr.exe
  2⤵
  - Executes dropped EXE
  PID:2696
- C:\Windows\System\HdYjcyB.exe
  C:\Windows\System\HdYjcyB.exe
  2⤵
  - Executes dropped EXE
  PID:2440
- C:\Windows\System\oQKMFlz.exe
  C:\Windows\System\oQKMFlz.exe
  2⤵
  - Executes dropped EXE
  PID:2500
- C:\Windows\System\kgPHVth.exe
  C:\Windows\System\kgPHVth.exe
  2⤵
  - Executes dropped EXE
  PID:2944
- C:\Windows\System\EWkzcoT.exe
  C:\Windows\System\EWkzcoT.exe
  2⤵
  - Executes dropped EXE
  PID:2932
- C:\Windows\System\iQAUiwL.exe
  C:\Windows\System\iQAUiwL.exe
  2⤵
  - Executes dropped EXE
  PID:1172
- C:\Windows\System\oraufvN.exe
  C:\Windows\System\oraufvN.exe
  2⤵
  - Executes dropped EXE
  PID:1608
- C:\Windows\System\BtBWZqN.exe
  C:\Windows\System\BtBWZqN.exe
  2⤵
  - Executes dropped EXE
  PID:1600
- C:\Windows\System\dmCsCzg.exe
  C:\Windows\System\dmCsCzg.exe
  2⤵
  - Executes dropped EXE
  PID:1956
- C:\Windows\System\hfCfYnQ.exe
  C:\Windows\System\hfCfYnQ.exe
  2⤵
  - Executes dropped EXE
  PID:1020
- C:\Windows\System\ykfyzSF.exe
  C:\Windows\System\ykfyzSF.exe
  2⤵
  - Executes dropped EXE
  PID:2772
- C:\Windows\System\IJvWyat.exe
  C:\Windows\System\IJvWyat.exe
  2⤵
  - Executes dropped EXE
  PID:2804
- C:\Windows\System\DyPSEeQ.exe
  C:\Windows\System\DyPSEeQ.exe
  2⤵
  - Executes dropped EXE
  PID:1652
- C:\Windows\System\kHecwDA.exe
  C:\Windows\System\kHecwDA.exe
  2⤵
  - Executes dropped EXE
  PID:3028

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\AHsKSUt.exe

Filesize
5.9MB

MD5
a138872c06fb18158e3d4b9b7f903a6a

SHA1
4efc56722d5cc5506dc132f0bf55e32e2eb3ed06

SHA256
bfa09e77fa4c01acf020fcf0911ab6d619a0f101fcd602a2b09ba2f050ca9ec9

SHA512
6e3cd01abb056c041daa2e009b03f6c5b20c3f98ff4301211c52429ed794c8ac7eb4d6776503e18c0f27c7ec0b1036d5c5ea687edbcb408b99cc2f36384ff989

Download Submit
C:\Windows\system\BtBWZqN.exe

Filesize
5.9MB

MD5
466f21aca6ac4420f365409a5d38c693

SHA1
d3ab115feaa242fe32eab24411500675a386ad37

SHA256
075b9027c703d9821bda953226a99e238ef1ff2b1b7c36f4cd174ef4bd6fa481

SHA512
389bf5c6ca8d969d0dd3f0d345a173576c619900e418d1a620f9fca4af3d9ad00c35839fc6223c4624285057f3cdda689aa4505dce6a010fc457ff62ebeb119e

Download Submit
C:\Windows\system\EGpxilP.exe

Filesize
5.9MB

MD5
744b490420f706bfc88a72fcd72c9c94

SHA1
023f8eb34e5f4db517836b680134bb564c155976

SHA256
3e6a291e1112714a2e97a673ce7c51f44088dc31b67f6643168c38dcd1dfbcd8

SHA512
5a44003e0b0a0e6a400b89c8d8efeada01e24f54fa7d0cc2c7304fd3235e9a0e521e5ebeebc18cc02e9ee6dc3612867cb3e144338dafbd26dd3e158445ee36e1

