cobaltstrike | 9276146a0daaea319db5b7861006417b8bc1a86051ee8dedd9ae4016549de96d

Analysis

max time kernel
140s
max time network
150s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
02/06/2024, 15:01

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe
Size

5.2MB
MD5

60bf0c1a92219729bb9232061c7e9445
SHA1

4bf1388359e5cd539330a6ee421aee3e7a355c30
SHA256

9276146a0daaea319db5b7861006417b8bc1a86051ee8dedd9ae4016549de96d
SHA512

10c9d8947987061888f7d5f864bec9c9c3f78b1a053413943ce0075b396a02e41de760510c974e78429d74fee419d1808e158eb94c81e3ecc8c7a38f79c2324e
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6l0:RWWBibf56utgpPFotBER/mQ32lU4

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x000b0000000144e4-3.dat	cobalt_reflective_dll
behavioral1/files/0x001500000001471d-10.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000014aa2-18.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000014b63-21.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000014bea-37.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015d9b-109.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015d87-107.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015ceb-116.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015d67-122.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015e3a-128.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015d8f-89.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015d79-82.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015d56-65.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015d07-58.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000014f71-57.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000014baa-56.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015d28-54.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015d6f-106.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015d5e-105.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015d4a-104.dat	cobalt_reflective_dll
behavioral1/files/0x0015000000014726-32.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

resource	yara_rule
behavioral1/files/0x000b0000000144e4-3.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x001500000001471d-10.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0008000000014aa2-18.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000014b63-21.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000014bea-37.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015d9b-109.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015d87-107.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000015ceb-116.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015d67-122.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015e3a-128.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015d8f-89.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015d79-82.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015d56-65.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015d07-58.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0008000000014f71-57.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000014baa-56.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015d28-54.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015d6f-106.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015d5e-105.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015d4a-104.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0015000000014726-32.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 63 IoCs

