cobaltstrike | ec6a7e7199b886763c8cd0e06570dfd130b8a80087d2d76ed9590b3209f2b1ec

Analysis

max time kernel
134s
max time network
143s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
01-06-2024 08:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-01_b1ad8f3ab7a101dbeea8736cb7eafb6c_cobalt-strike_cobaltstrike.exe
Size

5.9MB
MD5

b1ad8f3ab7a101dbeea8736cb7eafb6c
SHA1

28893da12138d6ccb76894530f91c23d155ad896
SHA256

ec6a7e7199b886763c8cd0e06570dfd130b8a80087d2d76ed9590b3209f2b1ec
SHA512

e82f9f64d8794ffb93bb6758f3cbc0ebbfecb638c32e9a5e223fac2c6d253502f5aeb6c14ef117cacbbe492b1ca1cb03a732c0669a4ffd9e32b3761f322d956e
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUG:Q+856utgpPF8u/7G

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x000c000000015c4c-3.dat	cobalt_reflective_dll
behavioral1/files/0x0033000000015cb0-7.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015d0c-16.dat	cobalt_reflective_dll
behavioral1/files/0x0009000000015e09-31.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016c8c-42.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016cf5-54.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d1f-74.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d36-82.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d3a-86.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d32-78.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d16-70.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d0e-66.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d05-62.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016cfd-58.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016ce4-50.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016cb2-46.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016c42-38.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000015e6d-34.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015d44-26.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015d24-23.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000015ce3-15.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

resource	yara_rule
behavioral1/files/0x000c000000015c4c-3.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0033000000015cb0-7.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000015d0c-16.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0009000000015e09-31.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016c8c-42.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016cf5-54.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d1f-74.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d36-82.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d3a-86.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d32-78.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d16-70.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d0e-66.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d05-62.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016cfd-58.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016ce4-50.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016cb2-46.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016c42-38.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0008000000015e6d-34.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000015d44-26.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000015d24-23.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0008000000015ce3-15.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 52 IoCs

resource	yara_rule
behavioral1/memory/2836-1-0x000000013F9E0000-0x000000013FD34000-memory.dmp	UPX
behavioral1/files/0x000c000000015c4c-3.dat	UPX
behavioral1/files/0x0033000000015cb0-7.dat	UPX
behavioral1/files/0x0007000000015d0c-16.dat	UPX
behavioral1/files/0x0009000000015e09-31.dat	UPX
behavioral1/files/0x0006000000016c8c-42.dat	UPX
behavioral1/files/0x0006000000016cf5-54.dat	UPX
behavioral1/files/0x0006000000016d1f-74.dat	UPX
behavioral1/files/0x0006000000016d36-82.dat	UPX
behavioral1/files/0x0006000000016d3a-86.dat	UPX
behavioral1/files/0x0006000000016d32-78.dat	UPX
behavioral1/files/0x0006000000016d16-70.dat	UPX
behavioral1/files/0x0006000000016d0e-66.dat	UPX
behavioral1/files/0x0006000000016d05-62.dat	UPX
behavioral1/files/0x0006000000016cfd-58.dat	UPX
behavioral1/files/0x0006000000016ce4-50.dat	UPX
behavioral1/files/0x0006000000016cb2-46.dat	UPX
behavioral1/memory/2956-111-0x000000013FFE0000-0x0000000140334000-memory.dmp	UPX
behavioral1/memory/1564-109-0x000000013FBA0000-0x000000013FEF4000-memory.dmp	UPX
behavioral1/memory/2540-88-0x000000013F960000-0x000000013FCB4000-memory.dmp	UPX
behavioral1/memory/2484-113-0x000000013F330000-0x000000013F684000-memory.dmp	UPX
behavioral1/memory/2480-117-0x000000013F5D0000-0x000000013F924000-memory.dmp	UPX
behavioral1/memory/2768-120-0x000000013FE00000-0x0000000140154000-memory.dmp	UPX
behavioral1/memory/2460-118-0x000000013F700000-0x000000013FA54000-memory.dmp	UPX
behavioral1/memory/2556-115-0x000000013F8A0000-0x000000013FBF4000-memory.dmp	UPX
behavioral1/files/0x0006000000016c42-38.dat	UPX
behavioral1/files/0x0008000000015e6d-34.dat	UPX
behavioral1/files/0x0007000000015d44-26.dat	UPX
behavioral1/files/0x0007000000015d24-23.dat	UPX
behavioral1/files/0x0008000000015ce3-15.dat	UPX
behavioral1/memory/2916-124-0x000000013F4D0000-0x000000013F824000-memory.dmp	UPX
behavioral1/memory/2364-122-0x000000013FDE0000-0x0000000140134000-memory.dmp	UPX
behavioral1/memory/2500-125-0x000000013FBF0000-0x000000013FF44000-memory.dmp	UPX
behavioral1/memory/1652-127-0x000000013FFB0000-0x0000000140304000-memory.dmp	UPX
behavioral1/memory/2344-129-0x000000013F350000-0x000000013F6A4000-memory.dmp	UPX
behavioral1/memory/2112-130-0x000000013F820000-0x000000013FB74000-memory.dmp	UPX
behavioral1/memory/2836-131-0x000000013F9E0000-0x000000013FD34000-memory.dmp	UPX
behavioral1/memory/1564-132-0x000000013FBA0000-0x000000013FEF4000-memory.dmp	UPX
behavioral1/memory/2540-134-0x000000013F960000-0x000000013FCB4000-memory.dmp	UPX
behavioral1/memory/2556-135-0x000000013F8A0000-0x000000013FBF4000-memory.dmp	UPX
behavioral1/memory/2112-145-0x000000013F820000-0x000000013FB74000-memory.dmp	UPX
behavioral1/memory/1652-144-0x000000013FFB0000-0x0000000140304000-memory.dmp	UPX
behavioral1/memory/2484-143-0x000000013F330000-0x000000013F684000-memory.dmp	UPX
behavioral1/memory/2768-142-0x000000013FE00000-0x0000000140154000-memory.dmp	UPX
behavioral1/memory/1564-141-0x000000013FBA0000-0x000000013FEF4000-memory.dmp	UPX
behavioral1/memory/2344-140-0x000000013F350000-0x000000013F6A4000-memory.dmp	UPX
behavioral1/memory/2364-139-0x000000013FDE0000-0x0000000140134000-memory.dmp	UPX
behavioral1/memory/2500-138-0x000000013FBF0000-0x000000013FF44000-memory.dmp	UPX
behavioral1/memory/2460-137-0x000000013F700000-0x000000013FA54000-memory.dmp	UPX
behavioral1/memory/2956-136-0x000000013FFE0000-0x0000000140334000-memory.dmp	UPX
behavioral1/memory/2916-146-0x000000013F4D0000-0x000000013F824000-memory.dmp	UPX
behavioral1/memory/2480-147-0x000000013F5D0000-0x000000013F924000-memory.dmp	UPX