Download Submit
C:\Windows\system\HdYjcyB.exe

Filesize
5.9MB

MD5
e260d4eccad4c73c2629c64422512e2a

SHA1
ab8a7f44b9f61f0e91eb1def1a6d0932328bb28a

SHA256
ceabea035f750a083b82b31c16c80feb9e12e391477c578a1d98e3df10c9211c

SHA512
b4a7917601532f500c41fecbea1451544f7e5e09575a9810df4e677bfa29d2a57fe104618b6edc5fb17f2dc56b44e55d7f79e6961755beaa6620d288a527d136

Download Submit
C:\Windows\system\IJvWyat.exe

Filesize
5.9MB

MD5
63784b8569d0c4eb8c9ba01c34678c32

SHA1
203bc9034acb0e6df94d68058a841a035b5d528f

SHA256
f2ead711ad06590e8fb3a19818dc323aeeec303d6c0f00f3c94327012d3402bd

SHA512
bf0c936e5b2e609fe3437da74ed02eaf766765dbc98e03da3a47ca92f83d6335ac79374b305e200ea200801e08e7273771131585fb2c2fbfd624d9399890ac44

Download Submit
C:\Windows\system\YuyHMgY.exe

Filesize
5.9MB

MD5
b83c2a61ebf6c911971c00460a4de70c

SHA1
252ecb69560408d9242850ea6db28e93b367786d

SHA256
8618ae2525ab52eec44bfc597562b4e107d2d41748c94b8b9e695866a040e57f

SHA512
4a959b0729f5de4ecdf309e895b38a047a037c95ab20867403e0d854e88516266c9d4b368fbebdfc159898e42ee715a20b5843f636aa3284e01a4bbf82829a27

Download Submit
C:\Windows\system\hfCfYnQ.exe

Filesize
5.9MB

MD5
bc5bdfc8816f6fc9474c46d2ff5bfc4e

SHA1
3986062a79c7577716dcac2665a3a53d81d9858a

SHA256
c723faaef4d26354410cf221baaa4b38c45bbe451990186d6f1157e387f9b3c1

SHA512
e6a38c15a904d688172825efece0372f5aaf20d4ff948de2b71df7648757b0f09e59b2bf6b6efd1c27a9ec4bfc64cdc733d9bea2ae3e16f72a1aa34c338512bb

Download Submit
C:\Windows\system\iQAUiwL.exe

Filesize
5.9MB

MD5
a8989f4cc3edfa24f8a013f56c50f3ac

SHA1
f66570238c641061402a7489ec95c50240d635ea

SHA256
41ec121a79966cd53f764a4cafd2cc8cdcd6ef9a091995f9f302bca61566dd67

SHA512
75eb4cf13d2829717f418ab8637f6eaeacc45bb013e864991c0df6429fb24e38015e2f9cc50cea9bf43b33b74e0a2c0f4eabcb1c294098a1b2a7c8f46c748f19

Download Submit
C:\Windows\system\ikUQpTr.exe

Filesize
5.9MB

MD5
cdd417b69dc9f02981fabeb2d180ebd5

SHA1
df3c48768cc2a6d161f703814dfdd7decb18750f

SHA256
41c5e0dd4268bd14271500886ed2e8992612ac14f09d59959cfe072ba75d01c8

SHA512
c6ecd5d60a63bad05f9d1652b1fa7194093a8834fc29d1a98cb275395dcf821c66d6e412b983b3fb18d681b520b0bf3f6b170cf12a66f87f923c86bf05ffb584

Download Submit
C:\Windows\system\kHecwDA.exe

Filesize
5.9MB

MD5
5531b13e2291e16c76e35cdbb2c3f389

SHA1
b0675199447ded90f7455bb26f5e17b2ca3975f3

SHA256
7c658447157153e130eb1b4b0d5dcf20044366ca93737ffbdedc0433a28da313

SHA512
9f7781853778dc563db9163c013088bce426f3cebfce9fa492d1e00de734c1f61bb6e191fc56fcb0437c8d2995a50d03ed183b4f30d6a34cf9fed49d003ad6c1

