cobaltstrike | bcde48fcbdf19046a898e961612fbabd77ac5b693ebadc4b3baf653b36fcd7ab

Analysis

max time kernel
134s
max time network
144s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
02-06-2024 05:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-02_daffa1533f837a6e5c37a98b47a5974f_cobalt-strike_cobaltstrike.exe
Size

5.9MB
MD5

daffa1533f837a6e5c37a98b47a5974f
SHA1

1aae2efc43651512732ceb057791661edc1be8cc
SHA256

bcde48fcbdf19046a898e961612fbabd77ac5b693ebadc4b3baf653b36fcd7ab
SHA512

94a056eed732b216c8281b633809f649b59d822755c5fd207a4885eee1f6c6c8ebbb8b030c07a7404e13af24fe0dcfd6d8fc52ac1ff7dd85811d4683e41427a5
SSDEEP

98304:oemTLkNdfE0pZrt56utgpPFotBER/mQ32lUy:T+856utgpPF8u/7y

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x000a000000015cb6-3.dat	cobalt_reflective_dll
behavioral1/files/0x0035000000015d42-11.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000015d6b-12.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015d7f-21.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015d87-23.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015e32-36.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000015ecc-40.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016cdc-45.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d3e-75.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d74-90.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016da5-105.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d9d-100.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d8e-95.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d5f-85.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d43-80.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d3a-70.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d34-65.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d20-60.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d18-55.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d07-50.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015d93-30.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

resource	yara_rule
behavioral1/files/0x000a000000015cb6-3.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0035000000015d42-11.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0008000000015d6b-12.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000015d7f-21.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000015d87-23.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000015e32-36.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0008000000015ecc-40.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016cdc-45.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d3e-75.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d74-90.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016da5-105.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d9d-100.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d8e-95.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d5f-85.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d43-80.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d3a-70.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d34-65.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d20-60.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d18-55.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d07-50.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000015d93-30.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 51 IoCs

resource	yara_rule
behavioral1/memory/2968-0-0x000000013F9A0000-0x000000013FCF4000-memory.dmp	UPX
behavioral1/files/0x000a000000015cb6-3.dat	UPX
behavioral1/files/0x0035000000015d42-11.dat	UPX
behavioral1/files/0x0008000000015d6b-12.dat	UPX
behavioral1/files/0x0007000000015d7f-21.dat	UPX
behavioral1/files/0x0007000000015d87-23.dat	UPX
behavioral1/files/0x0007000000015e32-36.dat	UPX
behavioral1/files/0x0008000000015ecc-40.dat	UPX
behavioral1/files/0x0006000000016cdc-45.dat	UPX
behavioral1/files/0x0006000000016d3e-75.dat	UPX
behavioral1/files/0x0006000000016d74-90.dat	UPX
behavioral1/files/0x0006000000016da5-105.dat	UPX
behavioral1/files/0x0006000000016d9d-100.dat	UPX
behavioral1/files/0x0006000000016d8e-95.dat	UPX
behavioral1/memory/2540-128-0x000000013F970000-0x000000013FCC4000-memory.dmp	UPX
behavioral1/memory/3044-129-0x000000013FC60000-0x000000013FFB4000-memory.dmp	UPX
behavioral1/memory/2440-127-0x000000013FF60000-0x00000001402B4000-memory.dmp	UPX
behavioral1/memory/2648-125-0x000000013FD50000-0x00000001400A4000-memory.dmp	UPX
behavioral1/memory/2584-123-0x000000013F630000-0x000000013F984000-memory.dmp	UPX
behavioral1/memory/2448-121-0x000000013F2D0000-0x000000013F624000-memory.dmp	UPX
behavioral1/memory/2620-119-0x000000013F520000-0x000000013F874000-memory.dmp	UPX
behavioral1/memory/2688-117-0x000000013F9F0000-0x000000013FD44000-memory.dmp	UPX
behavioral1/memory/2576-116-0x000000013F650000-0x000000013F9A4000-memory.dmp	UPX
behavioral1/memory/2676-115-0x000000013FE10000-0x0000000140164000-memory.dmp	UPX
behavioral1/memory/2564-113-0x000000013FC30000-0x000000013FF84000-memory.dmp	UPX
behavioral1/memory/3020-112-0x000000013F850000-0x000000013FBA4000-memory.dmp	UPX
behavioral1/memory/3000-111-0x000000013FB90000-0x000000013FEE4000-memory.dmp	UPX
behavioral1/memory/1784-109-0x000000013FE20000-0x0000000140174000-memory.dmp	UPX
behavioral1/files/0x0006000000016d5f-85.dat	UPX
behavioral1/files/0x0006000000016d43-80.dat	UPX
behavioral1/files/0x0006000000016d3a-70.dat	UPX
behavioral1/files/0x0006000000016d34-65.dat	UPX
behavioral1/files/0x0006000000016d20-60.dat	UPX
behavioral1/files/0x0006000000016d18-55.dat	UPX
behavioral1/files/0x0006000000016d07-50.dat	UPX
behavioral1/files/0x0007000000015d93-30.dat	UPX
behavioral1/memory/2968-130-0x000000013F9A0000-0x000000013FCF4000-memory.dmp	UPX
behavioral1/memory/3044-132-0x000000013FC60000-0x000000013FFB4000-memory.dmp	UPX
behavioral1/memory/3000-133-0x000000013FB90000-0x000000013FEE4000-memory.dmp	UPX
behavioral1/memory/1784-134-0x000000013FE20000-0x0000000140174000-memory.dmp	UPX
behavioral1/memory/3020-135-0x000000013F850000-0x000000013FBA4000-memory.dmp	UPX
behavioral1/memory/2564-136-0x000000013FC30000-0x000000013FF84000-memory.dmp	UPX
behavioral1/memory/2676-137-0x000000013FE10000-0x0000000140164000-memory.dmp	UPX
behavioral1/memory/2576-138-0x000000013F650000-0x000000013F9A4000-memory.dmp	UPX
behavioral1/memory/2688-139-0x000000013F9F0000-0x000000013FD44000-memory.dmp	UPX
behavioral1/memory/2620-140-0x000000013F520000-0x000000013F874000-memory.dmp	UPX
behavioral1/memory/2448-141-0x000000013F2D0000-0x000000013F624000-memory.dmp	UPX
behavioral1/memory/2584-142-0x000000013F630000-0x000000013F984000-memory.dmp	UPX
behavioral1/memory/2440-143-0x000000013FF60000-0x00000001402B4000-memory.dmp	UPX
behavioral1/memory/2540-145-0x000000013F970000-0x000000013FCC4000-memory.dmp	UPX
behavioral1/memory/2648-144-0x000000013FD50000-0x00000001400A4000-memory.dmp	UPX