XMRig Miner payload 53 IoCs

miner

resource	yara_rule
behavioral1/memory/2836-1-0x000000013F9E0000-0x000000013FD34000-memory.dmp	xmrig
behavioral1/files/0x000c000000015c4c-3.dat	xmrig
behavioral1/files/0x0033000000015cb0-7.dat	xmrig
behavioral1/files/0x0007000000015d0c-16.dat	xmrig
behavioral1/files/0x0009000000015e09-31.dat	xmrig
behavioral1/files/0x0006000000016c8c-42.dat	xmrig
behavioral1/files/0x0006000000016cf5-54.dat	xmrig
behavioral1/files/0x0006000000016d1f-74.dat	xmrig
behavioral1/files/0x0006000000016d36-82.dat	xmrig
behavioral1/files/0x0006000000016d3a-86.dat	xmrig
behavioral1/files/0x0006000000016d32-78.dat	xmrig
behavioral1/files/0x0006000000016d16-70.dat	xmrig
behavioral1/files/0x0006000000016d0e-66.dat	xmrig
behavioral1/files/0x0006000000016d05-62.dat	xmrig
behavioral1/files/0x0006000000016cfd-58.dat	xmrig
behavioral1/files/0x0006000000016ce4-50.dat	xmrig
behavioral1/files/0x0006000000016cb2-46.dat	xmrig
behavioral1/memory/2956-111-0x000000013FFE0000-0x0000000140334000-memory.dmp	xmrig
behavioral1/memory/1564-109-0x000000013FBA0000-0x000000013FEF4000-memory.dmp	xmrig
behavioral1/memory/2540-88-0x000000013F960000-0x000000013FCB4000-memory.dmp	xmrig
behavioral1/memory/2484-113-0x000000013F330000-0x000000013F684000-memory.dmp	xmrig
behavioral1/memory/2480-117-0x000000013F5D0000-0x000000013F924000-memory.dmp	xmrig
behavioral1/memory/2768-120-0x000000013FE00000-0x0000000140154000-memory.dmp	xmrig
behavioral1/memory/2836-121-0x000000013FDE0000-0x0000000140134000-memory.dmp	xmrig
behavioral1/memory/2460-118-0x000000013F700000-0x000000013FA54000-memory.dmp	xmrig
behavioral1/memory/2556-115-0x000000013F8A0000-0x000000013FBF4000-memory.dmp	xmrig
behavioral1/files/0x0006000000016c42-38.dat	xmrig
behavioral1/files/0x0008000000015e6d-34.dat	xmrig
behavioral1/files/0x0007000000015d44-26.dat	xmrig
behavioral1/files/0x0007000000015d24-23.dat	xmrig
behavioral1/files/0x0008000000015ce3-15.dat	xmrig
behavioral1/memory/2916-124-0x000000013F4D0000-0x000000013F824000-memory.dmp	xmrig
behavioral1/memory/2364-122-0x000000013FDE0000-0x0000000140134000-memory.dmp	xmrig
behavioral1/memory/2500-125-0x000000013FBF0000-0x000000013FF44000-memory.dmp	xmrig
behavioral1/memory/1652-127-0x000000013FFB0000-0x0000000140304000-memory.dmp	xmrig
behavioral1/memory/2344-129-0x000000013F350000-0x000000013F6A4000-memory.dmp	xmrig
behavioral1/memory/2112-130-0x000000013F820000-0x000000013FB74000-memory.dmp	xmrig
behavioral1/memory/2836-131-0x000000013F9E0000-0x000000013FD34000-memory.dmp	xmrig
behavioral1/memory/1564-132-0x000000013FBA0000-0x000000013FEF4000-memory.dmp	xmrig
behavioral1/memory/2540-134-0x000000013F960000-0x000000013FCB4000-memory.dmp	xmrig
behavioral1/memory/2556-135-0x000000013F8A0000-0x000000013FBF4000-memory.dmp	xmrig
behavioral1/memory/2112-145-0x000000013F820000-0x000000013FB74000-memory.dmp	xmrig
behavioral1/memory/1652-144-0x000000013FFB0000-0x0000000140304000-memory.dmp	xmrig
behavioral1/memory/2484-143-0x000000013F330000-0x000000013F684000-memory.dmp	xmrig
behavioral1/memory/2768-142-0x000000013FE00000-0x0000000140154000-memory.dmp	xmrig
behavioral1/memory/1564-141-0x000000013FBA0000-0x000000013FEF4000-memory.dmp	xmrig
behavioral1/memory/2344-140-0x000000013F350000-0x000000013F6A4000-memory.dmp	xmrig
behavioral1/memory/2364-139-0x000000013FDE0000-0x0000000140134000-memory.dmp	xmrig
behavioral1/memory/2500-138-0x000000013FBF0000-0x000000013FF44000-memory.dmp	xmrig
behavioral1/memory/2460-137-0x000000013F700000-0x000000013FA54000-memory.dmp	xmrig
behavioral1/memory/2956-136-0x000000013FFE0000-0x0000000140334000-memory.dmp	xmrig
behavioral1/memory/2916-146-0x000000013F4D0000-0x000000013F824000-memory.dmp	xmrig
behavioral1/memory/2480-147-0x000000013F5D0000-0x000000013F924000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2540	KNOxXVc.exe
1564	wavHHHM.exe
2956	DSTgAEz.exe
2484	wfrBUgn.exe
2556	eRlnBGQ.exe
2480	EHCWPQv.exe
2460	cQnBNyW.exe
2768	pjZtzXI.exe
2364	KvNAnrg.exe
2916	bpXsRDF.exe
2500	wNVtzjX.exe
1652	uyYdzjF.exe
2344	AMdaUlN.exe
2112	rhPYTBR.exe
2848	kAmYZie.exe
1420	KQNqVmZ.exe
332	CEcfktf.exe
2652	VPKrpnB.exe
2704	nkcaEmb.exe
2716	PcNIFdT.exe
2732	kfGazVB.exe