Download Submit
C:\Windows\system\kgPHVth.exe

Filesize
5.9MB

MD5
11a104f3537776808c0c4873d2dd7fec

SHA1
f56a1f76a171c3083c4eadff15c72790d7a2e90f

SHA256
afadb37663b11238b195c808b857078f66915ab1015ec1d65bed4c8d560d9d85

SHA512
1d8443858a4fd5b64e227ad66bcef1118a1f938e4792a62a1b30441df1cf35d4e912b3638ff8c32020cb5f45c497de9db7ad394efa4758b73dd67a7a783b9be6

Download Submit
C:\Windows\system\koCsriB.exe

Filesize
5.9MB

MD5
13cd0ef3df0204611e091bc3c51f15a7

SHA1
c128c1b801bf66e3196dbdf67faa6093dbaf89ee

SHA256
4f2f7a5cad111b0e4daf04330d04bddb3efa13e49ca0329a199ad3e0b1ca62e3

SHA512
ec9ec72db8058ce3d5ea396ae9bc4474372cff1cc0ac1ed525b41ce7e8a9603d19747b2fb757a552b7fe27919a5be3784ab016953f4a15e7d43f5fb88c725451

Download Submit
C:\Windows\system\oQKMFlz.exe

Filesize
5.9MB

MD5
537cd84cc64d38ad2eee9f0cb185cbc0

SHA1
555d507ab6b0bb51eb157faff71e572450d556ee

SHA256
60226d804d22363e912953e125b70b124bc6bb35e9190a672a6fe5a2ba688b99

SHA512
964656bf30cc21f6d3a6ef381ec53ad24d14cd9bea9b042ce31772d1cb39b22c5bee15f2f053fa7d59b7eddcdf3ae582df27ba64192e873295a34c930bcb8ea1

Download Submit
C:\Windows\system\oraufvN.exe

Filesize
5.9MB

MD5
7ab3bb9e2cd7c44d4b02ac101f870e8f

SHA1
510653d16fd22e673e2602d14f98a2f2ff9cfcb3

SHA256
79de274749348b3b9b4f777d30cd32a7b6f9b353be6624e8661fead1c621070f

SHA512
629a3932e7882b180116a9c1d4cefdfecef7b31fc5c802aadbd29e73a8d81d31b67b742e39003507fc9bdcc686ce49a2ab46f66b108c6bfa8b9ad1075cd19f5e

Download Submit
\Windows\system\DyPSEeQ.exe

Filesize
5.9MB

MD5
962616e357316c77f2fb6aae6bd98ce1

SHA1
87967f04ea7c49141ae8a280ae60df44dd22ef70

SHA256
98110adbac71eb161dc153bd651e3c9f493119958bcdebcdf596e37b2017e2b1

SHA512
8abc42c108a7ed25f569e0d3da795b800b6585807312f8097495818244fc98258df8fab02593b949a493fe527626e39514235edc92464846c989290545902ac7

Download Submit
\Windows\system\EWkzcoT.exe

Filesize
5.9MB

MD5
ff79d6c600fdf21151a0bccb94595ea1

SHA1
6841c205e518f95c9c4ec238e5a0e4fde2a4d653

SHA256
02b8a1ddc3f5fefd0320903c58ea86e1c9d4cf1c75452d2023ed7079c97f410b

SHA512
c910e463d4dc24b656eaed5218bf23d122aaaf8c460b4a478b73db245d1e6421a229ac2f5034f0da1b8d4a398a39796c667ffd9d8740b5c5c03bdfcc26e2a261

Download Submit
\Windows\system\NnOtfsX.exe

Filesize
5.9MB

MD5
2a214ecf36bc56e603281d6c76c85ad7

SHA1
5c405b5518594bee65062eb611c1b355756ea4db

SHA256
55a9e8bd876e3c8cf86e18933acb60fb03ec24ceeb08b25bb43b94f4464e315b

SHA512
619a3d44920770fa67dc24c4362f990bdceadd9c26174324aeba03c0e6701c50e6f12799ab2686883f4d6624e61220a4a71c257ed2739a62032c73248a2321bd