XMRig Miner payload 55 IoCs

miner

resource	yara_rule
behavioral1/memory/2968-0-0x000000013F9A0000-0x000000013FCF4000-memory.dmp	xmrig
behavioral1/files/0x000a000000015cb6-3.dat	xmrig
behavioral1/files/0x0035000000015d42-11.dat	xmrig
behavioral1/files/0x0008000000015d6b-12.dat	xmrig
behavioral1/files/0x0007000000015d7f-21.dat	xmrig
behavioral1/files/0x0007000000015d87-23.dat	xmrig
behavioral1/files/0x0007000000015e32-36.dat	xmrig
behavioral1/files/0x0008000000015ecc-40.dat	xmrig
behavioral1/files/0x0006000000016cdc-45.dat	xmrig
behavioral1/files/0x0006000000016d3e-75.dat	xmrig
behavioral1/files/0x0006000000016d74-90.dat	xmrig
behavioral1/files/0x0006000000016da5-105.dat	xmrig
behavioral1/files/0x0006000000016d9d-100.dat	xmrig
behavioral1/files/0x0006000000016d8e-95.dat	xmrig
behavioral1/memory/2540-128-0x000000013F970000-0x000000013FCC4000-memory.dmp	xmrig
behavioral1/memory/3044-129-0x000000013FC60000-0x000000013FFB4000-memory.dmp	xmrig
behavioral1/memory/2440-127-0x000000013FF60000-0x00000001402B4000-memory.dmp	xmrig
behavioral1/memory/2968-126-0x000000013FF60000-0x00000001402B4000-memory.dmp	xmrig
behavioral1/memory/2648-125-0x000000013FD50000-0x00000001400A4000-memory.dmp	xmrig
behavioral1/memory/2584-123-0x000000013F630000-0x000000013F984000-memory.dmp	xmrig
behavioral1/memory/2968-122-0x000000013F630000-0x000000013F984000-memory.dmp	xmrig
behavioral1/memory/2448-121-0x000000013F2D0000-0x000000013F624000-memory.dmp	xmrig
behavioral1/memory/2620-119-0x000000013F520000-0x000000013F874000-memory.dmp	xmrig
behavioral1/memory/2968-118-0x000000013F520000-0x000000013F874000-memory.dmp	xmrig
behavioral1/memory/2688-117-0x000000013F9F0000-0x000000013FD44000-memory.dmp	xmrig
behavioral1/memory/2576-116-0x000000013F650000-0x000000013F9A4000-memory.dmp	xmrig
behavioral1/memory/2676-115-0x000000013FE10000-0x0000000140164000-memory.dmp	xmrig
behavioral1/memory/2968-114-0x000000013FE10000-0x0000000140164000-memory.dmp	xmrig
behavioral1/memory/2564-113-0x000000013FC30000-0x000000013FF84000-memory.dmp	xmrig
behavioral1/memory/3020-112-0x000000013F850000-0x000000013FBA4000-memory.dmp	xmrig
behavioral1/memory/3000-111-0x000000013FB90000-0x000000013FEE4000-memory.dmp	xmrig
behavioral1/memory/1784-109-0x000000013FE20000-0x0000000140174000-memory.dmp	xmrig
behavioral1/files/0x0006000000016d5f-85.dat	xmrig
behavioral1/files/0x0006000000016d43-80.dat	xmrig
behavioral1/files/0x0006000000016d3a-70.dat	xmrig
behavioral1/files/0x0006000000016d34-65.dat	xmrig
behavioral1/files/0x0006000000016d20-60.dat	xmrig
behavioral1/files/0x0006000000016d18-55.dat	xmrig
behavioral1/files/0x0006000000016d07-50.dat	xmrig
behavioral1/files/0x0007000000015d93-30.dat	xmrig
behavioral1/memory/2968-130-0x000000013F9A0000-0x000000013FCF4000-memory.dmp	xmrig
behavioral1/memory/3044-132-0x000000013FC60000-0x000000013FFB4000-memory.dmp	xmrig
behavioral1/memory/3000-133-0x000000013FB90000-0x000000013FEE4000-memory.dmp	xmrig
behavioral1/memory/1784-134-0x000000013FE20000-0x0000000140174000-memory.dmp	xmrig
behavioral1/memory/3020-135-0x000000013F850000-0x000000013FBA4000-memory.dmp	xmrig
behavioral1/memory/2564-136-0x000000013FC30000-0x000000013FF84000-memory.dmp	xmrig
behavioral1/memory/2676-137-0x000000013FE10000-0x0000000140164000-memory.dmp	xmrig
behavioral1/memory/2576-138-0x000000013F650000-0x000000013F9A4000-memory.dmp	xmrig
behavioral1/memory/2688-139-0x000000013F9F0000-0x000000013FD44000-memory.dmp	xmrig
behavioral1/memory/2620-140-0x000000013F520000-0x000000013F874000-memory.dmp	xmrig
behavioral1/memory/2448-141-0x000000013F2D0000-0x000000013F624000-memory.dmp	xmrig
behavioral1/memory/2584-142-0x000000013F630000-0x000000013F984000-memory.dmp	xmrig
behavioral1/memory/2440-143-0x000000013FF60000-0x00000001402B4000-memory.dmp	xmrig
behavioral1/memory/2540-145-0x000000013F970000-0x000000013FCC4000-memory.dmp	xmrig
behavioral1/memory/2648-144-0x000000013FD50000-0x00000001400A4000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
3044	lTJFrxR.exe
1784	WaTbhTV.exe
3000	RpmkRlH.exe
3020	SMaGjMk.exe
2564	FzhJBPZ.exe
2676	JVKRqQY.exe
2576	zGmCsMl.exe
2688	ZIOYrba.exe
2620	PUKuGua.exe
2448	jGzeYvT.exe
2584	yCdzqwl.exe
2648	QDDVhVh.exe
2440	uOcZLjp.exe
2540	ebSyWCk.exe
3004	dUgzKMM.exe
1696	awUpzqz.exe
1420	Yodnbnu.exe
2508	hUypbMm.exe
2776	nKRkUaE.exe
2748	iqyEQXg.exe
2308	zgZfrFj.exe