Loads dropped DLL 21 IoCs

pid	Process
2836	2024-06-01_b1ad8f3ab7a101dbeea8736cb7eafb6c_cobalt-strike_cobaltstrike.exe
2836	2024-06-01_b1ad8f3ab7a101dbeea8736cb7eafb6c_cobalt-strike_cobaltstrike.exe
2836	2024-06-01_b1ad8f3ab7a101dbeea8736cb7eafb6c_cobalt-strike_cobaltstrike.exe
2836	2024-06-01_b1ad8f3ab7a101dbeea8736cb7eafb6c_cobalt-strike_cobaltstrike.exe
2836	2024-06-01_b1ad8f3ab7a101dbeea8736cb7eafb6c_cobalt-strike_cobaltstrike.exe
2836	2024-06-01_b1ad8f3ab7a101dbeea8736cb7eafb6c_cobalt-strike_cobaltstrike.exe
2836	2024-06-01_b1ad8f3ab7a101dbeea8736cb7eafb6c_cobalt-strike_cobaltstrike.exe
2836	2024-06-01_b1ad8f3ab7a101dbeea8736cb7eafb6c_cobalt-strike_cobaltstrike.exe
2836	2024-06-01_b1ad8f3ab7a101dbeea8736cb7eafb6c_cobalt-strike_cobaltstrike.exe
2836	2024-06-01_b1ad8f3ab7a101dbeea8736cb7eafb6c_cobalt-strike_cobaltstrike.exe
2836	2024-06-01_b1ad8f3ab7a101dbeea8736cb7eafb6c_cobalt-strike_cobaltstrike.exe
2836	2024-06-01_b1ad8f3ab7a101dbeea8736cb7eafb6c_cobalt-strike_cobaltstrike.exe
2836	2024-06-01_b1ad8f3ab7a101dbeea8736cb7eafb6c_cobalt-strike_cobaltstrike.exe
2836	2024-06-01_b1ad8f3ab7a101dbeea8736cb7eafb6c_cobalt-strike_cobaltstrike.exe
2836	2024-06-01_b1ad8f3ab7a101dbeea8736cb7eafb6c_cobalt-strike_cobaltstrike.exe
2836	2024-06-01_b1ad8f3ab7a101dbeea8736cb7eafb6c_cobalt-strike_cobaltstrike.exe
2836	2024-06-01_b1ad8f3ab7a101dbeea8736cb7eafb6c_cobalt-strike_cobaltstrike.exe
2836	2024-06-01_b1ad8f3ab7a101dbeea8736cb7eafb6c_cobalt-strike_cobaltstrike.exe
2836	2024-06-01_b1ad8f3ab7a101dbeea8736cb7eafb6c_cobalt-strike_cobaltstrike.exe
2836	2024-06-01_b1ad8f3ab7a101dbeea8736cb7eafb6c_cobalt-strike_cobaltstrike.exe
2836	2024-06-01_b1ad8f3ab7a101dbeea8736cb7eafb6c_cobalt-strike_cobaltstrike.exe

