cobaltstrike | 6931c38c3fd5ea1cfd632c0c300d81e346294bc9d6fd131358ad5ad5750da7c4

Analysis

max time kernel
141s
max time network
148s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
01/06/2024, 17:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe
Size

5.9MB
MD5

9939fa0286d6eec50d899d5064baf15d
SHA1

52486e6fd95040485b7329cf23d2991de318f6df
SHA256

6931c38c3fd5ea1cfd632c0c300d81e346294bc9d6fd131358ad5ad5750da7c4
SHA512

53a62703c37eded63ecfdc4e290a03a74bb48eeea3c8031e0d5303a1ca9e8fc1e50338a1afafab5513c078ee496ef62f9a089728bed77862d5f9955a3eb91572
SSDEEP

98304:oemTLkNdfE0pZrt56utgpPFotBER/mQ32lUH:T+856utgpPF8u/7H

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x000d0000000122b8-5.dat	cobalt_reflective_dll
behavioral1/files/0x0009000000014aec-12.dat	cobalt_reflective_dll
behavioral1/files/0x0009000000014ec4-18.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000014fe1-27.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d41-124.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016e56-103.dat	cobalt_reflective_dll
behavioral1/files/0x00070000000155d4-96.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d55-94.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d84-88.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d4a-84.dat	cobalt_reflective_dll
behavioral1/files/0x0009000000014b6d-83.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d4f-79.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d36-71.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d24-62.dat	cobalt_reflective_dll
behavioral1/files/0x000600000001704f-113.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d01-111.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d89-110.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016cf0-54.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015364-46.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d11-58.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015264-33.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

resource	yara_rule
behavioral1/files/0x000d0000000122b8-5.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0009000000014aec-12.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0009000000014ec4-18.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000014fe1-27.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d41-124.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016e56-103.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x00070000000155d4-96.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d55-94.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d84-88.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d4a-84.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0009000000014b6d-83.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d4f-79.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d36-71.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d24-62.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x000600000001704f-113.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d01-111.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d89-110.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016cf0-54.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000015364-46.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d11-58.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000015264-33.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 47 IoCs

resource	yara_rule
behavioral1/memory/2180-0-0x000000013FE70000-0x00000001401C4000-memory.dmp	UPX
behavioral1/files/0x000d0000000122b8-5.dat	UPX
behavioral1/memory/324-8-0x000000013F350000-0x000000013F6A4000-memory.dmp	UPX
behavioral1/files/0x0009000000014aec-12.dat	UPX
behavioral1/files/0x0009000000014ec4-18.dat	UPX
behavioral1/memory/2956-14-0x000000013FD00000-0x0000000140054000-memory.dmp	UPX
behavioral1/files/0x0007000000014fe1-27.dat	UPX
behavioral1/memory/1720-28-0x000000013F6D0000-0x000000013FA24000-memory.dmp	UPX
behavioral1/memory/3012-109-0x000000013F460000-0x000000013F7B4000-memory.dmp	UPX
behavioral1/files/0x0006000000016d41-124.dat	UPX
behavioral1/files/0x0006000000016e56-103.dat	UPX
behavioral1/files/0x00070000000155d4-96.dat	UPX
behavioral1/files/0x0006000000016d55-94.dat	UPX
behavioral1/memory/1872-93-0x000000013FF70000-0x00000001402C4000-memory.dmp	UPX
behavioral1/files/0x0006000000016d84-88.dat	UPX
behavioral1/files/0x0006000000016d4a-84.dat	UPX
behavioral1/files/0x0009000000014b6d-83.dat	UPX
behavioral1/files/0x0006000000016d4f-79.dat	UPX
behavioral1/memory/2180-133-0x000000013FE70000-0x00000001401C4000-memory.dmp	UPX
behavioral1/files/0x0006000000016d36-71.dat	UPX
behavioral1/memory/2992-65-0x000000013FD90000-0x00000001400E4000-memory.dmp	UPX
behavioral1/files/0x0006000000016d24-62.dat	UPX
behavioral1/memory/2904-116-0x000000013F9A0000-0x000000013FCF4000-memory.dmp	UPX
behavioral1/files/0x000600000001704f-113.dat	UPX
behavioral1/files/0x0006000000016d01-111.dat	UPX
behavioral1/files/0x0006000000016d89-110.dat	UPX
behavioral1/files/0x0006000000016cf0-54.dat	UPX
behavioral1/memory/2764-100-0x000000013FE70000-0x00000001401C4000-memory.dmp	UPX
behavioral1/files/0x0007000000015364-46.dat	UPX
behavioral1/memory/2956-135-0x000000013FD00000-0x0000000140054000-memory.dmp	UPX
behavioral1/memory/2100-69-0x000000013F830000-0x000000013FB84000-memory.dmp	UPX
behavioral1/files/0x0006000000016d11-58.dat	UPX
behavioral1/memory/2860-41-0x000000013FB50000-0x000000013FEA4000-memory.dmp	UPX
behavioral1/files/0x0007000000015264-33.dat	UPX
behavioral1/memory/1028-25-0x000000013F6D0000-0x000000013FA24000-memory.dmp	UPX
behavioral1/memory/1720-136-0x000000013F6D0000-0x000000013FA24000-memory.dmp	UPX
behavioral1/memory/324-138-0x000000013F350000-0x000000013F6A4000-memory.dmp	UPX
behavioral1/memory/1028-140-0x000000013F6D0000-0x000000013FA24000-memory.dmp	UPX
behavioral1/memory/2956-139-0x000000013FD00000-0x0000000140054000-memory.dmp	UPX
behavioral1/memory/2860-141-0x000000013FB50000-0x000000013FEA4000-memory.dmp	UPX
behavioral1/memory/1720-142-0x000000013F6D0000-0x000000013FA24000-memory.dmp	UPX
behavioral1/memory/2100-143-0x000000013F830000-0x000000013FB84000-memory.dmp	UPX
behavioral1/memory/2992-145-0x000000013FD90000-0x00000001400E4000-memory.dmp	UPX
behavioral1/memory/1872-144-0x000000013FF70000-0x00000001402C4000-memory.dmp	UPX
behavioral1/memory/2904-148-0x000000013F9A0000-0x000000013FCF4000-memory.dmp	UPX
behavioral1/memory/3012-147-0x000000013F460000-0x000000013F7B4000-memory.dmp	UPX
behavioral1/memory/2764-146-0x000000013FE70000-0x00000001401C4000-memory.dmp	UPX