Loads dropped DLL 21 IoCs

pid	Process
2968	2024-06-02_daffa1533f837a6e5c37a98b47a5974f_cobalt-strike_cobaltstrike.exe
2968	2024-06-02_daffa1533f837a6e5c37a98b47a5974f_cobalt-strike_cobaltstrike.exe
2968	2024-06-02_daffa1533f837a6e5c37a98b47a5974f_cobalt-strike_cobaltstrike.exe
2968	2024-06-02_daffa1533f837a6e5c37a98b47a5974f_cobalt-strike_cobaltstrike.exe
2968	2024-06-02_daffa1533f837a6e5c37a98b47a5974f_cobalt-strike_cobaltstrike.exe
2968	2024-06-02_daffa1533f837a6e5c37a98b47a5974f_cobalt-strike_cobaltstrike.exe
2968	2024-06-02_daffa1533f837a6e5c37a98b47a5974f_cobalt-strike_cobaltstrike.exe
2968	2024-06-02_daffa1533f837a6e5c37a98b47a5974f_cobalt-strike_cobaltstrike.exe
2968	2024-06-02_daffa1533f837a6e5c37a98b47a5974f_cobalt-strike_cobaltstrike.exe
2968	2024-06-02_daffa1533f837a6e5c37a98b47a5974f_cobalt-strike_cobaltstrike.exe
2968	2024-06-02_daffa1533f837a6e5c37a98b47a5974f_cobalt-strike_cobaltstrike.exe
2968	2024-06-02_daffa1533f837a6e5c37a98b47a5974f_cobalt-strike_cobaltstrike.exe
2968	2024-06-02_daffa1533f837a6e5c37a98b47a5974f_cobalt-strike_cobaltstrike.exe
2968	2024-06-02_daffa1533f837a6e5c37a98b47a5974f_cobalt-strike_cobaltstrike.exe
2968	2024-06-02_daffa1533f837a6e5c37a98b47a5974f_cobalt-strike_cobaltstrike.exe
2968	2024-06-02_daffa1533f837a6e5c37a98b47a5974f_cobalt-strike_cobaltstrike.exe
2968	2024-06-02_daffa1533f837a6e5c37a98b47a5974f_cobalt-strike_cobaltstrike.exe
2968	2024-06-02_daffa1533f837a6e5c37a98b47a5974f_cobalt-strike_cobaltstrike.exe
2968	2024-06-02_daffa1533f837a6e5c37a98b47a5974f_cobalt-strike_cobaltstrike.exe
2968	2024-06-02_daffa1533f837a6e5c37a98b47a5974f_cobalt-strike_cobaltstrike.exe
2968	2024-06-02_daffa1533f837a6e5c37a98b47a5974f_cobalt-strike_cobaltstrike.exe