UPX packed file 52 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2836-1-0x000000013F9E0000-0x000000013FD34000-memory.dmp	upx
behavioral1/files/0x000c000000015c4c-3.dat	upx
behavioral1/files/0x0033000000015cb0-7.dat	upx
behavioral1/files/0x0007000000015d0c-16.dat	upx
behavioral1/files/0x0009000000015e09-31.dat	upx
behavioral1/files/0x0006000000016c8c-42.dat	upx
behavioral1/files/0x0006000000016cf5-54.dat	upx
behavioral1/files/0x0006000000016d1f-74.dat	upx
behavioral1/files/0x0006000000016d36-82.dat	upx
behavioral1/files/0x0006000000016d3a-86.dat	upx
behavioral1/files/0x0006000000016d32-78.dat	upx
behavioral1/files/0x0006000000016d16-70.dat	upx
behavioral1/files/0x0006000000016d0e-66.dat	upx
behavioral1/files/0x0006000000016d05-62.dat	upx
behavioral1/files/0x0006000000016cfd-58.dat	upx
behavioral1/files/0x0006000000016ce4-50.dat	upx
behavioral1/files/0x0006000000016cb2-46.dat	upx
behavioral1/memory/2956-111-0x000000013FFE0000-0x0000000140334000-memory.dmp	upx
behavioral1/memory/1564-109-0x000000013FBA0000-0x000000013FEF4000-memory.dmp	upx
behavioral1/memory/2540-88-0x000000013F960000-0x000000013FCB4000-memory.dmp	upx
behavioral1/memory/2484-113-0x000000013F330000-0x000000013F684000-memory.dmp	upx
behavioral1/memory/2480-117-0x000000013F5D0000-0x000000013F924000-memory.dmp	upx
behavioral1/memory/2768-120-0x000000013FE00000-0x0000000140154000-memory.dmp	upx
behavioral1/memory/2460-118-0x000000013F700000-0x000000013FA54000-memory.dmp	upx
behavioral1/memory/2556-115-0x000000013F8A0000-0x000000013FBF4000-memory.dmp	upx
behavioral1/files/0x0006000000016c42-38.dat	upx
behavioral1/files/0x0008000000015e6d-34.dat	upx
behavioral1/files/0x0007000000015d44-26.dat	upx
behavioral1/files/0x0007000000015d24-23.dat	upx
behavioral1/files/0x0008000000015ce3-15.dat	upx
behavioral1/memory/2916-124-0x000000013F4D0000-0x000000013F824000-memory.dmp	upx
behavioral1/memory/2364-122-0x000000013FDE0000-0x0000000140134000-memory.dmp	upx
behavioral1/memory/2500-125-0x000000013FBF0000-0x000000013FF44000-memory.dmp	upx
behavioral1/memory/1652-127-0x000000013FFB0000-0x0000000140304000-memory.dmp	upx
behavioral1/memory/2344-129-0x000000013F350000-0x000000013F6A4000-memory.dmp	upx
behavioral1/memory/2112-130-0x000000013F820000-0x000000013FB74000-memory.dmp	upx
behavioral1/memory/2836-131-0x000000013F9E0000-0x000000013FD34000-memory.dmp	upx
behavioral1/memory/1564-132-0x000000013FBA0000-0x000000013FEF4000-memory.dmp	upx
behavioral1/memory/2540-134-0x000000013F960000-0x000000013FCB4000-memory.dmp	upx
behavioral1/memory/2556-135-0x000000013F8A0000-0x000000013FBF4000-memory.dmp	upx
behavioral1/memory/2112-145-0x000000013F820000-0x000000013FB74000-memory.dmp	upx
behavioral1/memory/1652-144-0x000000013FFB0000-0x0000000140304000-memory.dmp	upx
behavioral1/memory/2484-143-0x000000013F330000-0x000000013F684000-memory.dmp	upx
behavioral1/memory/2768-142-0x000000013FE00000-0x0000000140154000-memory.dmp	upx
behavioral1/memory/1564-141-0x000000013FBA0000-0x000000013FEF4000-memory.dmp	upx
behavioral1/memory/2344-140-0x000000013F350000-0x000000013F6A4000-memory.dmp	upx
behavioral1/memory/2364-139-0x000000013FDE0000-0x0000000140134000-memory.dmp	upx
behavioral1/memory/2500-138-0x000000013FBF0000-0x000000013FF44000-memory.dmp	upx
behavioral1/memory/2460-137-0x000000013F700000-0x000000013FA54000-memory.dmp	upx
behavioral1/memory/2956-136-0x000000013FFE0000-0x0000000140334000-memory.dmp	upx
behavioral1/memory/2916-146-0x000000013F4D0000-0x000000013F824000-memory.dmp	upx
behavioral1/memory/2480-147-0x000000013F5D0000-0x000000013F924000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\cQnBNyW.exe	2024-06-01_b1ad8f3ab7a101dbeea8736cb7eafb6c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\KQNqVmZ.exe	2024-06-01_b1ad8f3ab7a101dbeea8736cb7eafb6c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\EHCWPQv.exe	2024-06-01_b1ad8f3ab7a101dbeea8736cb7eafb6c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\wNVtzjX.exe	2024-06-01_b1ad8f3ab7a101dbeea8736cb7eafb6c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\uyYdzjF.exe	2024-06-01_b1ad8f3ab7a101dbeea8736cb7eafb6c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\VPKrpnB.exe	2024-06-01_b1ad8f3ab7a101dbeea8736cb7eafb6c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\kfGazVB.exe	2024-06-01_b1ad8f3ab7a101dbeea8736cb7eafb6c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\wavHHHM.exe	2024-06-01_b1ad8f3ab7a101dbeea8736cb7eafb6c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\DSTgAEz.exe	2024-06-01_b1ad8f3ab7a101dbeea8736cb7eafb6c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\eRlnBGQ.exe	2024-06-01_b1ad8f3ab7a101dbeea8736cb7eafb6c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\KvNAnrg.exe	2024-06-01_b1ad8f3ab7a101dbeea8736cb7eafb6c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\bpXsRDF.exe	2024-06-01_b1ad8f3ab7a101dbeea8736cb7eafb6c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\AMdaUlN.exe	2024-06-01_b1ad8f3ab7a101dbeea8736cb7eafb6c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\nkcaEmb.exe	2024-06-01_b1ad8f3ab7a101dbeea8736cb7eafb6c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\KNOxXVc.exe	2024-06-01_b1ad8f3ab7a101dbeea8736cb7eafb6c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\pjZtzXI.exe	2024-06-01_b1ad8f3ab7a101dbeea8736cb7eafb6c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\rhPYTBR.exe	2024-06-01_b1ad8f3ab7a101dbeea8736cb7eafb6c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\kAmYZie.exe	2024-06-01_b1ad8f3ab7a101dbeea8736cb7eafb6c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\CEcfktf.exe	2024-06-01_b1ad8f3ab7a101dbeea8736cb7eafb6c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\PcNIFdT.exe	2024-06-01_b1ad8f3ab7a101dbeea8736cb7eafb6c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\wfrBUgn.exe	2024-06-01_b1ad8f3ab7a101dbeea8736cb7eafb6c_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2836	2024-06-01_b1ad8f3ab7a101dbeea8736cb7eafb6c_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	2836	2024-06-01_b1ad8f3ab7a101dbeea8736cb7eafb6c_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2836 wrote to memory of 2540	2836	2024-06-01_b1ad8f3ab7a101dbeea8736cb7eafb6c_cobalt-strike_cobaltstrike.exe	29
PID 2836 wrote to memory of 2540	2836	2024-06-01_b1ad8f3ab7a101dbeea8736cb7eafb6c_cobalt-strike_cobaltstrike.exe	29
PID 2836 wrote to memory of 2540	2836	2024-06-01_b1ad8f3ab7a101dbeea8736cb7eafb6c_cobalt-strike_cobaltstrike.exe	29
PID 2836 wrote to memory of 1564	2836	2024-06-01_b1ad8f3ab7a101dbeea8736cb7eafb6c_cobalt-strike_cobaltstrike.exe	30
PID 2836 wrote to memory of 1564	2836	2024-06-01_b1ad8f3ab7a101dbeea8736cb7eafb6c_cobalt-strike_cobaltstrike.exe	30
PID 2836 wrote to memory of 1564	2836	2024-06-01_b1ad8f3ab7a101dbeea8736cb7eafb6c_cobalt-strike_cobaltstrike.exe	30
PID 2836 wrote to memory of 2956	2836	2024-06-01_b1ad8f3ab7a101dbeea8736cb7eafb6c_cobalt-strike_cobaltstrike.exe	31
PID 2836 wrote to memory of 2956	2836	2024-06-01_b1ad8f3ab7a101dbeea8736cb7eafb6c_cobalt-strike_cobaltstrike.exe	31
PID 2836 wrote to memory of 2956	2836	2024-06-01_b1ad8f3ab7a101dbeea8736cb7eafb6c_cobalt-strike_cobaltstrike.exe	31
PID 2836 wrote to memory of 2484	2836	2024-06-01_b1ad8f3ab7a101dbeea8736cb7eafb6c_cobalt-strike_cobaltstrike.exe	32
PID 2836 wrote to memory of 2484	2836	2024-06-01_b1ad8f3ab7a101dbeea8736cb7eafb6c_cobalt-strike_cobaltstrike.exe	32
PID 2836 wrote to memory of 2484	2836	2024-06-01_b1ad8f3ab7a101dbeea8736cb7eafb6c_cobalt-strike_cobaltstrike.exe	32
PID 2836 wrote to memory of 2556	2836	2024-06-01_b1ad8f3ab7a101dbeea8736cb7eafb6c_cobalt-strike_cobaltstrike.exe	33
PID 2836 wrote to memory of 2556	2836	2024-06-01_b1ad8f3ab7a101dbeea8736cb7eafb6c_cobalt-strike_cobaltstrike.exe	33
PID 2836 wrote to memory of 2556	2836	2024-06-01_b1ad8f3ab7a101dbeea8736cb7eafb6c_cobalt-strike_cobaltstrike.exe	33
PID 2836 wrote to memory of 2480	2836	2024-06-01_b1ad8f3ab7a101dbeea8736cb7eafb6c_cobalt-strike_cobaltstrike.exe	34
PID 2836 wrote to memory of 2480	2836	2024-06-01_b1ad8f3ab7a101dbeea8736cb7eafb6c_cobalt-strike_cobaltstrike.exe	34
PID 2836 wrote to memory of 2480	2836	2024-06-01_b1ad8f3ab7a101dbeea8736cb7eafb6c_cobalt-strike_cobaltstrike.exe	34
PID 2836 wrote to memory of 2460	2836	2024-06-01_b1ad8f3ab7a101dbeea8736cb7eafb6c_cobalt-strike_cobaltstrike.exe	35
PID 2836 wrote to memory of 2460	2836	2024-06-01_b1ad8f3ab7a101dbeea8736cb7eafb6c_cobalt-strike_cobaltstrike.exe	35
PID 2836 wrote to memory of 2460	2836	2024-06-01_b1ad8f3ab7a101dbeea8736cb7eafb6c_cobalt-strike_cobaltstrike.exe	35
PID 2836 wrote to memory of 2768	2836	2024-06-01_b1ad8f3ab7a101dbeea8736cb7eafb6c_cobalt-strike_cobaltstrike.exe	36
PID 2836 wrote to memory of 2768	2836	2024-06-01_b1ad8f3ab7a101dbeea8736cb7eafb6c_cobalt-strike_cobaltstrike.exe	36
PID 2836 wrote to memory of 2768	2836	2024-06-01_b1ad8f3ab7a101dbeea8736cb7eafb6c_cobalt-strike_cobaltstrike.exe	36
PID 2836 wrote to memory of 2364	2836	2024-06-01_b1ad8f3ab7a101dbeea8736cb7eafb6c_cobalt-strike_cobaltstrike.exe	37
PID 2836 wrote to memory of 2364	2836	2024-06-01_b1ad8f3ab7a101dbeea8736cb7eafb6c_cobalt-strike_cobaltstrike.exe	37
PID 2836 wrote to memory of 2364	2836	2024-06-01_b1ad8f3ab7a101dbeea8736cb7eafb6c_cobalt-strike_cobaltstrike.exe	37
PID 2836 wrote to memory of 2916	2836	2024-06-01_b1ad8f3ab7a101dbeea8736cb7eafb6c_cobalt-strike_cobaltstrike.exe	38
PID 2836 wrote to memory of 2916	2836	2024-06-01_b1ad8f3ab7a101dbeea8736cb7eafb6c_cobalt-strike_cobaltstrike.exe	38
PID 2836 wrote to memory of 2916	2836	2024-06-01_b1ad8f3ab7a101dbeea8736cb7eafb6c_cobalt-strike_cobaltstrike.exe	38
PID 2836 wrote to memory of 2500	2836	2024-06-01_b1ad8f3ab7a101dbeea8736cb7eafb6c_cobalt-strike_cobaltstrike.exe	39
PID 2836 wrote to memory of 2500	2836	2024-06-01_b1ad8f3ab7a101dbeea8736cb7eafb6c_cobalt-strike_cobaltstrike.exe	39
PID 2836 wrote to memory of 2500	2836	2024-06-01_b1ad8f3ab7a101dbeea8736cb7eafb6c_cobalt-strike_cobaltstrike.exe	39
PID 2836 wrote to memory of 1652	2836	2024-06-01_b1ad8f3ab7a101dbeea8736cb7eafb6c_cobalt-strike_cobaltstrike.exe	40
PID 2836 wrote to memory of 1652	2836	2024-06-01_b1ad8f3ab7a101dbeea8736cb7eafb6c_cobalt-strike_cobaltstrike.exe	40
PID 2836 wrote to memory of 1652	2836	2024-06-01_b1ad8f3ab7a101dbeea8736cb7eafb6c_cobalt-strike_cobaltstrike.exe	40
PID 2836 wrote to memory of 2344	2836	2024-06-01_b1ad8f3ab7a101dbeea8736cb7eafb6c_cobalt-strike_cobaltstrike.exe	41
PID 2836 wrote to memory of 2344	2836	2024-06-01_b1ad8f3ab7a101dbeea8736cb7eafb6c_cobalt-strike_cobaltstrike.exe	41
PID 2836 wrote to memory of 2344	2836	2024-06-01_b1ad8f3ab7a101dbeea8736cb7eafb6c_cobalt-strike_cobaltstrike.exe	41
PID 2836 wrote to memory of 2112	2836	2024-06-01_b1ad8f3ab7a101dbeea8736cb7eafb6c_cobalt-strike_cobaltstrike.exe	42
PID 2836 wrote to memory of 2112	2836	2024-06-01_b1ad8f3ab7a101dbeea8736cb7eafb6c_cobalt-strike_cobaltstrike.exe	42
PID 2836 wrote to memory of 2112	2836	2024-06-01_b1ad8f3ab7a101dbeea8736cb7eafb6c_cobalt-strike_cobaltstrike.exe	42
PID 2836 wrote to memory of 2848	2836	2024-06-01_b1ad8f3ab7a101dbeea8736cb7eafb6c_cobalt-strike_cobaltstrike.exe	43
PID 2836 wrote to memory of 2848	2836	2024-06-01_b1ad8f3ab7a101dbeea8736cb7eafb6c_cobalt-strike_cobaltstrike.exe	43
PID 2836 wrote to memory of 2848	2836	2024-06-01_b1ad8f3ab7a101dbeea8736cb7eafb6c_cobalt-strike_cobaltstrike.exe	43
PID 2836 wrote to memory of 1420	2836	2024-06-01_b1ad8f3ab7a101dbeea8736cb7eafb6c_cobalt-strike_cobaltstrike.exe	44
PID 2836 wrote to memory of 1420	2836	2024-06-01_b1ad8f3ab7a101dbeea8736cb7eafb6c_cobalt-strike_cobaltstrike.exe	44
PID 2836 wrote to memory of 1420	2836	2024-06-01_b1ad8f3ab7a101dbeea8736cb7eafb6c_cobalt-strike_cobaltstrike.exe	44
PID 2836 wrote to memory of 332	2836	2024-06-01_b1ad8f3ab7a101dbeea8736cb7eafb6c_cobalt-strike_cobaltstrike.exe	45
PID 2836 wrote to memory of 332	2836	2024-06-01_b1ad8f3ab7a101dbeea8736cb7eafb6c_cobalt-strike_cobaltstrike.exe	45
PID 2836 wrote to memory of 332	2836	2024-06-01_b1ad8f3ab7a101dbeea8736cb7eafb6c_cobalt-strike_cobaltstrike.exe	45
PID 2836 wrote to memory of 2652	2836	2024-06-01_b1ad8f3ab7a101dbeea8736cb7eafb6c_cobalt-strike_cobaltstrike.exe	46
PID 2836 wrote to memory of 2652	2836	2024-06-01_b1ad8f3ab7a101dbeea8736cb7eafb6c_cobalt-strike_cobaltstrike.exe	46
PID 2836 wrote to memory of 2652	2836	2024-06-01_b1ad8f3ab7a101dbeea8736cb7eafb6c_cobalt-strike_cobaltstrike.exe	46
PID 2836 wrote to memory of 2704	2836	2024-06-01_b1ad8f3ab7a101dbeea8736cb7eafb6c_cobalt-strike_cobaltstrike.exe	47
PID 2836 wrote to memory of 2704	2836	2024-06-01_b1ad8f3ab7a101dbeea8736cb7eafb6c_cobalt-strike_cobaltstrike.exe	47
PID 2836 wrote to memory of 2704	2836	2024-06-01_b1ad8f3ab7a101dbeea8736cb7eafb6c_cobalt-strike_cobaltstrike.exe	47
PID 2836 wrote to memory of 2716	2836	2024-06-01_b1ad8f3ab7a101dbeea8736cb7eafb6c_cobalt-strike_cobaltstrike.exe	48
PID 2836 wrote to memory of 2716	2836	2024-06-01_b1ad8f3ab7a101dbeea8736cb7eafb6c_cobalt-strike_cobaltstrike.exe	48
PID 2836 wrote to memory of 2716	2836	2024-06-01_b1ad8f3ab7a101dbeea8736cb7eafb6c_cobalt-strike_cobaltstrike.exe	48
PID 2836 wrote to memory of 2732	2836	2024-06-01_b1ad8f3ab7a101dbeea8736cb7eafb6c_cobalt-strike_cobaltstrike.exe	49
PID 2836 wrote to memory of 2732	2836	2024-06-01_b1ad8f3ab7a101dbeea8736cb7eafb6c_cobalt-strike_cobaltstrike.exe	49
PID 2836 wrote to memory of 2732	2836	2024-06-01_b1ad8f3ab7a101dbeea8736cb7eafb6c_cobalt-strike_cobaltstrike.exe	49