resource	yara_rule
behavioral1/memory/1032-0-0x000000013FC10000-0x000000013FF61000-memory.dmp	UPX
behavioral1/files/0x000b0000000144e4-3.dat	UPX
behavioral1/memory/2352-9-0x000000013FC30000-0x000000013FF81000-memory.dmp	UPX
behavioral1/memory/1032-7-0x00000000021F0000-0x0000000002541000-memory.dmp	UPX
behavioral1/files/0x001500000001471d-10.dat	UPX
behavioral1/memory/2336-14-0x000000013F210000-0x000000013F561000-memory.dmp	UPX
behavioral1/files/0x0008000000014aa2-18.dat	UPX
behavioral1/memory/2192-20-0x000000013FA60000-0x000000013FDB1000-memory.dmp	UPX
behavioral1/files/0x0007000000014b63-21.dat	UPX
behavioral1/memory/3044-27-0x000000013F940000-0x000000013FC91000-memory.dmp	UPX
behavioral1/files/0x0007000000014bea-37.dat	UPX
behavioral1/files/0x0006000000015d9b-109.dat	UPX
behavioral1/files/0x0006000000015d87-107.dat	UPX
behavioral1/files/0x0007000000015ceb-116.dat	UPX
behavioral1/files/0x0006000000015d67-122.dat	UPX
behavioral1/files/0x0006000000015e3a-128.dat	UPX
behavioral1/files/0x0006000000015d8f-89.dat	UPX
behavioral1/files/0x0006000000015d79-82.dat	UPX
behavioral1/memory/1960-67-0x000000013FE40000-0x0000000140191000-memory.dmp	UPX
behavioral1/files/0x0006000000015d56-65.dat	UPX
behavioral1/files/0x0006000000015d07-58.dat	UPX
behavioral1/files/0x0008000000014f71-57.dat	UPX
behavioral1/files/0x0007000000014baa-56.dat	UPX
behavioral1/files/0x0006000000015d28-54.dat	UPX
behavioral1/memory/1032-40-0x000000013FC10000-0x000000013FF61000-memory.dmp	UPX
behavioral1/files/0x0006000000015d6f-106.dat	UPX
behavioral1/files/0x0006000000015d5e-105.dat	UPX
behavioral1/files/0x0006000000015d4a-104.dat	UPX
behavioral1/memory/2336-99-0x000000013F210000-0x000000013F561000-memory.dmp	UPX
behavioral1/memory/2800-80-0x000000013F570000-0x000000013F8C1000-memory.dmp	UPX
behavioral1/memory/2592-63-0x000000013FD70000-0x00000001400C1000-memory.dmp	UPX
behavioral1/memory/2352-51-0x000000013FC30000-0x000000013FF81000-memory.dmp	UPX
behavioral1/memory/2660-36-0x000000013F130000-0x000000013F481000-memory.dmp	UPX
behavioral1/memory/2192-131-0x000000013FA60000-0x000000013FDB1000-memory.dmp	UPX
behavioral1/files/0x0015000000014726-32.dat	UPX
behavioral1/memory/1032-132-0x000000013FC10000-0x000000013FF61000-memory.dmp	UPX
behavioral1/memory/3044-136-0x000000013F940000-0x000000013FC91000-memory.dmp	UPX
behavioral1/memory/2800-142-0x000000013F570000-0x000000013F8C1000-memory.dmp	UPX
behavioral1/memory/2432-144-0x000000013FA70000-0x000000013FDC1000-memory.dmp	UPX
behavioral1/memory/2480-145-0x000000013F570000-0x000000013F8C1000-memory.dmp	UPX
behavioral1/memory/1400-143-0x000000013FCA0000-0x000000013FFF1000-memory.dmp	UPX
behavioral1/memory/2552-141-0x000000013FD10000-0x0000000140061000-memory.dmp	UPX
behavioral1/memory/1960-140-0x000000013FE40000-0x0000000140191000-memory.dmp	UPX
behavioral1/memory/2712-139-0x000000013F430000-0x000000013F781000-memory.dmp	UPX
behavioral1/memory/2592-138-0x000000013FD70000-0x00000001400C1000-memory.dmp	UPX
behavioral1/memory/2660-137-0x000000013F130000-0x000000013F481000-memory.dmp	UPX
behavioral1/memory/1140-147-0x000000013FCC0000-0x0000000140011000-memory.dmp	UPX
behavioral1/memory/2804-149-0x000000013F720000-0x000000013FA71000-memory.dmp	UPX
behavioral1/memory/1440-153-0x000000013F6C0000-0x000000013FA11000-memory.dmp	UPX
behavioral1/memory/628-152-0x000000013F4B0000-0x000000013F801000-memory.dmp	UPX
behavioral1/memory/2672-151-0x000000013F2F0000-0x000000013F641000-memory.dmp	UPX
behavioral1/memory/2780-150-0x000000013F300000-0x000000013F651000-memory.dmp	UPX
behavioral1/memory/1844-148-0x000000013F710000-0x000000013FA61000-memory.dmp	UPX
behavioral1/memory/1524-146-0x000000013FAC0000-0x000000013FE11000-memory.dmp	UPX
behavioral1/memory/1032-155-0x000000013FC10000-0x000000013FF61000-memory.dmp	UPX
behavioral1/memory/2352-201-0x000000013FC30000-0x000000013FF81000-memory.dmp	UPX
behavioral1/memory/2336-203-0x000000013F210000-0x000000013F561000-memory.dmp	UPX
behavioral1/memory/2192-208-0x000000013FA60000-0x000000013FDB1000-memory.dmp	UPX
behavioral1/memory/2660-220-0x000000013F130000-0x000000013F481000-memory.dmp	UPX
behavioral1/memory/3044-229-0x000000013F940000-0x000000013FC91000-memory.dmp	UPX
behavioral1/memory/1960-231-0x000000013FE40000-0x0000000140191000-memory.dmp	UPX
behavioral1/memory/2800-233-0x000000013F570000-0x000000013F8C1000-memory.dmp	UPX
behavioral1/memory/2592-235-0x000000013FD70000-0x00000001400C1000-memory.dmp	UPX