UPX packed file 51 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2968-0-0x000000013F9A0000-0x000000013FCF4000-memory.dmp	upx
behavioral1/files/0x000a000000015cb6-3.dat	upx
behavioral1/files/0x0035000000015d42-11.dat	upx
behavioral1/files/0x0008000000015d6b-12.dat	upx
behavioral1/files/0x0007000000015d7f-21.dat	upx
behavioral1/files/0x0007000000015d87-23.dat	upx
behavioral1/files/0x0007000000015e32-36.dat	upx
behavioral1/files/0x0008000000015ecc-40.dat	upx
behavioral1/files/0x0006000000016cdc-45.dat	upx
behavioral1/files/0x0006000000016d3e-75.dat	upx
behavioral1/files/0x0006000000016d74-90.dat	upx
behavioral1/files/0x0006000000016da5-105.dat	upx
behavioral1/files/0x0006000000016d9d-100.dat	upx
behavioral1/files/0x0006000000016d8e-95.dat	upx
behavioral1/memory/2540-128-0x000000013F970000-0x000000013FCC4000-memory.dmp	upx
behavioral1/memory/3044-129-0x000000013FC60000-0x000000013FFB4000-memory.dmp	upx
behavioral1/memory/2440-127-0x000000013FF60000-0x00000001402B4000-memory.dmp	upx
behavioral1/memory/2648-125-0x000000013FD50000-0x00000001400A4000-memory.dmp	upx
behavioral1/memory/2584-123-0x000000013F630000-0x000000013F984000-memory.dmp	upx
behavioral1/memory/2448-121-0x000000013F2D0000-0x000000013F624000-memory.dmp	upx
behavioral1/memory/2620-119-0x000000013F520000-0x000000013F874000-memory.dmp	upx
behavioral1/memory/2688-117-0x000000013F9F0000-0x000000013FD44000-memory.dmp	upx
behavioral1/memory/2576-116-0x000000013F650000-0x000000013F9A4000-memory.dmp	upx
behavioral1/memory/2676-115-0x000000013FE10000-0x0000000140164000-memory.dmp	upx
behavioral1/memory/2564-113-0x000000013FC30000-0x000000013FF84000-memory.dmp	upx
behavioral1/memory/3020-112-0x000000013F850000-0x000000013FBA4000-memory.dmp	upx
behavioral1/memory/3000-111-0x000000013FB90000-0x000000013FEE4000-memory.dmp	upx
behavioral1/memory/1784-109-0x000000013FE20000-0x0000000140174000-memory.dmp	upx
behavioral1/files/0x0006000000016d5f-85.dat	upx
behavioral1/files/0x0006000000016d43-80.dat	upx
behavioral1/files/0x0006000000016d3a-70.dat	upx
behavioral1/files/0x0006000000016d34-65.dat	upx
behavioral1/files/0x0006000000016d20-60.dat	upx
behavioral1/files/0x0006000000016d18-55.dat	upx
behavioral1/files/0x0006000000016d07-50.dat	upx
behavioral1/files/0x0007000000015d93-30.dat	upx
behavioral1/memory/2968-130-0x000000013F9A0000-0x000000013FCF4000-memory.dmp	upx
behavioral1/memory/3044-132-0x000000013FC60000-0x000000013FFB4000-memory.dmp	upx
behavioral1/memory/3000-133-0x000000013FB90000-0x000000013FEE4000-memory.dmp	upx
behavioral1/memory/1784-134-0x000000013FE20000-0x0000000140174000-memory.dmp	upx
behavioral1/memory/3020-135-0x000000013F850000-0x000000013FBA4000-memory.dmp	upx
behavioral1/memory/2564-136-0x000000013FC30000-0x000000013FF84000-memory.dmp	upx
behavioral1/memory/2676-137-0x000000013FE10000-0x0000000140164000-memory.dmp	upx
behavioral1/memory/2576-138-0x000000013F650000-0x000000013F9A4000-memory.dmp	upx
behavioral1/memory/2688-139-0x000000013F9F0000-0x000000013FD44000-memory.dmp	upx
behavioral1/memory/2620-140-0x000000013F520000-0x000000013F874000-memory.dmp	upx
behavioral1/memory/2448-141-0x000000013F2D0000-0x000000013F624000-memory.dmp	upx
behavioral1/memory/2584-142-0x000000013F630000-0x000000013F984000-memory.dmp	upx
behavioral1/memory/2440-143-0x000000013FF60000-0x00000001402B4000-memory.dmp	upx
behavioral1/memory/2540-145-0x000000013F970000-0x000000013FCC4000-memory.dmp	upx
behavioral1/memory/2648-144-0x000000013FD50000-0x00000001400A4000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\RpmkRlH.exe	2024-06-02_daffa1533f837a6e5c37a98b47a5974f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\zGmCsMl.exe	2024-06-02_daffa1533f837a6e5c37a98b47a5974f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\awUpzqz.exe	2024-06-02_daffa1533f837a6e5c37a98b47a5974f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\zgZfrFj.exe	2024-06-02_daffa1533f837a6e5c37a98b47a5974f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\iqyEQXg.exe	2024-06-02_daffa1533f837a6e5c37a98b47a5974f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\lTJFrxR.exe	2024-06-02_daffa1533f837a6e5c37a98b47a5974f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\QDDVhVh.exe	2024-06-02_daffa1533f837a6e5c37a98b47a5974f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\hUypbMm.exe	2024-06-02_daffa1533f837a6e5c37a98b47a5974f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\nKRkUaE.exe	2024-06-02_daffa1533f837a6e5c37a98b47a5974f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ZIOYrba.exe	2024-06-02_daffa1533f837a6e5c37a98b47a5974f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\PUKuGua.exe	2024-06-02_daffa1533f837a6e5c37a98b47a5974f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ebSyWCk.exe	2024-06-02_daffa1533f837a6e5c37a98b47a5974f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\jGzeYvT.exe	2024-06-02_daffa1533f837a6e5c37a98b47a5974f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\yCdzqwl.exe	2024-06-02_daffa1533f837a6e5c37a98b47a5974f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\uOcZLjp.exe	2024-06-02_daffa1533f837a6e5c37a98b47a5974f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\dUgzKMM.exe	2024-06-02_daffa1533f837a6e5c37a98b47a5974f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\WaTbhTV.exe	2024-06-02_daffa1533f837a6e5c37a98b47a5974f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\SMaGjMk.exe	2024-06-02_daffa1533f837a6e5c37a98b47a5974f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\FzhJBPZ.exe	2024-06-02_daffa1533f837a6e5c37a98b47a5974f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\JVKRqQY.exe	2024-06-02_daffa1533f837a6e5c37a98b47a5974f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\Yodnbnu.exe	2024-06-02_daffa1533f837a6e5c37a98b47a5974f_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2968	2024-06-02_daffa1533f837a6e5c37a98b47a5974f_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	2968	2024-06-02_daffa1533f837a6e5c37a98b47a5974f_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2968 wrote to memory of 3044	2968	2024-06-02_daffa1533f837a6e5c37a98b47a5974f_cobalt-strike_cobaltstrike.exe	29
PID 2968 wrote to memory of 3044	2968	2024-06-02_daffa1533f837a6e5c37a98b47a5974f_cobalt-strike_cobaltstrike.exe	29
PID 2968 wrote to memory of 3044	2968	2024-06-02_daffa1533f837a6e5c37a98b47a5974f_cobalt-strike_cobaltstrike.exe	29
PID 2968 wrote to memory of 1784	2968	2024-06-02_daffa1533f837a6e5c37a98b47a5974f_cobalt-strike_cobaltstrike.exe	30
PID 2968 wrote to memory of 1784	2968	2024-06-02_daffa1533f837a6e5c37a98b47a5974f_cobalt-strike_cobaltstrike.exe	30
PID 2968 wrote to memory of 1784	2968	2024-06-02_daffa1533f837a6e5c37a98b47a5974f_cobalt-strike_cobaltstrike.exe	30
PID 2968 wrote to memory of 3000	2968	2024-06-02_daffa1533f837a6e5c37a98b47a5974f_cobalt-strike_cobaltstrike.exe	31
PID 2968 wrote to memory of 3000	2968	2024-06-02_daffa1533f837a6e5c37a98b47a5974f_cobalt-strike_cobaltstrike.exe	31
PID 2968 wrote to memory of 3000	2968	2024-06-02_daffa1533f837a6e5c37a98b47a5974f_cobalt-strike_cobaltstrike.exe	31
PID 2968 wrote to memory of 3020	2968	2024-06-02_daffa1533f837a6e5c37a98b47a5974f_cobalt-strike_cobaltstrike.exe	32
PID 2968 wrote to memory of 3020	2968	2024-06-02_daffa1533f837a6e5c37a98b47a5974f_cobalt-strike_cobaltstrike.exe	32
PID 2968 wrote to memory of 3020	2968	2024-06-02_daffa1533f837a6e5c37a98b47a5974f_cobalt-strike_cobaltstrike.exe	32
PID 2968 wrote to memory of 2564	2968	2024-06-02_daffa1533f837a6e5c37a98b47a5974f_cobalt-strike_cobaltstrike.exe	33
PID 2968 wrote to memory of 2564	2968	2024-06-02_daffa1533f837a6e5c37a98b47a5974f_cobalt-strike_cobaltstrike.exe	33
PID 2968 wrote to memory of 2564	2968	2024-06-02_daffa1533f837a6e5c37a98b47a5974f_cobalt-strike_cobaltstrike.exe	33
PID 2968 wrote to memory of 2676	2968	2024-06-02_daffa1533f837a6e5c37a98b47a5974f_cobalt-strike_cobaltstrike.exe	34
PID 2968 wrote to memory of 2676	2968	2024-06-02_daffa1533f837a6e5c37a98b47a5974f_cobalt-strike_cobaltstrike.exe	34
PID 2968 wrote to memory of 2676	2968	2024-06-02_daffa1533f837a6e5c37a98b47a5974f_cobalt-strike_cobaltstrike.exe	34
PID 2968 wrote to memory of 2576	2968	2024-06-02_daffa1533f837a6e5c37a98b47a5974f_cobalt-strike_cobaltstrike.exe	35
PID 2968 wrote to memory of 2576	2968	2024-06-02_daffa1533f837a6e5c37a98b47a5974f_cobalt-strike_cobaltstrike.exe	35
PID 2968 wrote to memory of 2576	2968	2024-06-02_daffa1533f837a6e5c37a98b47a5974f_cobalt-strike_cobaltstrike.exe	35
PID 2968 wrote to memory of 2688	2968	2024-06-02_daffa1533f837a6e5c37a98b47a5974f_cobalt-strike_cobaltstrike.exe	36
PID 2968 wrote to memory of 2688	2968	2024-06-02_daffa1533f837a6e5c37a98b47a5974f_cobalt-strike_cobaltstrike.exe	36
PID 2968 wrote to memory of 2688	2968	2024-06-02_daffa1533f837a6e5c37a98b47a5974f_cobalt-strike_cobaltstrike.exe	36
PID 2968 wrote to memory of 2620	2968	2024-06-02_daffa1533f837a6e5c37a98b47a5974f_cobalt-strike_cobaltstrike.exe	37
PID 2968 wrote to memory of 2620	2968	2024-06-02_daffa1533f837a6e5c37a98b47a5974f_cobalt-strike_cobaltstrike.exe	37
PID 2968 wrote to memory of 2620	2968	2024-06-02_daffa1533f837a6e5c37a98b47a5974f_cobalt-strike_cobaltstrike.exe	37
PID 2968 wrote to memory of 2448	2968	2024-06-02_daffa1533f837a6e5c37a98b47a5974f_cobalt-strike_cobaltstrike.exe	38
PID 2968 wrote to memory of 2448	2968	2024-06-02_daffa1533f837a6e5c37a98b47a5974f_cobalt-strike_cobaltstrike.exe	38
PID 2968 wrote to memory of 2448	2968	2024-06-02_daffa1533f837a6e5c37a98b47a5974f_cobalt-strike_cobaltstrike.exe	38
PID 2968 wrote to memory of 2584	2968	2024-06-02_daffa1533f837a6e5c37a98b47a5974f_cobalt-strike_cobaltstrike.exe	39
PID 2968 wrote to memory of 2584	2968	2024-06-02_daffa1533f837a6e5c37a98b47a5974f_cobalt-strike_cobaltstrike.exe	39
PID 2968 wrote to memory of 2584	2968	2024-06-02_daffa1533f837a6e5c37a98b47a5974f_cobalt-strike_cobaltstrike.exe	39
PID 2968 wrote to memory of 2648	2968	2024-06-02_daffa1533f837a6e5c37a98b47a5974f_cobalt-strike_cobaltstrike.exe	40
PID 2968 wrote to memory of 2648	2968	2024-06-02_daffa1533f837a6e5c37a98b47a5974f_cobalt-strike_cobaltstrike.exe	40
PID 2968 wrote to memory of 2648	2968	2024-06-02_daffa1533f837a6e5c37a98b47a5974f_cobalt-strike_cobaltstrike.exe	40
PID 2968 wrote to memory of 2440	2968	2024-06-02_daffa1533f837a6e5c37a98b47a5974f_cobalt-strike_cobaltstrike.exe	41
PID 2968 wrote to memory of 2440	2968	2024-06-02_daffa1533f837a6e5c37a98b47a5974f_cobalt-strike_cobaltstrike.exe	41
PID 2968 wrote to memory of 2440	2968	2024-06-02_daffa1533f837a6e5c37a98b47a5974f_cobalt-strike_cobaltstrike.exe	41
PID 2968 wrote to memory of 2540	2968	2024-06-02_daffa1533f837a6e5c37a98b47a5974f_cobalt-strike_cobaltstrike.exe	42
PID 2968 wrote to memory of 2540	2968	2024-06-02_daffa1533f837a6e5c37a98b47a5974f_cobalt-strike_cobaltstrike.exe	42
PID 2968 wrote to memory of 2540	2968	2024-06-02_daffa1533f837a6e5c37a98b47a5974f_cobalt-strike_cobaltstrike.exe	42
PID 2968 wrote to memory of 3004	2968	2024-06-02_daffa1533f837a6e5c37a98b47a5974f_cobalt-strike_cobaltstrike.exe	43
PID 2968 wrote to memory of 3004	2968	2024-06-02_daffa1533f837a6e5c37a98b47a5974f_cobalt-strike_cobaltstrike.exe	43
PID 2968 wrote to memory of 3004	2968	2024-06-02_daffa1533f837a6e5c37a98b47a5974f_cobalt-strike_cobaltstrike.exe	43
PID 2968 wrote to memory of 1696	2968	2024-06-02_daffa1533f837a6e5c37a98b47a5974f_cobalt-strike_cobaltstrike.exe	44
PID 2968 wrote to memory of 1696	2968	2024-06-02_daffa1533f837a6e5c37a98b47a5974f_cobalt-strike_cobaltstrike.exe	44
PID 2968 wrote to memory of 1696	2968	2024-06-02_daffa1533f837a6e5c37a98b47a5974f_cobalt-strike_cobaltstrike.exe	44
PID 2968 wrote to memory of 1420	2968	2024-06-02_daffa1533f837a6e5c37a98b47a5974f_cobalt-strike_cobaltstrike.exe	45
PID 2968 wrote to memory of 1420	2968	2024-06-02_daffa1533f837a6e5c37a98b47a5974f_cobalt-strike_cobaltstrike.exe	45
PID 2968 wrote to memory of 1420	2968	2024-06-02_daffa1533f837a6e5c37a98b47a5974f_cobalt-strike_cobaltstrike.exe	45
PID 2968 wrote to memory of 2508	2968	2024-06-02_daffa1533f837a6e5c37a98b47a5974f_cobalt-strike_cobaltstrike.exe	46
PID 2968 wrote to memory of 2508	2968	2024-06-02_daffa1533f837a6e5c37a98b47a5974f_cobalt-strike_cobaltstrike.exe	46
PID 2968 wrote to memory of 2508	2968	2024-06-02_daffa1533f837a6e5c37a98b47a5974f_cobalt-strike_cobaltstrike.exe	46
PID 2968 wrote to memory of 2776	2968	2024-06-02_daffa1533f837a6e5c37a98b47a5974f_cobalt-strike_cobaltstrike.exe	47
PID 2968 wrote to memory of 2776	2968	2024-06-02_daffa1533f837a6e5c37a98b47a5974f_cobalt-strike_cobaltstrike.exe	47
PID 2968 wrote to memory of 2776	2968	2024-06-02_daffa1533f837a6e5c37a98b47a5974f_cobalt-strike_cobaltstrike.exe	47
PID 2968 wrote to memory of 2748	2968	2024-06-02_daffa1533f837a6e5c37a98b47a5974f_cobalt-strike_cobaltstrike.exe	48
PID 2968 wrote to memory of 2748	2968	2024-06-02_daffa1533f837a6e5c37a98b47a5974f_cobalt-strike_cobaltstrike.exe	48
PID 2968 wrote to memory of 2748	2968	2024-06-02_daffa1533f837a6e5c37a98b47a5974f_cobalt-strike_cobaltstrike.exe	48
PID 2968 wrote to memory of 2308	2968	2024-06-02_daffa1533f837a6e5c37a98b47a5974f_cobalt-strike_cobaltstrike.exe	49
PID 2968 wrote to memory of 2308	2968	2024-06-02_daffa1533f837a6e5c37a98b47a5974f_cobalt-strike_cobaltstrike.exe	49
PID 2968 wrote to memory of 2308	2968	2024-06-02_daffa1533f837a6e5c37a98b47a5974f_cobalt-strike_cobaltstrike.exe	49