C:\Users\Admin\AppData\Local\Temp\2024-06-01_b1ad8f3ab7a101dbeea8736cb7eafb6c_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_b1ad8f3ab7a101dbeea8736cb7eafb6c_cobalt-strike_cobaltstrike.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2836
- C:\Windows\System\KNOxXVc.exe
  C:\Windows\System\KNOxXVc.exe
  2⤵
  - Executes dropped EXE
  PID:2540
- C:\Windows\System\wavHHHM.exe
  C:\Windows\System\wavHHHM.exe
  2⤵
  - Executes dropped EXE
  PID:1564
- C:\Windows\System\DSTgAEz.exe
  C:\Windows\System\DSTgAEz.exe
  2⤵
  - Executes dropped EXE
  PID:2956
- C:\Windows\System\wfrBUgn.exe
  C:\Windows\System\wfrBUgn.exe
  2⤵
  - Executes dropped EXE
  PID:2484
- C:\Windows\System\eRlnBGQ.exe
  C:\Windows\System\eRlnBGQ.exe
  2⤵
  - Executes dropped EXE
  PID:2556
- C:\Windows\System\EHCWPQv.exe
  C:\Windows\System\EHCWPQv.exe
  2⤵
  - Executes dropped EXE
  PID:2480
- C:\Windows\System\cQnBNyW.exe
  C:\Windows\System\cQnBNyW.exe
  2⤵
  - Executes dropped EXE
  PID:2460
- C:\Windows\System\pjZtzXI.exe
  C:\Windows\System\pjZtzXI.exe
  2⤵
  - Executes dropped EXE
  PID:2768
- C:\Windows\System\KvNAnrg.exe
  C:\Windows\System\KvNAnrg.exe
  2⤵
  - Executes dropped EXE
  PID:2364
- C:\Windows\System\bpXsRDF.exe
  C:\Windows\System\bpXsRDF.exe
  2⤵
  - Executes dropped EXE
  PID:2916
- C:\Windows\System\wNVtzjX.exe
  C:\Windows\System\wNVtzjX.exe
  2⤵
  - Executes dropped EXE
  PID:2500
- C:\Windows\System\uyYdzjF.exe
  C:\Windows\System\uyYdzjF.exe
  2⤵
  - Executes dropped EXE
  PID:1652
- C:\Windows\System\AMdaUlN.exe
  C:\Windows\System\AMdaUlN.exe
  2⤵
  - Executes dropped EXE
  PID:2344
- C:\Windows\System\rhPYTBR.exe
  C:\Windows\System\rhPYTBR.exe
  2⤵
  - Executes dropped EXE
  PID:2112
- C:\Windows\System\kAmYZie.exe
  C:\Windows\System\kAmYZie.exe
  2⤵
  - Executes dropped EXE
  PID:2848
- C:\Windows\System\KQNqVmZ.exe
  C:\Windows\System\KQNqVmZ.exe
  2⤵
  - Executes dropped EXE
  PID:1420
- C:\Windows\System\CEcfktf.exe
  C:\Windows\System\CEcfktf.exe
  2⤵
  - Executes dropped EXE
  PID:332
- C:\Windows\System\VPKrpnB.exe
  C:\Windows\System\VPKrpnB.exe
  2⤵
  - Executes dropped EXE
  PID:2652
- C:\Windows\System\nkcaEmb.exe
  C:\Windows\System\nkcaEmb.exe
  2⤵
  - Executes dropped EXE
  PID:2704
- C:\Windows\System\PcNIFdT.exe
  C:\Windows\System\PcNIFdT.exe
  2⤵
  - Executes dropped EXE
  PID:2716
- C:\Windows\System\kfGazVB.exe
  C:\Windows\System\kfGazVB.exe
  2⤵
  - Executes dropped EXE
  PID:2732