XMRig Miner payload 49 IoCs

miner

resource	yara_rule
behavioral1/memory/2180-0-0x000000013FE70000-0x00000001401C4000-memory.dmp	xmrig
behavioral1/files/0x000d0000000122b8-5.dat	xmrig
behavioral1/memory/324-8-0x000000013F350000-0x000000013F6A4000-memory.dmp	xmrig
behavioral1/files/0x0009000000014aec-12.dat	xmrig
behavioral1/files/0x0009000000014ec4-18.dat	xmrig
behavioral1/memory/2956-14-0x000000013FD00000-0x0000000140054000-memory.dmp	xmrig
behavioral1/files/0x0007000000014fe1-27.dat	xmrig
behavioral1/memory/1720-28-0x000000013F6D0000-0x000000013FA24000-memory.dmp	xmrig
behavioral1/memory/3012-109-0x000000013F460000-0x000000013F7B4000-memory.dmp	xmrig
behavioral1/files/0x0006000000016d41-124.dat	xmrig
behavioral1/files/0x0006000000016e56-103.dat	xmrig
behavioral1/files/0x00070000000155d4-96.dat	xmrig
behavioral1/files/0x0006000000016d55-94.dat	xmrig
behavioral1/memory/1872-93-0x000000013FF70000-0x00000001402C4000-memory.dmp	xmrig
behavioral1/files/0x0006000000016d84-88.dat	xmrig
behavioral1/files/0x0006000000016d4a-84.dat	xmrig
behavioral1/files/0x0009000000014b6d-83.dat	xmrig
behavioral1/files/0x0006000000016d4f-79.dat	xmrig
behavioral1/memory/2180-133-0x000000013FE70000-0x00000001401C4000-memory.dmp	xmrig
behavioral1/memory/2180-74-0x00000000022A0000-0x00000000025F4000-memory.dmp	xmrig
behavioral1/files/0x0006000000016d36-71.dat	xmrig
behavioral1/memory/2992-65-0x000000013FD90000-0x00000001400E4000-memory.dmp	xmrig
behavioral1/files/0x0006000000016d24-62.dat	xmrig
behavioral1/memory/2904-116-0x000000013F9A0000-0x000000013FCF4000-memory.dmp	xmrig
behavioral1/files/0x000600000001704f-113.dat	xmrig
behavioral1/files/0x0006000000016d01-111.dat	xmrig
behavioral1/files/0x0006000000016d89-110.dat	xmrig
behavioral1/files/0x0006000000016cf0-54.dat	xmrig
behavioral1/memory/2764-100-0x000000013FE70000-0x00000001401C4000-memory.dmp	xmrig
behavioral1/files/0x0007000000015364-46.dat	xmrig
behavioral1/memory/2180-43-0x000000013F460000-0x000000013F7B4000-memory.dmp	xmrig
behavioral1/memory/2956-135-0x000000013FD00000-0x0000000140054000-memory.dmp	xmrig
behavioral1/memory/2100-69-0x000000013F830000-0x000000013FB84000-memory.dmp	xmrig
behavioral1/files/0x0006000000016d11-58.dat	xmrig
behavioral1/memory/2860-41-0x000000013FB50000-0x000000013FEA4000-memory.dmp	xmrig
behavioral1/files/0x0007000000015264-33.dat	xmrig
behavioral1/memory/1028-25-0x000000013F6D0000-0x000000013FA24000-memory.dmp	xmrig
behavioral1/memory/1720-136-0x000000013F6D0000-0x000000013FA24000-memory.dmp	xmrig
behavioral1/memory/324-138-0x000000013F350000-0x000000013F6A4000-memory.dmp	xmrig
behavioral1/memory/1028-140-0x000000013F6D0000-0x000000013FA24000-memory.dmp	xmrig
behavioral1/memory/2956-139-0x000000013FD00000-0x0000000140054000-memory.dmp	xmrig
behavioral1/memory/2860-141-0x000000013FB50000-0x000000013FEA4000-memory.dmp	xmrig
behavioral1/memory/1720-142-0x000000013F6D0000-0x000000013FA24000-memory.dmp	xmrig
behavioral1/memory/2100-143-0x000000013F830000-0x000000013FB84000-memory.dmp	xmrig
behavioral1/memory/2992-145-0x000000013FD90000-0x00000001400E4000-memory.dmp	xmrig
behavioral1/memory/1872-144-0x000000013FF70000-0x00000001402C4000-memory.dmp	xmrig
behavioral1/memory/2904-148-0x000000013F9A0000-0x000000013FCF4000-memory.dmp	xmrig
behavioral1/memory/3012-147-0x000000013F460000-0x000000013F7B4000-memory.dmp	xmrig
behavioral1/memory/2764-146-0x000000013FE70000-0x00000001401C4000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
324	RRdfeur.exe
2956	CDarvbm.exe
1028	yOqkvlw.exe
1720	GyukSRm.exe
2860	eqvfHqJ.exe
2100	CjiBsUh.exe
1872	jNWVScM.exe
2992	WYBsIEk.exe
2764	AGSljae.exe
3012	dHxxwyH.exe
2904	xUNuTFF.exe
2704	exqhdMm.exe
588	HXoLwnv.exe
2408	klHDXHp.exe
2288	pXSBCNE.exe
2832	TGMUpkp.exe
2652	RPoPUao.exe
3024	sfVYZEj.exe
1544	gzIjdFh.exe
2584	lqDVDNQ.exe
2492	oOeAIlh.exe