C:\Users\Admin\AppData\Local\Temp\2024-06-02_daffa1533f837a6e5c37a98b47a5974f_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-02_daffa1533f837a6e5c37a98b47a5974f_cobalt-strike_cobaltstrike.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2968
- C:\Windows\System\lTJFrxR.exe
  C:\Windows\System\lTJFrxR.exe
  2⤵
  - Executes dropped EXE
  PID:3044
- C:\Windows\System\WaTbhTV.exe
  C:\Windows\System\WaTbhTV.exe
  2⤵
  - Executes dropped EXE
  PID:1784
- C:\Windows\System\RpmkRlH.exe
  C:\Windows\System\RpmkRlH.exe
  2⤵
  - Executes dropped EXE
  PID:3000
- C:\Windows\System\SMaGjMk.exe
  C:\Windows\System\SMaGjMk.exe
  2⤵
  - Executes dropped EXE
  PID:3020
- C:\Windows\System\FzhJBPZ.exe
  C:\Windows\System\FzhJBPZ.exe
  2⤵
  - Executes dropped EXE
  PID:2564
- C:\Windows\System\JVKRqQY.exe
  C:\Windows\System\JVKRqQY.exe
  2⤵
  - Executes dropped EXE
  PID:2676
- C:\Windows\System\zGmCsMl.exe
  C:\Windows\System\zGmCsMl.exe
  2⤵
  - Executes dropped EXE
  PID:2576
- C:\Windows\System\ZIOYrba.exe
  C:\Windows\System\ZIOYrba.exe
  2⤵
  - Executes dropped EXE
  PID:2688
- C:\Windows\System\PUKuGua.exe
  C:\Windows\System\PUKuGua.exe
  2⤵
  - Executes dropped EXE
  PID:2620
- C:\Windows\System\jGzeYvT.exe
  C:\Windows\System\jGzeYvT.exe
  2⤵
  - Executes dropped EXE
  PID:2448
- C:\Windows\System\yCdzqwl.exe
  C:\Windows\System\yCdzqwl.exe
  2⤵
  - Executes dropped EXE
  PID:2584
- C:\Windows\System\QDDVhVh.exe
  C:\Windows\System\QDDVhVh.exe
  2⤵
  - Executes dropped EXE
  PID:2648
- C:\Windows\System\uOcZLjp.exe
  C:\Windows\System\uOcZLjp.exe
  2⤵
  - Executes dropped EXE
  PID:2440
- C:\Windows\System\ebSyWCk.exe
  C:\Windows\System\ebSyWCk.exe
  2⤵
  - Executes dropped EXE
  PID:2540
- C:\Windows\System\dUgzKMM.exe
  C:\Windows\System\dUgzKMM.exe
  2⤵
  - Executes dropped EXE
  PID:3004
- C:\Windows\System\awUpzqz.exe
  C:\Windows\System\awUpzqz.exe
  2⤵
  - Executes dropped EXE
  PID:1696
- C:\Windows\System\Yodnbnu.exe
  C:\Windows\System\Yodnbnu.exe
  2⤵
  - Executes dropped EXE
  PID:1420
- C:\Windows\System\hUypbMm.exe
  C:\Windows\System\hUypbMm.exe
  2⤵
  - Executes dropped EXE
  PID:2508
- C:\Windows\System\nKRkUaE.exe
  C:\Windows\System\nKRkUaE.exe
  2⤵
  - Executes dropped EXE
  PID:2776
- C:\Windows\System\iqyEQXg.exe
  C:\Windows\System\iqyEQXg.exe
  2⤵
  - Executes dropped EXE
  PID:2748
- C:\Windows\System\zgZfrFj.exe
  C:\Windows\System\zgZfrFj.exe
  2⤵
  - Executes dropped EXE
  PID:2308