Download Submit
\Windows\system\VgdJEkC.exe

Filesize
5.9MB

MD5
e3d7c899e0e1e9477f08b22c271bf0a8

SHA1
96797c17bd25fc87758894eef270df50af8ef260

SHA256
e16a97890645f23f9a83b923234549285ea31e5d3715ebd3702c60b32ef0580b

SHA512
96763974b6e7fe5edcec366b21880fbf180d94d17879e3254a7d6420839ee79f0039839382db4ec9400dc4b18b50c292b98757a207414a1c9781a3da31b22ff1

Download Submit
\Windows\system\chamMZB.exe

Filesize
5.9MB

MD5
568b1f10bce99abcddaf28c5835aecb4

SHA1
20e9a1c39119b4581ecae6435b575346a50ce683

SHA256
ed1c44b293b0cb9150a2b39fd9ab290b4d393b261720e9360a7872a9ff2468ab

SHA512
d1024e6be388e19d014d4a713a359af52b9557d5712de8d07cc9d14153c3faee8f90a8cc04f89e6ae0736579b4ddc29716adb740c97123bd6600c8872161a029

Download Submit
\Windows\system\dmCsCzg.exe

Filesize
5.9MB

MD5
6cc8b4b934d8f8b742c54299f5cb15f7

SHA1
458c02f55f797a5a0106489a65a876300d3fa8f3

SHA256
1fc8cf23efbd0b13b84717a78eaeab1776a84a320c816536a1aa815d05965c82

SHA512
f00c45e24779b7071276e64d7b0629e63d6f43568ba1d29c7b252103eea0cf9715a7b0f8002b758b005d67a39e0521770a05e12904d3fb76d50de17e7e24ac88

Download Submit
\Windows\system\ykfyzSF.exe

Filesize
5.9MB

MD5
96c07f93ba82c151d517111d32b45378

SHA1
d0b54536a2d52078e04cf18cbdec5218153c2b5c

SHA256
3c9170d342ce183249d7655ab188672912a23451f076b7a4cc8ac6da2c44ab9c

SHA512
c53c4dc5c0ead7937150514b0e1d93d7b58efe45236098813eebbe6959f3235b0d7ce5fa0ebc7bf02dd99e3ac2931064309bf5cf67034a1faa53112421b9b0eb