Loads dropped DLL 21 IoCs

pid	Process
2180	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe
2180	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe
2180	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe
2180	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe
2180	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe
2180	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe
2180	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe
2180	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe
2180	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe
2180	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe
2180	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe
2180	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe
2180	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe
2180	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe
2180	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe
2180	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe
2180	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe
2180	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe
2180	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe
2180	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe
2180	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe

UPX packed file 47 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2180-0-0x000000013FE70000-0x00000001401C4000-memory.dmp	upx
behavioral1/files/0x000d0000000122b8-5.dat	upx
behavioral1/memory/324-8-0x000000013F350000-0x000000013F6A4000-memory.dmp	upx
behavioral1/files/0x0009000000014aec-12.dat	upx
behavioral1/files/0x0009000000014ec4-18.dat	upx
behavioral1/memory/2956-14-0x000000013FD00000-0x0000000140054000-memory.dmp	upx
behavioral1/files/0x0007000000014fe1-27.dat	upx
behavioral1/memory/1720-28-0x000000013F6D0000-0x000000013FA24000-memory.dmp	upx
behavioral1/memory/3012-109-0x000000013F460000-0x000000013F7B4000-memory.dmp	upx
behavioral1/files/0x0006000000016d41-124.dat	upx
behavioral1/files/0x0006000000016e56-103.dat	upx
behavioral1/files/0x00070000000155d4-96.dat	upx
behavioral1/files/0x0006000000016d55-94.dat	upx
behavioral1/memory/1872-93-0x000000013FF70000-0x00000001402C4000-memory.dmp	upx
behavioral1/files/0x0006000000016d84-88.dat	upx
behavioral1/files/0x0006000000016d4a-84.dat	upx
behavioral1/files/0x0009000000014b6d-83.dat	upx
behavioral1/files/0x0006000000016d4f-79.dat	upx
behavioral1/memory/2180-133-0x000000013FE70000-0x00000001401C4000-memory.dmp	upx
behavioral1/files/0x0006000000016d36-71.dat	upx
behavioral1/memory/2992-65-0x000000013FD90000-0x00000001400E4000-memory.dmp	upx
behavioral1/files/0x0006000000016d24-62.dat	upx
behavioral1/memory/2904-116-0x000000013F9A0000-0x000000013FCF4000-memory.dmp	upx
behavioral1/files/0x000600000001704f-113.dat	upx
behavioral1/files/0x0006000000016d01-111.dat	upx
behavioral1/files/0x0006000000016d89-110.dat	upx
behavioral1/files/0x0006000000016cf0-54.dat	upx
behavioral1/memory/2764-100-0x000000013FE70000-0x00000001401C4000-memory.dmp	upx
behavioral1/files/0x0007000000015364-46.dat	upx
behavioral1/memory/2956-135-0x000000013FD00000-0x0000000140054000-memory.dmp	upx
behavioral1/memory/2100-69-0x000000013F830000-0x000000013FB84000-memory.dmp	upx
behavioral1/files/0x0006000000016d11-58.dat	upx
behavioral1/memory/2860-41-0x000000013FB50000-0x000000013FEA4000-memory.dmp	upx
behavioral1/files/0x0007000000015264-33.dat	upx
behavioral1/memory/1028-25-0x000000013F6D0000-0x000000013FA24000-memory.dmp	upx
behavioral1/memory/1720-136-0x000000013F6D0000-0x000000013FA24000-memory.dmp	upx
behavioral1/memory/324-138-0x000000013F350000-0x000000013F6A4000-memory.dmp	upx
behavioral1/memory/1028-140-0x000000013F6D0000-0x000000013FA24000-memory.dmp	upx
behavioral1/memory/2956-139-0x000000013FD00000-0x0000000140054000-memory.dmp	upx
behavioral1/memory/2860-141-0x000000013FB50000-0x000000013FEA4000-memory.dmp	upx
behavioral1/memory/1720-142-0x000000013F6D0000-0x000000013FA24000-memory.dmp	upx
behavioral1/memory/2100-143-0x000000013F830000-0x000000013FB84000-memory.dmp	upx
behavioral1/memory/2992-145-0x000000013FD90000-0x00000001400E4000-memory.dmp	upx
behavioral1/memory/1872-144-0x000000013FF70000-0x00000001402C4000-memory.dmp	upx
behavioral1/memory/2904-148-0x000000013F9A0000-0x000000013FCF4000-memory.dmp	upx
behavioral1/memory/3012-147-0x000000013F460000-0x000000013F7B4000-memory.dmp	upx
behavioral1/memory/2764-146-0x000000013FE70000-0x00000001401C4000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\RRdfeur.exe	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\CDarvbm.exe	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\yOqkvlw.exe	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\dHxxwyH.exe	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\HXoLwnv.exe	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\jNWVScM.exe	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\RPoPUao.exe	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\xUNuTFF.exe	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\exqhdMm.exe	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\eqvfHqJ.exe	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\WYBsIEk.exe	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\gzIjdFh.exe	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\lqDVDNQ.exe	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\TGMUpkp.exe	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\GyukSRm.exe	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\CjiBsUh.exe	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\pXSBCNE.exe	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\AGSljae.exe	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\klHDXHp.exe	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\oOeAIlh.exe	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\sfVYZEj.exe	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2180	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	2180	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 324	2180	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe	29