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\JVKRqQY.exe

Filesize
5.9MB

MD5
a7f41253bcbc83aec06472db391867cd

SHA1
b9863e899b4b33325e7a04f2d94362b11283f3d9

SHA256
fef60f10e787da0f15e812a058ea53475f144f599a37a4feedd5a9a28cc33fbe

SHA512
e78776c388b61bc1fd10d1959b06ceed843d17c5df3a2ddd4f08345139dde0ec402dd34deeeff7adcfd8575bf65fe50fe6ad11af19ba06fd140b55eec2fb01f9

Download Submit
C:\Windows\system\PUKuGua.exe

Filesize
5.9MB

MD5
967850be0c4f6c6c1bb852491df3380c

SHA1
e394ef78d017bf8871fea0dd9149a6178ea0d606

SHA256
8b9f9fa922db4766274607f4f71ba9183bcb41df2def060f74448e80af3ba413

SHA512
56d1da1f14d8dc97aa64564187da88d87438051c67ecc4351daab5600bd2e70e7e948181fdfe00baf33f25a2d185d7c489a534360a4cb4c764e2a897487868ed

Download Submit
C:\Windows\system\QDDVhVh.exe

Filesize
5.9MB

MD5
9b38956d1699c502109251fae570fb86

SHA1
32ff285ea42166568824a37dc225baa169edc55c

SHA256
73a73e06d1b6b3e002d5f7a3b6b7a9a28bf7387dc18122f19244a576f283bc55

SHA512
2e0b5299113aa1268e2e2bbd74ca9182a9d6c0cfcca095d4b246665db333e64061f1714db264f4855506abfae2386dc55b09784d4d49eaeffc2fb04230e8d6e7

Download Submit
C:\Windows\system\SMaGjMk.exe

Filesize
5.9MB

MD5
c3b7465ad8a30ae10e157f18947b7b30

SHA1
f9be27f684edb7e9698c1214af6906b5a6353661

SHA256
61751a0f200ee5fa3e8714b2155e152c10b5e68a56073a676e97b4ac297f115e

SHA512
26c1f5fbaaec8dd5bdf463682feaa2e701f79f25c49803f5ae20afee337a64497e1ddccda04746ed4486330464de2b2cdc6433fce1f3b55356f8aab9ed7a8490

Download Submit
C:\Windows\system\WaTbhTV.exe

Filesize
5.9MB

MD5
781f8e9485b63cbcace2cf4d7f94099c

SHA1
135cfd2dcec4bdbbe281430ccbf18bd94f97fff1

SHA256
5c9878a425dafce17f3f8f350fb1b65455f1d3c01e23c099eb36af5df8b9b81c

SHA512
70d8d79508ab6beaba8ac5aca1084511fb8797c477764548d5848652f59e7de5341036ab5504f957763be81cfe6ab0e7195b97e355f564032ea9fb2ba6425c9b

Download Submit
C:\Windows\system\Yodnbnu.exe

Filesize
5.9MB

MD5
61fbdd7aeaa73136e71e8fabf5924fa9

SHA1
b2842b8b899335c0ea3b5e1f01375f1daa565039

SHA256
3d36a4a6ac38d12c32c5f8d9f3847254d49a668efc40378b139b6ec5604d6f64

SHA512
d7ffc81440d9f6566e5e12b9267cdc37f3bc6e5f41c35e3d94ab227ef18b0517b6993977919401eeafc7570d98b910976c18004aed3784015d03b14f4d2e7352