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\AMdaUlN.exe

Filesize
5.9MB

MD5
1ad8e10142ff40f0fd73898145311c53

SHA1
d251e094dbed2b0a977b7dd2632b21c1d1ff8365

SHA256
3faa365a0c37d37b5295895a7886133ba22256ada28896a55b06e56f0ad89306

SHA512
ce3b24c8d03b0c26cb83ffe57f40fff6dca69e04817ece1d0d193a0002b574e9de7ca383f690b6e27ab8a046571b9ea06e4a9a90272266eae7fd276aef1c0a7e

Download Submit
C:\Windows\system\CEcfktf.exe

Filesize
5.9MB

MD5
6ec038fc70abb270d00a143d3de95f4f

SHA1
e8fccb10b74c7ae75d5707c1adbe41d4ca4168f0

SHA256
317e40ff5ed589dcdb4145e43235d5763332a23054ce3accfe7e476880959244

SHA512
cce6de9abdb243bda64c4eb10a93cfe95f7ef176d92187abbb7f415645cb8cd317918a77fcddb01c9d9be47dac213844f1fb528abdf83d7196eca751111f53b0

Download Submit
C:\Windows\system\DSTgAEz.exe

Filesize
5.9MB

MD5
241efc2e23d684a64b1311467ddfdbb0

SHA1
4565b93507cb42cbf866305b321c0a107a41f66f

SHA256
9b197a2990d2398d76511b1e17a673e0902b8ae823b149b2b897fa9cf1d346cb

SHA512
a02d71f8868a712981ae3b7c15a6142a906da2c0581938f2f69af57da6251a5860a862d5c7199bbf0731c5bc0690d3e5b0dc65c2cd4e2e3087ea3fcab1fcf083

Download Submit
C:\Windows\system\EHCWPQv.exe

Filesize
5.9MB

MD5
1ad808b538db96e5f262eaae6aae6301

SHA1
785b2c381a0ca9abfd75f7579ced743e797ead05

SHA256
d8b9429b3ab1531a7477e7c7068bf339bdfcbcf10a26973cc31671e93c77b0da

SHA512
6360aa91c077cfe14ce25279e7e84f1e6bb8f198d7640a97ec2c595057cfd918de2ec6526b74ca024cc9677d564356d5776c8a7ef3058283e782b808d6a3b965

Download Submit
C:\Windows\system\KQNqVmZ.exe

Filesize
5.9MB

MD5
a83dfc730cabef31239edf431370ab4d

SHA1
70eb21935490a227cbc6c0352bb396061b547691

SHA256
3e8802c9550f068f75a23fe50bbf776271d922e33318973da555a100d8ed6990

SHA512
287040085e8e3002df649875205a08315d028835ba003c416d1b5a60fd5eb02a5fab317521bd334f607694348ce6d8725c7e6150233187ab96ba45ab24916501

Download Submit
C:\Windows\system\KvNAnrg.exe

Filesize
5.9MB

MD5
daf98f875f1fdeb526cf917149e68fc1

SHA1
6736c1a3ae58f7e089376d416b2a472561578157

SHA256
acd564756bbb12d69bdad4cbc8d261741e978bd291505a2aa3ea171287de7247

SHA512
cc043da7158f0df2de184003dbec5584decd22725e66bfaea7e72141e625a16f269c42c4a65499ae212ec16f27cbc4ae8a29b773275a2a0aab75100299bf54f7