PID 2180 wrote to memory of 324	2180	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe	29
PID 2180 wrote to memory of 324	2180	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe	29
PID 2180 wrote to memory of 2956	2180	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe	30
PID 2180 wrote to memory of 2956	2180	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe	30
PID 2180 wrote to memory of 2956	2180	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe	30
PID 2180 wrote to memory of 1028	2180	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe	31
PID 2180 wrote to memory of 1028	2180	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe	31
PID 2180 wrote to memory of 1028	2180	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe	31
PID 2180 wrote to memory of 1720	2180	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe	32
PID 2180 wrote to memory of 1720	2180	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe	32
PID 2180 wrote to memory of 1720	2180	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe	32
PID 2180 wrote to memory of 2860	2180	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe	33
PID 2180 wrote to memory of 2860	2180	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe	33
PID 2180 wrote to memory of 2860	2180	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe	33
PID 2180 wrote to memory of 3012	2180	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe	34
PID 2180 wrote to memory of 3012	2180	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe	34
PID 2180 wrote to memory of 3012	2180	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe	34
PID 2180 wrote to memory of 2100	2180	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe	35
PID 2180 wrote to memory of 2100	2180	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe	35
PID 2180 wrote to memory of 2100	2180	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe	35
PID 2180 wrote to memory of 588	2180	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe	36
PID 2180 wrote to memory of 588	2180	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe	36
PID 2180 wrote to memory of 588	2180	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe	36
PID 2180 wrote to memory of 1872	2180	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe	37
PID 2180 wrote to memory of 1872	2180	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe	37
PID 2180 wrote to memory of 1872	2180	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe	37
PID 2180 wrote to memory of 2288	2180	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe	38
PID 2180 wrote to memory of 2288	2180	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe	38
PID 2180 wrote to memory of 2288	2180	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe	38
PID 2180 wrote to memory of 2992	2180	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe	39
PID 2180 wrote to memory of 2992	2180	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe	39
PID 2180 wrote to memory of 2992	2180	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe	39
PID 2180 wrote to memory of 2652	2180	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe	40
PID 2180 wrote to memory of 2652	2180	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe	40
PID 2180 wrote to memory of 2652	2180	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe	40
PID 2180 wrote to memory of 2764	2180	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe	41
PID 2180 wrote to memory of 2764	2180	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe	41
PID 2180 wrote to memory of 2764	2180	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe	41
PID 2180 wrote to memory of 3024	2180	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe	42
PID 2180 wrote to memory of 3024	2180	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe	42
PID 2180 wrote to memory of 3024	2180	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe	42
PID 2180 wrote to memory of 2904	2180	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe	43
PID 2180 wrote to memory of 2904	2180	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe	43
PID 2180 wrote to memory of 2904	2180	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe	43
PID 2180 wrote to memory of 1544	2180	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe	44
PID 2180 wrote to memory of 1544	2180	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe	44
PID 2180 wrote to memory of 1544	2180	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe	44
PID 2180 wrote to memory of 2704	2180	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe	45
PID 2180 wrote to memory of 2704	2180	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe	45
PID 2180 wrote to memory of 2704	2180	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe	45
PID 2180 wrote to memory of 2584	2180	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe	46
PID 2180 wrote to memory of 2584	2180	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe	46
PID 2180 wrote to memory of 2584	2180	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe	46
PID 2180 wrote to memory of 2408	2180	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe	47
PID 2180 wrote to memory of 2408	2180	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe	47
PID 2180 wrote to memory of 2408	2180	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe	47
PID 2180 wrote to memory of 2492	2180	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe	48
PID 2180 wrote to memory of 2492	2180	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe	48
PID 2180 wrote to memory of 2492	2180	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe	48
PID 2180 wrote to memory of 2832	2180	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe	49
PID 2180 wrote to memory of 2832	2180	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe	49
PID 2180 wrote to memory of 2832	2180	2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe	49