Download Submit
C:\Windows\system\ZIOYrba.exe

Filesize
5.9MB

MD5
7cee6f8c607c2b012bd0ab2d2af90eea

SHA1
206d052e89c29f329dcd4b5d0d92e530327b6bc9

SHA256
9a59668a1a159a026577008bd61c2a8329b8286ab50f04e413c5ad3893ba8259

SHA512
3674e38a2067aae7e9d683cf3e4e9ed18ad7f93922f984763d33bd0a4a4265d83e399a408ae7a4ead0a9e81cecfc5b76d3401fcb33cb01ffdb95fe25ec109228

Download Submit
C:\Windows\system\awUpzqz.exe

Filesize
5.9MB

MD5
e240807e9925457a0e308b7e79fb7970

SHA1
627256a90274f05117131a632035738da8e706fd

SHA256
fc1bf63cf7a9f46f5cf8595c81b949f07b9928fdca897d0eb18c5592413454b3

SHA512
88a69066566578a69e38d5cf23c6808bc5e3b1a577d748c4c187dc7b599301e8763c8e156237333a14b027ca0ffaf3517dec73b85b0a143775fe586557c0e879

Download Submit
C:\Windows\system\dUgzKMM.exe

Filesize
5.9MB

MD5
f7a0cda69c6aee2a32f64ce1e5086e15

SHA1
7735be9c5d18dde065a84545c1596d0f6325e0b8

SHA256
a04329d83ea633b364f9e17905c5059121392d597eb6cea3f337082640f495d7

SHA512
c2986c0c463ad3063536f95c121e445958d1efc8210aca645160b33ee6dd34372ddccb667130e5be22c01419894e6c868d10ff6d303ac9751a21a0fd324abc97

Download Submit
C:\Windows\system\ebSyWCk.exe

Filesize
5.9MB

MD5
4f1f8a36aff04ae77f0d442e4610cd1d

SHA1
8ec6070fa2313f123c0a3396792ba91b90744797

SHA256
8ef46dc1267bf2afdc753dbe1f16b1afec6686f69e2d859a32c58d390dd07315

SHA512
9bb996f8b98c7f5c3a33944fd50409d41c1914369ee7b35380dd173bd1c7da120f76fccbc60a29d0127bad037702fe807cf68a350da8b6531fe7b1583608b75c

Download Submit
C:\Windows\system\hUypbMm.exe

Filesize
5.9MB

MD5
8f551ba4c07e8d7e25c416fa422f08ad

SHA1
f8c1f87e936e0af53d31704f91f26889621c9373

SHA256
579011a715b43377fee2142fab43bf7500893c507f90e76808dca71ea7c4e9d0

SHA512
8941bda9caa6dacf3bdd89f822545d5790a12cd74f71487f84795c83e58c07e9ea03ee02f3d544f796b17380232cc7f1c3ab8b8d6acd623b0905cc8dafc59dbe

Download Submit
C:\Windows\system\iqyEQXg.exe

Filesize
5.9MB

MD5
6128a8952411e2084eebf67ebfd515a8

SHA1
68fa46f47001ca723540929d022ecaa4b6f512a7

SHA256
3e8e50d3f96761dfdd9c10a0874d305a1ef7eb80322bbc06039fac072c161a73

SHA512
e90d2ac6fd51c771047929da873985f112c38120b8792d5a43959146d64dc4b7dcb897b771b2ac1c80747eeec18e83501fb9d1ff364543f0eb65da0bceb45b18

Download Submit
C:\Windows\system\jGzeYvT.exe

Filesize
5.9MB

MD5
14e6d693fd66fbec1132e3ebc4dc5492

SHA1
f6708279d4ecc50aa7d02b6da1a6f832527100db

SHA256
02f7a0a4766fa187538825a6580b458e31727a7e782325071bd054bb9dff2bfd

SHA512
0fd3058be7608f367b964bd6c29d6a5523f93a4598c0e603255ce654807dfec55e45e55fcf45a702d2b5fb71cc2114b6f25870a640d1b11f4615e4dd47d9a973

Download Submit
C:\Windows\system\nKRkUaE.exe

Filesize
5.9MB

MD5
c7eaf3a8aa775b5fefe02f327c6491db

SHA1
32a7f7e7c4cd8a34481a9546da515846d3be9769

SHA256
945ab8b424639b1177f1a10ead03a215c05cce40e9e6dff8e1fd68bf4cff9cae

SHA512
4d3853ea2470968db8bbd44541de708ecb303feb0ec52296ca69fab77dde93fffc94049e4323aa3be1655964a27907197826b5443119c3c897fa2c2fa344f100

Download Submit
C:\Windows\system\uOcZLjp.exe

Filesize
5.9MB

MD5
19bd0722ae42300a6ce0a7a78e9d1b1c

SHA1
ec97373088baab726a3c68887e9fcc3f9a87a206

SHA256
9afc85bffb2ebb4f7095c3c1da7b4ab6313a0b1eb9c56aab2791a9d435dac43b

SHA512
5a72017f6720339284a9f4a2e3baa74ec1ca24fac4db4e6c38bdd5d9185e9b0c4a7ac363a970ad3abe9a40712aedc7322ffc27ff90489087c9c807d5b086cf92

Download Submit
C:\Windows\system\yCdzqwl.exe

Filesize
5.9MB

MD5
d6ef00920b5a17824f818c97ee2d7592

SHA1
07488be2c58934f791a1522b8568e37cc3457c8b

SHA256
af4bee64c09e2c5373f6ff4571eb31d848c6447c135a518dd40955a330230bd0

SHA512
cb370c0539da0c000f6d00c5a707b10d6b2b66ce366b736b9c8f18aff018804d1b0272cceea30f8f911dba4e1ed0d8fa265a3e964609340b1ee30640dcbdb409

Download Submit
C:\Windows\system\zGmCsMl.exe

Filesize
5.9MB

MD5
d8d7c9d942ec94fafe4821a54c1c9192

SHA1
ef1261baa70b0eb818f9fae076c7d9126e2a9e1d

SHA256
ad9ecaa4c16e3e32ab701d224590f492329ece9dda1d81de40dc358a8d9f0e8f

SHA512
17771fee311353b8ad5511c22bbf9a6b6abaa3ab01be1b776557f689be326cdabbbbe71588015f749b29e03633170446d28095177081c8d49a3ad6898f22bfa3

Download Submit
C:\Windows\system\zgZfrFj.exe

Filesize
5.9MB

MD5
152e29ae4beef004c335ee5c9cfe72ff

SHA1
b4ec6aa225fbdc1825659edf563b115911424a9a

SHA256
1b2a5dd22268d7209b1919d97077ac89d4d0cb7e4918caa95373e37f872ecee9

SHA512
8ef7d5aa946da536d76f63858705313b5bfad6fab4b12d1a96a0f99d339ae5c36a1968baf97ce7c4a2c3ee62b2c1c86a932ed5c02b684e3f72d626ff5056dcaa