Download Submit
memory/1172-145-0x000000013F9C0000-0x000000013FD14000-memory.dmp

Filesize
3.3MB

Download
memory/1172-114-0x000000013F9C0000-0x000000013FD14000-memory.dmp

Filesize
3.3MB

Download
memory/1600-146-0x000000013F3F0000-0x000000013F744000-memory.dmp

Filesize
3.3MB

Download
memory/1600-118-0x000000013F3F0000-0x000000013F744000-memory.dmp

Filesize
3.3MB

Download
memory/1704-103-0x00000000023A0000-0x00000000026F4000-memory.dmp

Filesize
3.3MB

Download
memory/1704-107-0x00000000023A0000-0x00000000026F4000-memory.dmp

Filesize
3.3MB

Download
memory/1704-115-0x00000000023A0000-0x00000000026F4000-memory.dmp

Filesize
3.3MB

Download
memory/1704-119-0x000000013F1A0000-0x000000013F4F4000-memory.dmp

Filesize
3.3MB

Download
memory/1704-113-0x00000000023A0000-0x00000000026F4000-memory.dmp

Filesize
3.3MB

Download
memory/1704-112-0x00000000023A0000-0x00000000026F4000-memory.dmp

Filesize
3.3MB

Download
memory/1704-111-0x000000013F110000-0x000000013F464000-memory.dmp

Filesize
3.3MB

Download
memory/1704-135-0x000000013F280000-0x000000013F5D4000-memory.dmp

Filesize
3.3MB

Download
memory/1704-108-0x000000013FFF0000-0x0000000140344000-memory.dmp

Filesize
3.3MB

Download
memory/1704-98-0x00000000023A0000-0x00000000026F4000-memory.dmp

Filesize
3.3MB

Download
memory/1704-134-0x000000013F740000-0x000000013FA94000-memory.dmp

Filesize
3.3MB

Download
memory/1704-105-0x000000013F2D0000-0x000000013F624000-memory.dmp

Filesize
3.3MB

Download
memory/1704-1-0x00000000001F0000-0x0000000000200000-memory.dmp

Filesize
64KB

Download
memory/1704-38-0x000000013F280000-0x000000013F5D4000-memory.dmp

Filesize
3.3MB

Download
memory/1704-102-0x00000000023A0000-0x00000000026F4000-memory.dmp

Filesize
3.3MB

Download
memory/1704-117-0x00000000023A0000-0x00000000026F4000-memory.dmp

Filesize
3.3MB

Download
memory/1704-100-0x00000000023A0000-0x00000000026F4000-memory.dmp

Filesize
3.3MB

Download
memory/1704-0-0x000000013F740000-0x000000013FA94000-memory.dmp

Filesize
3.3MB

Download
memory/2032-121-0x000000013FCA0000-0x000000013FFF4000-memory.dmp

Filesize
3.3MB

Download
memory/2032-136-0x000000013FCA0000-0x000000013FFF4000-memory.dmp

Filesize
3.3MB

Download
memory/2264-61-0x000000013F280000-0x000000013F5D4000-memory.dmp

Filesize
3.3MB

Download
memory/2264-138-0x000000013F280000-0x000000013F5D4000-memory.dmp

Filesize
3.3MB

Download
memory/2440-143-0x000000013FFF0000-0x0000000140344000-memory.dmp

Filesize
3.3MB

Download
memory/2440-109-0x000000013FFF0000-0x0000000140344000-memory.dmp

Filesize
3.3MB

Download
memory/2500-120-0x000000013FB90000-0x000000013FEE4000-memory.dmp

Filesize
3.3MB

Download
memory/2500-148-0x000000013FB90000-0x000000013FEE4000-memory.dmp

Filesize
3.3MB

Download
memory/2532-122-0x000000013F480000-0x000000013F7D4000-memory.dmp

Filesize
3.3MB

Download
memory/2532-139-0x000000013F480000-0x000000013F7D4000-memory.dmp

Filesize
3.3MB

Download
memory/2556-104-0x000000013F9F0000-0x000000013FD44000-memory.dmp

Filesize
3.3MB

Download
memory/2556-140-0x000000013F9F0000-0x000000013FD44000-memory.dmp

Filesize
3.3MB

Download
memory/2620-101-0x000000013F700000-0x000000013FA54000-memory.dmp

Filesize
3.3MB

Download
memory/2620-142-0x000000013F700000-0x000000013FA54000-memory.dmp

Filesize
3.3MB

Download
memory/2632-99-0x000000013F800000-0x000000013FB54000-memory.dmp

Filesize
3.3MB

Download
memory/2632-137-0x000000013F800000-0x000000013FB54000-memory.dmp

Filesize
3.3MB

Download
memory/2696-116-0x000000013F4A0000-0x000000013F7F4000-memory.dmp

Filesize
3.3MB

Download
memory/2696-147-0x000000013F4A0000-0x000000013F7F4000-memory.dmp

Filesize
3.3MB

Download
memory/2724-141-0x000000013F2D0000-0x000000013F624000-memory.dmp

Filesize
3.3MB

Download
memory/2724-106-0x000000013F2D0000-0x000000013F624000-memory.dmp

Filesize
3.3MB

Download
memory/2944-144-0x000000013F110000-0x000000013F464000-memory.dmp

Filesize
3.3MB

Download
memory/2944-123-0x000000013F110000-0x000000013F464000-memory.dmp

Filesize
3.3MB

Download