C:\Users\Admin\AppData\Local\Temp\2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Windows\System\RRdfeur.exe
  C:\Windows\System\RRdfeur.exe
  2⤵
  - Executes dropped EXE
  PID:324
- C:\Windows\System\CDarvbm.exe
  C:\Windows\System\CDarvbm.exe
  2⤵
  - Executes dropped EXE
  PID:2956
- C:\Windows\System\yOqkvlw.exe
  C:\Windows\System\yOqkvlw.exe
  2⤵
  - Executes dropped EXE
  PID:1028
- C:\Windows\System\GyukSRm.exe
  C:\Windows\System\GyukSRm.exe
  2⤵
  - Executes dropped EXE
  PID:1720
- C:\Windows\System\eqvfHqJ.exe
  C:\Windows\System\eqvfHqJ.exe
  2⤵
  - Executes dropped EXE
  PID:2860
- C:\Windows\System\dHxxwyH.exe
  C:\Windows\System\dHxxwyH.exe
  2⤵
  - Executes dropped EXE
  PID:3012
- C:\Windows\System\CjiBsUh.exe
  C:\Windows\System\CjiBsUh.exe
  2⤵
  - Executes dropped EXE
  PID:2100
- C:\Windows\System\HXoLwnv.exe
  C:\Windows\System\HXoLwnv.exe
  2⤵
  - Executes dropped EXE
  PID:588
- C:\Windows\System\jNWVScM.exe
  C:\Windows\System\jNWVScM.exe
  2⤵
  - Executes dropped EXE
  PID:1872
- C:\Windows\System\pXSBCNE.exe
  C:\Windows\System\pXSBCNE.exe
  2⤵
  - Executes dropped EXE
  PID:2288
- C:\Windows\System\WYBsIEk.exe
  C:\Windows\System\WYBsIEk.exe
  2⤵
  - Executes dropped EXE
  PID:2992
- C:\Windows\System\RPoPUao.exe
  C:\Windows\System\RPoPUao.exe
  2⤵
  - Executes dropped EXE
  PID:2652
- C:\Windows\System\AGSljae.exe
  C:\Windows\System\AGSljae.exe
  2⤵
  - Executes dropped EXE
  PID:2764
- C:\Windows\System\sfVYZEj.exe
  C:\Windows\System\sfVYZEj.exe
  2⤵
  - Executes dropped EXE
  PID:3024
- C:\Windows\System\xUNuTFF.exe
  C:\Windows\System\xUNuTFF.exe
  2⤵
  - Executes dropped EXE
  PID:2904
- C:\Windows\System\gzIjdFh.exe
  C:\Windows\System\gzIjdFh.exe
  2⤵
  - Executes dropped EXE
  PID:1544
- C:\Windows\System\exqhdMm.exe
  C:\Windows\System\exqhdMm.exe
  2⤵
  - Executes dropped EXE
  PID:2704
- C:\Windows\System\lqDVDNQ.exe
  C:\Windows\System\lqDVDNQ.exe
  2⤵
  - Executes dropped EXE
  PID:2584
- C:\Windows\System\klHDXHp.exe
  C:\Windows\System\klHDXHp.exe
  2⤵
  - Executes dropped EXE
  PID:2408
- C:\Windows\System\oOeAIlh.exe
  C:\Windows\System\oOeAIlh.exe
  2⤵
  - Executes dropped EXE
  PID:2492
- C:\Windows\System\TGMUpkp.exe
  C:\Windows\System\TGMUpkp.exe
  2⤵
  - Executes dropped EXE
  PID:2832

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\AGSljae.exe

Filesize
5.9MB

MD5
90f6ce316cba85bd3f44fb9bc3f323ee

SHA1
71a7a36bc9c9e5978bf6d1d20a7f08190ebc4ea2

SHA256
ae0f5acc63aad33b94ebda63bbad1970b69f583fba235911eb108618f9471d5f

SHA512
de2a86a60a931a946649bb7b09a44138454f7bac9f5d417a162a40ba149502ac3754600d78850572029b65629ad2255359936b85e26d929cb06476a24198d520

Download Submit
C:\Windows\system\CDarvbm.exe

Filesize
5.9MB

MD5
1dd6cc7cf6fb5a0a21689c0732674219

SHA1
2a5662dce415876aaa91acc48e170dd482280931

SHA256
fc213dec94a64004a9e6945a90d9551dc6d931c372f475a0145af74935dd3efb

SHA512
93c10141cc9cb47ee0a0a27ba40316d0cf802c71989b98dfa294f7351738e81661d3f9538d5679d2258e0a29c6878c135126f197b91c99ba546411c0216376e6

Download Submit
C:\Windows\system\CjiBsUh.exe

Filesize
5.9MB

MD5
cfd80e3a11330b1a1bfa0069c8686694

SHA1
c085d1d63f68d8662ff1692b5f120804bed532d9

SHA256
b3c378e8d1a41462a9ec51747ef184ca3c71a7a93a4877a9aee9983cea92b72f

SHA512
2d55fc60a3aff99177d598698405059d9ea5aed15700f81b61c9f19499b6050d6c4b880b2f7ba8981c1d4cc73a71126def0d4aac1cea4245eea69681b8d0ffae