Download Submit
\Windows\system\FzhJBPZ.exe

Filesize
5.9MB

MD5
92f6e201596ce0e002658f5dda0ed0db

SHA1
5cdc171d991e6beb269f1ad6ebc7785c2404e330

SHA256
ce44bc6e6f419a32e67ebe225762a13571ca9a5e1b3053d9544dcd0d6c8daf9b

SHA512
359d591402e1cc3b9e586bea06e4316e4e5e5cd53ae44fb9c420bd7fd8ba6efa9a23ecfbc93b5dd8ce26fd24004aaf5e3f6345be49fc5c4452a33097e45e5259

Download Submit
\Windows\system\RpmkRlH.exe

Filesize
5.9MB

MD5
d629c98dbf191622312952f72a50e158

SHA1
c54fa5e3c0f671783621e43e969b0fba6b29afe2

SHA256
e52fb0a0c2d0a0b1ad55103f8b88d0d06b444381fea68d7eb640b2cefb25b4a6

SHA512
501e48d28db85372cff2527674b95c3a4db6c07d983719f38154cdb39fafa65d38c6cebae62b7dc011df3885ba6899e94b4d9be238af39dfe5525ccfd26f9891

Download Submit
\Windows\system\lTJFrxR.exe

Filesize
5.9MB

MD5
6ceedf8d05242a16f3f371af58e540ca

SHA1
5db1851adce0a02347cd8a9579bd431bbb792c41

SHA256
eca6cbee928b62cd7c77bcae5f3afbf182cfcb75a171f499e093f7eb60b31f1e

SHA512
ddb92a7bd730d65a6bffe2c91743f2d09ce60261b32d8bb6413242a80b6822a480d08bd991e197ae8fd267ea2eb81caea6c1da94b4c299b87f131a31a75551ac

Download Submit
memory/1784-134-0x000000013FE20000-0x0000000140174000-memory.dmp

Filesize
3.3MB

Download
memory/1784-109-0x000000013FE20000-0x0000000140174000-memory.dmp

Filesize
3.3MB

Download
memory/2440-127-0x000000013FF60000-0x00000001402B4000-memory.dmp

Filesize
3.3MB

Download
memory/2440-143-0x000000013FF60000-0x00000001402B4000-memory.dmp

Filesize
3.3MB

Download
memory/2448-141-0x000000013F2D0000-0x000000013F624000-memory.dmp

Filesize
3.3MB

Download
memory/2448-121-0x000000013F2D0000-0x000000013F624000-memory.dmp

Filesize
3.3MB

Download
memory/2540-128-0x000000013F970000-0x000000013FCC4000-memory.dmp

Filesize
3.3MB

Download
memory/2540-145-0x000000013F970000-0x000000013FCC4000-memory.dmp

Filesize
3.3MB

Download
memory/2564-136-0x000000013FC30000-0x000000013FF84000-memory.dmp

Filesize
3.3MB

Download
memory/2564-113-0x000000013FC30000-0x000000013FF84000-memory.dmp

Filesize
3.3MB

Download
memory/2576-116-0x000000013F650000-0x000000013F9A4000-memory.dmp

Filesize
3.3MB

Download
memory/2576-138-0x000000013F650000-0x000000013F9A4000-memory.dmp

Filesize
3.3MB

Download
memory/2584-123-0x000000013F630000-0x000000013F984000-memory.dmp

Filesize
3.3MB

Download
memory/2584-142-0x000000013F630000-0x000000013F984000-memory.dmp

Filesize
3.3MB

Download
memory/2620-119-0x000000013F520000-0x000000013F874000-memory.dmp

Filesize
3.3MB

Download
memory/2620-140-0x000000013F520000-0x000000013F874000-memory.dmp

Filesize
3.3MB

Download
memory/2648-144-0x000000013FD50000-0x00000001400A4000-memory.dmp

Filesize
3.3MB

Download
memory/2648-125-0x000000013FD50000-0x00000001400A4000-memory.dmp

Filesize
3.3MB

Download
memory/2676-137-0x000000013FE10000-0x0000000140164000-memory.dmp

Filesize
3.3MB

Download
memory/2676-115-0x000000013FE10000-0x0000000140164000-memory.dmp

Filesize
3.3MB

Download
memory/2688-139-0x000000013F9F0000-0x000000013FD44000-memory.dmp

Filesize
3.3MB

Download
memory/2688-117-0x000000013F9F0000-0x000000013FD44000-memory.dmp

Filesize
3.3MB

Download
memory/2968-118-0x000000013F520000-0x000000013F874000-memory.dmp

Filesize
3.3MB

Download
memory/2968-110-0x0000000002220000-0x0000000002574000-memory.dmp

Filesize
3.3MB

Download
memory/2968-114-0x000000013FE10000-0x0000000140164000-memory.dmp

Filesize
3.3MB

Download
memory/2968-130-0x000000013F9A0000-0x000000013FCF4000-memory.dmp

Filesize
3.3MB

Download
memory/2968-131-0x000000013FE20000-0x0000000140174000-memory.dmp

Filesize
3.3MB

Download
memory/2968-1-0x00000000000F0000-0x0000000000100000-memory.dmp

Filesize
64KB

Download
memory/2968-108-0x000000013FE20000-0x0000000140174000-memory.dmp

Filesize
3.3MB

Download
memory/2968-0-0x000000013F9A0000-0x000000013FCF4000-memory.dmp

Filesize
3.3MB

Download
memory/2968-126-0x000000013FF60000-0x00000001402B4000-memory.dmp

Filesize
3.3MB

Download
memory/2968-124-0x000000013FD50000-0x00000001400A4000-memory.dmp

Filesize
3.3MB

Download
memory/2968-122-0x000000013F630000-0x000000013F984000-memory.dmp

Filesize
3.3MB

Download
memory/2968-120-0x000000013F2D0000-0x000000013F624000-memory.dmp

Filesize
3.3MB

Download
memory/2968-107-0x0000000002220000-0x0000000002574000-memory.dmp

Filesize
3.3MB

Download
memory/3000-133-0x000000013FB90000-0x000000013FEE4000-memory.dmp

Filesize
3.3MB

Download
memory/3000-111-0x000000013FB90000-0x000000013FEE4000-memory.dmp

Filesize
3.3MB

Download
memory/3020-135-0x000000013F850000-0x000000013FBA4000-memory.dmp

Filesize
3.3MB

Download
memory/3020-112-0x000000013F850000-0x000000013FBA4000-memory.dmp

Filesize
3.3MB

Download
memory/3044-132-0x000000013FC60000-0x000000013FFB4000-memory.dmp

Filesize
3.3MB

Download
memory/3044-129-0x000000013FC60000-0x000000013FFB4000-memory.dmp

Filesize
3.3MB

Download