Download Submit
C:\Windows\system\PcNIFdT.exe

Filesize
5.9MB

MD5
ee2e60536866916c974110550b349702

SHA1
34a0411e47e3c1df458a98aa6f315a1433f7bba4

SHA256
680949a97d92c5e19b1a29986b841327c8f6748b503027d33fee4624d5e4966a

SHA512
3d864082941826e31dead80e4d048ee72b179c6d71a200e34c788ffbab925c303ed57ff594ac7cfbb7f310c994b53e5b6c69d71a8628d461db49f40a7cd58616

Download Submit
C:\Windows\system\VPKrpnB.exe

Filesize
5.9MB

MD5
203a95c9349c2ebe9d6c08e9399b650f

SHA1
05d17ad3b1ca8a61954c94df83e01e467d7dc952

SHA256
09212c28326e05150eba6ef4dedf66ed0d04b6e41ea44a3a2f53d490ebb2b0ea

SHA512
57d32291b0ca393fff1bd0a4981969567a4286aa0421d71d289fd56f44822eb5cfa0db2188e98a9e111a46841c014177c0f64a0e8668f08af352b27f71882ae8

Download Submit
C:\Windows\system\bpXsRDF.exe

Filesize
5.9MB

MD5
6b37e7dac374a18b39cb38884b1d9e76

SHA1
d0f484706cf0512ea7799d11048b3511742e8b67

SHA256
e8a93179d614c01301ca0ec095e5a14351e1453a801a1cc39294dc7660c76201

SHA512
07cd0c72e43909bf9702869521afccf4c8009edd8bfae8d1ad6a59dd27508027e1dd8a5826df24944015298098041203cc6f2d71a53c0b08886c3ef2edb561c3

Download Submit
C:\Windows\system\cQnBNyW.exe

Filesize
5.9MB

MD5
fe89e8b0b3086dabf067d89f2e10ca95

SHA1
670c8a8eb0f98616cc0dff2204181813ddeb90a6

SHA256
23fb6512d337fd2724dc8858d79d3bb49fd9e6a18effa3159d59741bd500e0e2

SHA512
07ad58d5dc928192f764bcad45fea7edcf7e971f557e60ace95be1cc0aa8dadcf2da4f1f07c80c17db5a690ab01d9b1ea2c1f2fa81d59893e617466a4ef182fd

Download Submit
C:\Windows\system\eRlnBGQ.exe

Filesize
5.9MB

MD5
fdc283f9a117e0ee1a4a2fb0f1112d54

SHA1
8596a40f9e192af8cd90c116b7ab1e54448502f3

SHA256
928c3aeed1d42f96d8fbc5c3276692a814c153036bdc7c2b959c2afebbb8d3df

SHA512
32dfaf55f786cad245aef1fbf41df79d56aeef276a579cc3e1da51f8a78a86580d0cd8d0edccd358bd8e177c39eff639d4efa08c2bf24fa27dff179ccc6e20d0

Download Submit
C:\Windows\system\kAmYZie.exe

Filesize
5.9MB

MD5
5bfec3d0e9c90088d1de928124b5bd54

SHA1
e65cfe32a1cecb6258358ce0dbf8b287bcf702fb

SHA256
240ea7df9c45798b038f870db237b84b1ec9243a1fbd5e202bcb64a37dfb1ce9

SHA512
d48e28509bb62dd45751ceeda623aa22bc100d6aa0bdf6bd54378d8202890fb914a4b44b9599dc0cc1d6f9abbbd6f2e8b4b5e0d03a8d1871d6123f66f7e0d406

Download Submit
C:\Windows\system\kfGazVB.exe

Filesize
5.9MB

MD5
d430772508d09afb830336ac99099fb5

SHA1
fa135ee94ccab63dbbec8555f623a6d615a81681

SHA256
26d4bf6ce1a411655adc72e70c84d9183b2af8e1c28edd3d0d87484e4f4a7a96

SHA512
77745c5fa6aaeb15856a40ec64d4aa1942ebd1293b5e62350982b9fcafca069f383d352d9660d2878bb2120752927307f5aa22d432865ae8d44c4883d5fd5c21

Download Submit
C:\Windows\system\nkcaEmb.exe

Filesize
5.9MB

MD5
289bb31f4d344f46c65e7018a70fe15b

SHA1
ac28b2304e59746106a197387e1b1ed3b6a3cbff

SHA256
28b30efb663fbf01a94f94e1c68764e20a694db8d06fc36423eef5f98be8bff2

SHA512
a1fddab388ad87481c3682630aa0c55a35d54939c534d12946959fc93c1ada0bae144f18679cc43c4dd6be2e4cbbe5f14f713183d1f9e7cceb4b1e3e80333f1b

Download Submit
C:\Windows\system\pjZtzXI.exe

Filesize
5.9MB

MD5
129e94a8e6834e141c4875cb19f51144

SHA1
99fbb0f2f0bf353b1a6314c6ddc612d6305f1e61

SHA256
b4167895fcc91c0830523867de64568c8dae90319d193a384cde8fd4c7855d99

SHA512
c56daad34b1ecbf03c20dd64bd689e20f642fc15900a0a9a1dda5301f26176ec4d8e4f47b24938fded2b89184a057757ab1d43ae9405a98e28ced0204dd4ddd6

Download Submit
C:\Windows\system\rhPYTBR.exe

Filesize
5.9MB

MD5
ca5ca002627886362458a30d68f41a8e

SHA1
6baca9efc8d9a228e6e785084bd92c269043570b

SHA256
66aefbb619b05cda3663a382597a658f7c43ec18b748bbb04a982f924946a293

SHA512
d83fe78dabb74431f059b6d4c6da972610e6a5fc5d87348a0a05d9431cac935c9196f30dd4c7c0ac7da7c5293f011635027d9a771b4cc0ddae42d7d6f30bb51a

Download Submit
C:\Windows\system\uyYdzjF.exe

Filesize
5.9MB

MD5
06226d09ab3b4f26502c1dd199eb1ea3

SHA1
7a46ee8ed3cac1c94d48f978dafe74d4adb154a0

SHA256
daf0f741a9b66b3a560e57801e8447907a0821f2d1e3d77a10cae82915f8f0fb

SHA512
f0e117d285af6af2cd879b51e36113a452486ab3d0d66956a4bad40f9890854c62dfd1068784161acc9d3458fa31d6c7e4a36ae441054019dee0b840dfb2972a

Download Submit
C:\Windows\system\wNVtzjX.exe

Filesize
5.9MB

MD5
656e1b2919cc3dccec56b420eaac7161

SHA1
c84e6ea7da8b024843952f81b5699fb218b7e9e5

SHA256
d5123a7daaf51370372fde48f21d1e6490530950be4d3991a764396351054441

SHA512
4babbf60f6d00128a29f7b052484a0b1aafc73d596e54a99c05ae08943f20becea2663110f44b5e919c6259cbdb7a85140be8efb098aebc4886e38931e695636