Download Submit
C:\Windows\system\GyukSRm.exe

Filesize
5.9MB

MD5
10a5997c78dead6dfe92ed69e3dacfec

SHA1
52e379a605600db3e4ad9af210bcc51353cba661

SHA256
9e264017447c01a4789b0f1bc8214dd9c6393e60f9b72ad5b32352a03f86d560

SHA512
a213b38fdc72ab86ca339929543adcff544ea70ae570d392a85f8b7da55d46d1cf0b0baaead748a505182e8fc856c3cb2a228d57646339791546c670b1144c54

Download Submit
C:\Windows\system\HXoLwnv.exe

Filesize
5.9MB

MD5
70999bdafe61208705cfccc5929e728b

SHA1
f213be038393d4eeb1d2342390e0991e9f0fed5a

SHA256
11bd480245c7e3a70c77a6122243e530d901f084a9ea357bff8ea2d2fa8077ee

SHA512
11abd2de3c9a44ace2bbb5d08c13ff1e4a20a5cd47d4e51c7236621b9ee46162cacdb72dfb80b28a3524bfa35552f2bc1bf3e8b82aab737a0b63fdc890ab9a28

Download Submit
C:\Windows\system\RRdfeur.exe

Filesize
5.9MB

MD5
6bd33f93d2d2d3f6096f9d4b9688f2b8

SHA1
96de9bb2bafeb5d278032e4cfdaf14529c749231

SHA256
eac0dd48ca92b743cccb1b3fbd2fdcd5561addcc1bafb06c229b352537e40c59

SHA512
e2d2f717332b0b8dfc43ad3ad7de35fc4f070a2e1e83230892782a197e69be6521d22b7de1d82795f4740fbf8014910825ed973039d816b428263b9c2547fbd9

Download Submit
C:\Windows\system\TGMUpkp.exe

Filesize
5.9MB

MD5
b5bdc12efda685ea402f57e0ef1b26d8

SHA1
8f9de694139689cd3424321e32e77fce59eb99e9

SHA256
19980ac78ae73366675bf388ec63add4f0690ebc365ac81eac8e2bd79e93a296

SHA512
7ca4bd6dc3dc1e2716da634eb90f31842820b58461ce8345584f63130f1234623780c17d1026a42ea845e20313894338473a343cae9f0db7ded44d14fd46e3af

Download Submit
C:\Windows\system\WYBsIEk.exe

Filesize
5.9MB

MD5
4c4c703a464e81c929b35de99cc56c79

SHA1
ebad8d1a48d9e60bbfb06b7a4e5bf6262b559996

SHA256
560240d63acea6b3819a0efeac388781673353c93516cfa1f7850476ef93e5bd

SHA512
2c96159958ef7706f4c68ef7f2957b506d209dae6eb7008086cd7aa9d7934715cb63e8524b483cbd250e41854706f8f7bbb8c9dee9024c49f0bf3dc6f31816c2

Download Submit
C:\Windows\system\dHxxwyH.exe

Filesize
5.9MB

MD5
26091a67d07a4ca7ee723077addcfb07

SHA1
b527f3b4ad5c8dce189d22063976bc44cb89093e

SHA256
410c77258b7ae83a27a11a29863c25d7b2d06d38a14884101246fd54625196ba

SHA512
84e1cdd237fba283413f55ad59116e7171b91e1311b71fc12d25b40dc12010d860162de78c3254c8b026fe5a08a0c0a8ab64220f5bf3d7f56270fe987d738038

Download Submit
C:\Windows\system\eqvfHqJ.exe

Filesize
5.9MB

MD5
7d6cae4194bc506378dff116d30f8d8a

SHA1
f459c442ba6e0c6dacf414d55273a5b477617371

SHA256
3c00a13197e121b0a20547f58224aaa0c8bdec7d833ebb09f25cb21425b29fc9

SHA512
e71dc6f7c9e79708ef86f803577fa7e684a015f468ec8b53a25671a325792ee43f1eaf7e47f094406810357ad0ef03f4404398172072555f0c359b36de16a0e0

Download Submit
C:\Windows\system\exqhdMm.exe

Filesize
5.9MB

MD5
828b59124cca2ec4066179dc742f2c5f

SHA1
7fc4e111e5613c6032636a1db81b7733ef4cee5e

SHA256
d0afc1a89bac8c8741f2d5361a9478001f9b3786884334a211b95c0d6deda3d4

SHA512
476b48f8db97945d3c6cdf4533b484218638e4ad7ceb8c9967866722b1a5995f9d6ec14a06accf8f6f8ceb745309aee256043984fbb299adbe1d1b661ae6e9e7

Download Submit
C:\Windows\system\jNWVScM.exe

Filesize
5.9MB

MD5
ae76b303065d71f7fa6bc957f0fbc891

SHA1
9f215fb0b444355d0f6882cc8e573eae3ee73bcf

SHA256
5eb78aedad8db92af7ae5bc1bf13a220cb7fe1778d368ae5af1f988bf59b8533

SHA512
0d06e896e9f19137c5a5fcce726026b137b0533deed59cc0a3806d47c88d890ded7db1d5a9b82b6117e8fbb9d0a1945b6938f666c1bf4f6e1ddc889be36d0409

Download Submit
C:\Windows\system\klHDXHp.exe

Filesize
5.9MB

MD5
feefd32d839f6cb6df9630c382c0d800

SHA1
7faff234224678c49b0801d2fac06068eec95013

SHA256
e3f8a005def19c08b7af99bb4479e84b77e5f91a3bb8c981d8b8238f0d90fdb0

SHA512
cc22db9d63224fd55dbbf76613af6491dd4d112c58719c88ebef6b8fea59544ff7bc760840fd0c24ec0f2786a684fcab157d463a366039f7ed7159e1f0f489a3

Download Submit
C:\Windows\system\pXSBCNE.exe

Filesize
5.9MB

MD5
b0e80db814bdbeef75095218f82c5364

SHA1
c1e064f02f9e8ab5915407406aadcdb81eda4b18

SHA256
5ec79c29a343b0ea5ec8f9ca334b27ae9bb4c5e4addeb79e80e9dd997a041425

SHA512
6e69d2d791d1dad7b22cf31940ed29162649eeaa9d69836b38f610a3a7e425098ae06a4227c121290d8d04a6e1fde757773628a42b44fa5a722af35ddb87048c

Download Submit
C:\Windows\system\sfVYZEj.exe

Filesize
5.9MB

MD5
44709ee073c7585ae2f3ca253872bc68

SHA1
03d2504144f07cd7e3d6a69bcbabd921233c266d

SHA256
f92c6be81b4c2fe9d04ece0266f2d3058011358e8f7d615bd05cd8016376440d

SHA512
c52f6b470d63d291a8bb00137de9c2f649fb2805ae2fc1366a1b2097408416040cd5f5f8d0c9256e585da8b61d86006a71c1dbcd15a6e028d81faa397294f6f2

Download Submit
C:\Windows\system\xUNuTFF.exe

Filesize
5.9MB

MD5
d4e6be526537dd1981681ccf5b1e5551

SHA1
1120de6bdc1139d7d7071a4fb245c8ae02ec0675

SHA256
a48197c6bb6f7243c781652f9f884249605c654c0a982f0c60a11e17d3b0d407

SHA512
a5447cffc864a5de47f4f5a4289a37a3a018d1ba47cafdd4392b172b26944865c08637d66b80d82f274ece900a34dd4f745453ecd472d528e72e6f0ecd5346c8

Download Submit
C:\Windows\system\yOqkvlw.exe

Filesize
5.9MB

MD5
67203355aeb0738da1b35fa90adb084d

SHA1
80a778b6b423e0e9510966ac436fae27be47c173

SHA256
96f95fd09a1e5ffb5230368eee1db968dc30ec5002d079f0c0f44320d7c36d7b

SHA512
0b967a44541e5f557ef9edae16b348c719e3835472f533d2200493fe47b7649026285fd445ade517307dcb02a03bf229e1fb353b541ffe4756cc149bf12a3277

Download Submit
\Windows\system\RPoPUao.exe

Filesize
5.9MB

MD5
19fd6e74cdde69344cbc403967c76220

SHA1
e5fb3724392574ec92fb1f5f256dbb3c81f9bbd5

SHA256
c170acc11001311da68ef205f99d2994d892c702c05195793a9f3246b2a1dc8f

SHA512
d24b97da6796ec0334b795176c56ac02a24b48cfd27f0cace82976c38a3b93cef97bd2c9cbc80bc10a3bcdba2a34808b749143be45ade670fce0af29b9d56724

Download Submit
\Windows\system\gzIjdFh.exe

Filesize
5.9MB

MD5
e8746e9984439b6f894a6df54baec353

SHA1
45fc0be8045b407da75bafeb982b0c18277a46fc

SHA256
bf2b50ba60e4cd0e5e9e5925d6ea76e6fa25fd83e60a2d04bf4a8c15d75b672f

SHA512
d419f6c5f252728fa7b92ac6c460153e108453164ec928b65b2a28a18daecd2624c0f41451d334fb67fe897260ca03dff293f3696d8c6aa64b85a88fc4436895

Download Submit
\Windows\system\lqDVDNQ.exe

Filesize
5.9MB

MD5
7ab3f611ac2ac52c8003723a36ddf28c

SHA1
6d24a484508091107f44c50e8da3f97d84c4474b

SHA256
03d587d4501ee55950472f4e909240b596e8c2fa13b1ea5eb0e988e158896c77

SHA512
34b75c7259d6500e2495e4330c2871c4c1449b6bc0decf1d7d0bc926341ed5eacc0134220691aeb191a4c2f52771e313c6dd5dbb8bbbfde36039037f7eda60d1

Download Submit
\Windows\system\oOeAIlh.exe

Filesize
5.9MB

MD5
cfc748eaa4cc190822bf006b1e785804

SHA1
b2deb798b20b04a031c0e68a28c57a464af92809

SHA256
d59e39374c145abf36c7a8c79e7734f36037b9b76f3549a7e59a988de952d2ad

SHA512
b31ec562caad68ff000c05ee11b76c302e2ef71469fd6e8dd35db9aa42d76d196d54e3778746cfb5d614435652eade6274e0f2d873a434fc71b0a443e440aa64