Download Submit
\Windows\system\KNOxXVc.exe

Filesize
5.9MB

MD5
5b1645d42dd83888a2476a0e323d381c

SHA1
f9270c50bf552fd38d23ea541aed7100e5ff5f41

SHA256
d47db7b7c11c693e97a72d5f0f89332b198e4dce2ae79bd34f06e6a2e1296812

SHA512
7a2ada38fe4c8ba9c56458b17b7388f76aaa651ee7699627c011f269e4fefef19d8614572360a4d889ce3e543e873b44a398703ea7c4cb5639994f7fdbab20be

Download Submit
\Windows\system\wavHHHM.exe

Filesize
5.9MB

MD5
2e1f88b930bc7d8f71911c1c6616a0a2

SHA1
feff66ab8952986a161ebe3823b46926a9b35815

SHA256
e3a26d731eedebfea459ad3dc29fae01bc9e29f90b36189baa56243f0ffe31b5

SHA512
494e362c2c963a4bde79b577b9298034489f2d8b4945f136ecc76ee9135c205510c131b580607330defcec7bdc0192140b7a0dcd3451d3408ae915dc01695619

Download Submit
\Windows\system\wfrBUgn.exe

Filesize
5.9MB

MD5
0724f8e609711d383dcebf3b3a30beab

SHA1
4335e23684b2dacd41b3289b5522ac0e266bd0d4

SHA256
f5c004e7ad69f0e6853f0e6cb7c70d19a65683c1a244fd915dab4901d969e178

SHA512
80063a3f236594bda309f9079c5d0f80c682a16fe40ade41d6b5a5fa3db7aa2f00ef3db0c2dd4300cf91e529310ce663381d66cc961f38db2cbe676b97704649

Download Submit
memory/1564-109-0x000000013FBA0000-0x000000013FEF4000-memory.dmp

Filesize
3.3MB

Download
memory/1564-141-0x000000013FBA0000-0x000000013FEF4000-memory.dmp

Filesize
3.3MB

Download
memory/1564-132-0x000000013FBA0000-0x000000013FEF4000-memory.dmp

Filesize
3.3MB

Download
memory/1652-127-0x000000013FFB0000-0x0000000140304000-memory.dmp

Filesize
3.3MB

Download
memory/1652-144-0x000000013FFB0000-0x0000000140304000-memory.dmp

Filesize
3.3MB

Download
memory/2112-130-0x000000013F820000-0x000000013FB74000-memory.dmp

Filesize
3.3MB

Download
memory/2112-145-0x000000013F820000-0x000000013FB74000-memory.dmp

Filesize
3.3MB

Download
memory/2344-140-0x000000013F350000-0x000000013F6A4000-memory.dmp

Filesize
3.3MB

Download
memory/2344-129-0x000000013F350000-0x000000013F6A4000-memory.dmp

Filesize
3.3MB

Download
memory/2364-122-0x000000013FDE0000-0x0000000140134000-memory.dmp

Filesize
3.3MB

Download
memory/2364-139-0x000000013FDE0000-0x0000000140134000-memory.dmp

Filesize
3.3MB

Download
memory/2460-118-0x000000013F700000-0x000000013FA54000-memory.dmp

Filesize
3.3MB

Download
memory/2460-137-0x000000013F700000-0x000000013FA54000-memory.dmp

Filesize
3.3MB

Download
memory/2480-147-0x000000013F5D0000-0x000000013F924000-memory.dmp

Filesize
3.3MB

Download
memory/2480-117-0x000000013F5D0000-0x000000013F924000-memory.dmp

Filesize
3.3MB

Download
memory/2484-143-0x000000013F330000-0x000000013F684000-memory.dmp

Filesize
3.3MB

Download
memory/2484-113-0x000000013F330000-0x000000013F684000-memory.dmp

Filesize
3.3MB

Download
memory/2500-138-0x000000013FBF0000-0x000000013FF44000-memory.dmp

Filesize
3.3MB

Download
memory/2500-125-0x000000013FBF0000-0x000000013FF44000-memory.dmp

Filesize
3.3MB

Download
memory/2540-88-0x000000013F960000-0x000000013FCB4000-memory.dmp

Filesize
3.3MB

Download
memory/2540-134-0x000000013F960000-0x000000013FCB4000-memory.dmp

Filesize
3.3MB

Download
memory/2556-115-0x000000013F8A0000-0x000000013FBF4000-memory.dmp

Filesize
3.3MB

Download
memory/2556-135-0x000000013F8A0000-0x000000013FBF4000-memory.dmp

Filesize
3.3MB

Download
memory/2768-120-0x000000013FE00000-0x0000000140154000-memory.dmp

Filesize
3.3MB

Download
memory/2768-142-0x000000013FE00000-0x0000000140154000-memory.dmp

Filesize
3.3MB

Download
memory/2836-119-0x000000013FE00000-0x0000000140154000-memory.dmp

Filesize
3.3MB

Download
memory/2836-123-0x000000013F4D0000-0x000000013F824000-memory.dmp

Filesize
3.3MB

Download
memory/2836-114-0x0000000002240000-0x0000000002594000-memory.dmp

Filesize
3.3MB

Download
memory/2836-133-0x000000013FFE0000-0x0000000140334000-memory.dmp

Filesize
3.3MB

Download
memory/2836-1-0x000000013F9E0000-0x000000013FD34000-memory.dmp

Filesize
3.3MB

Download
memory/2836-128-0x000000013F350000-0x000000013F6A4000-memory.dmp

Filesize
3.3MB

Download
memory/2836-116-0x000000013F5D0000-0x000000013F924000-memory.dmp

Filesize
3.3MB

Download
memory/2836-126-0x000000013FFB0000-0x0000000140304000-memory.dmp

Filesize
3.3MB

Download
memory/2836-121-0x000000013FDE0000-0x0000000140134000-memory.dmp

Filesize
3.3MB

Download
memory/2836-131-0x000000013F9E0000-0x000000013FD34000-memory.dmp

Filesize
3.3MB

Download
memory/2836-0-0x0000000000100000-0x0000000000110000-memory.dmp

Filesize
64KB

Download
memory/2836-112-0x000000013F330000-0x000000013F684000-memory.dmp

Filesize
3.3MB

Download
memory/2836-87-0x0000000002240000-0x0000000002594000-memory.dmp

Filesize
3.3MB

Download
memory/2836-110-0x000000013FFE0000-0x0000000140334000-memory.dmp

Filesize
3.3MB

Download
memory/2916-146-0x000000013F4D0000-0x000000013F824000-memory.dmp

Filesize
3.3MB

Download
memory/2916-124-0x000000013F4D0000-0x000000013F824000-memory.dmp

Filesize
3.3MB

Download
memory/2956-111-0x000000013FFE0000-0x0000000140334000-memory.dmp

Filesize
3.3MB

Download
memory/2956-136-0x000000013FFE0000-0x0000000140334000-memory.dmp

Filesize
3.3MB

Download