Download Submit
memory/324-8-0x000000013F350000-0x000000013F6A4000-memory.dmp

Filesize
3.3MB

Download
memory/324-138-0x000000013F350000-0x000000013F6A4000-memory.dmp

Filesize
3.3MB

Download
memory/1028-25-0x000000013F6D0000-0x000000013FA24000-memory.dmp

Filesize
3.3MB

Download
memory/1028-140-0x000000013F6D0000-0x000000013FA24000-memory.dmp

Filesize
3.3MB

Download
memory/1720-28-0x000000013F6D0000-0x000000013FA24000-memory.dmp

Filesize
3.3MB

Download
memory/1720-142-0x000000013F6D0000-0x000000013FA24000-memory.dmp

Filesize
3.3MB

Download
memory/1720-136-0x000000013F6D0000-0x000000013FA24000-memory.dmp

Filesize
3.3MB

Download
memory/1872-93-0x000000013FF70000-0x00000001402C4000-memory.dmp

Filesize
3.3MB

Download
memory/1872-144-0x000000013FF70000-0x00000001402C4000-memory.dmp

Filesize
3.3MB

Download
memory/2100-69-0x000000013F830000-0x000000013FB84000-memory.dmp

Filesize
3.3MB

Download
memory/2100-143-0x000000013F830000-0x000000013FB84000-memory.dmp

Filesize
3.3MB

Download
memory/2180-117-0x00000000022A0000-0x00000000025F4000-memory.dmp

Filesize
3.3MB

Download
memory/2180-26-0x000000013F6D0000-0x000000013FA24000-memory.dmp

Filesize
3.3MB

Download
memory/2180-0-0x000000013FE70000-0x00000001401C4000-memory.dmp

Filesize
3.3MB

Download
memory/2180-118-0x00000000022A0000-0x00000000025F4000-memory.dmp

Filesize
3.3MB

Download
memory/2180-134-0x00000000022A0000-0x00000000025F4000-memory.dmp

Filesize
3.3MB

Download
memory/2180-119-0x00000000022A0000-0x00000000025F4000-memory.dmp

Filesize
3.3MB

Download
memory/2180-1-0x00000000001F0000-0x0000000000200000-memory.dmp

Filesize
64KB

Download
memory/2180-99-0x00000000022A0000-0x00000000025F4000-memory.dmp

Filesize
3.3MB

Download
memory/2180-120-0x00000000022A0000-0x00000000025F4000-memory.dmp

Filesize
3.3MB

Download
memory/2180-43-0x000000013F460000-0x000000013F7B4000-memory.dmp

Filesize
3.3MB

Download
memory/2180-78-0x00000000022A0000-0x00000000025F4000-memory.dmp

Filesize
3.3MB

Download
memory/2180-21-0x000000013F6D0000-0x000000013FA24000-memory.dmp

Filesize
3.3MB

Download
memory/2180-121-0x000000013F9A0000-0x000000013FCF4000-memory.dmp

Filesize
3.3MB

Download
memory/2180-60-0x00000000022A0000-0x00000000025F4000-memory.dmp

Filesize
3.3MB

Download
memory/2180-122-0x00000000022A0000-0x00000000025F4000-memory.dmp

Filesize
3.3MB

Download
memory/2180-97-0x00000000022A0000-0x00000000025F4000-memory.dmp

Filesize
3.3MB

Download
memory/2180-137-0x000000013F830000-0x000000013FB84000-memory.dmp

Filesize
3.3MB

Download
memory/2180-133-0x000000013FE70000-0x00000001401C4000-memory.dmp

Filesize
3.3MB

Download
memory/2180-74-0x00000000022A0000-0x00000000025F4000-memory.dmp

Filesize
3.3MB

Download
memory/2180-13-0x00000000022A0000-0x00000000025F4000-memory.dmp

Filesize
3.3MB

Download
memory/2764-146-0x000000013FE70000-0x00000001401C4000-memory.dmp

Filesize
3.3MB

Download
memory/2764-100-0x000000013FE70000-0x00000001401C4000-memory.dmp

Filesize
3.3MB

Download
memory/2860-41-0x000000013FB50000-0x000000013FEA4000-memory.dmp

Filesize
3.3MB

Download
memory/2860-141-0x000000013FB50000-0x000000013FEA4000-memory.dmp

Filesize
3.3MB

Download
memory/2904-116-0x000000013F9A0000-0x000000013FCF4000-memory.dmp

Filesize
3.3MB

Download
memory/2904-148-0x000000013F9A0000-0x000000013FCF4000-memory.dmp

Filesize
3.3MB

Download
memory/2956-135-0x000000013FD00000-0x0000000140054000-memory.dmp

Filesize
3.3MB

Download
memory/2956-14-0x000000013FD00000-0x0000000140054000-memory.dmp

Filesize
3.3MB

Download
memory/2956-139-0x000000013FD00000-0x0000000140054000-memory.dmp

Filesize
3.3MB

Download
memory/2992-145-0x000000013FD90000-0x00000001400E4000-memory.dmp

Filesize
3.3MB

Download
memory/2992-65-0x000000013FD90000-0x00000001400E4000-memory.dmp

Filesize
3.3MB

Download
memory/3012-109-0x000000013F460000-0x000000013F7B4000-memory.dmp

Filesize
3.3MB

Download
memory/3012-147-0x000000013F460000-0x000000013F7B4000-memory.dmp

Filesize
3.3MB

Download