XMRig Miner payload 34 IoCs

miner

resource	yara_rule
behavioral1/memory/1032-40-0x000000013FC10000-0x000000013FF61000-memory.dmp	xmrig
behavioral1/memory/1032-101-0x000000013F2F0000-0x000000013F641000-memory.dmp	xmrig
behavioral1/memory/1032-100-0x000000013F300000-0x000000013F651000-memory.dmp	xmrig
behavioral1/memory/2336-99-0x000000013F210000-0x000000013F561000-memory.dmp	xmrig
behavioral1/memory/2352-51-0x000000013FC30000-0x000000013FF81000-memory.dmp	xmrig
behavioral1/memory/2192-131-0x000000013FA60000-0x000000013FDB1000-memory.dmp	xmrig
behavioral1/memory/1032-132-0x000000013FC10000-0x000000013FF61000-memory.dmp	xmrig
behavioral1/memory/3044-136-0x000000013F940000-0x000000013FC91000-memory.dmp	xmrig
behavioral1/memory/2800-142-0x000000013F570000-0x000000013F8C1000-memory.dmp	xmrig
behavioral1/memory/2432-144-0x000000013FA70000-0x000000013FDC1000-memory.dmp	xmrig
behavioral1/memory/2480-145-0x000000013F570000-0x000000013F8C1000-memory.dmp	xmrig
behavioral1/memory/1400-143-0x000000013FCA0000-0x000000013FFF1000-memory.dmp	xmrig
behavioral1/memory/2552-141-0x000000013FD10000-0x0000000140061000-memory.dmp	xmrig
behavioral1/memory/1960-140-0x000000013FE40000-0x0000000140191000-memory.dmp	xmrig
behavioral1/memory/2712-139-0x000000013F430000-0x000000013F781000-memory.dmp	xmrig
behavioral1/memory/2592-138-0x000000013FD70000-0x00000001400C1000-memory.dmp	xmrig
behavioral1/memory/2660-137-0x000000013F130000-0x000000013F481000-memory.dmp	xmrig
behavioral1/memory/1140-147-0x000000013FCC0000-0x0000000140011000-memory.dmp	xmrig
behavioral1/memory/2804-149-0x000000013F720000-0x000000013FA71000-memory.dmp	xmrig
behavioral1/memory/1440-153-0x000000013F6C0000-0x000000013FA11000-memory.dmp	xmrig
behavioral1/memory/628-152-0x000000013F4B0000-0x000000013F801000-memory.dmp	xmrig
behavioral1/memory/2672-151-0x000000013F2F0000-0x000000013F641000-memory.dmp	xmrig
behavioral1/memory/2780-150-0x000000013F300000-0x000000013F651000-memory.dmp	xmrig
behavioral1/memory/1844-148-0x000000013F710000-0x000000013FA61000-memory.dmp	xmrig
behavioral1/memory/1524-146-0x000000013FAC0000-0x000000013FE11000-memory.dmp	xmrig
behavioral1/memory/1032-155-0x000000013FC10000-0x000000013FF61000-memory.dmp	xmrig
behavioral1/memory/2352-201-0x000000013FC30000-0x000000013FF81000-memory.dmp	xmrig
behavioral1/memory/2336-203-0x000000013F210000-0x000000013F561000-memory.dmp	xmrig
behavioral1/memory/2192-208-0x000000013FA60000-0x000000013FDB1000-memory.dmp	xmrig
behavioral1/memory/2660-220-0x000000013F130000-0x000000013F481000-memory.dmp	xmrig
behavioral1/memory/3044-229-0x000000013F940000-0x000000013FC91000-memory.dmp	xmrig
behavioral1/memory/1960-231-0x000000013FE40000-0x0000000140191000-memory.dmp	xmrig
behavioral1/memory/2800-233-0x000000013F570000-0x000000013F8C1000-memory.dmp	xmrig
behavioral1/memory/2592-235-0x000000013FD70000-0x00000001400C1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2352	PSaAFDf.exe
2336	AbMaJsN.exe
2192	CzUjYsG.exe
3044	GTzgVhQ.exe
2660	cbLxWMD.exe
2592	EZXTYXJ.exe
1960	ntfDOdr.exe
2800	iPxJipU.exe
2432	OdTfxYi.exe
1524	GwcdjXR.exe
1844	GIznIlS.exe
2780	NaXnCqy.exe
2712	GcjsRdb.exe
628	dBgUbzd.exe
2552	NtaUoep.exe
1400	duWKnHl.exe
2480	upGpHTK.exe
1140	nNCAAAs.exe
2804	WMETSRD.exe
2672	UQWkUkJ.exe
1440	sPNGiZM.exe

Loads dropped DLL 21 IoCs

pid	Process
1032	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe
1032	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe
1032	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe
1032	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe
1032	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe
1032	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe
1032	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe
1032	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe
1032	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe
1032	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe
1032	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe
1032	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe
1032	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe
1032	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe
1032	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe
1032	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe
1032	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe
1032	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe
1032	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe
1032	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe
1032	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe

UPX packed file 63 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1032-0-0x000000013FC10000-0x000000013FF61000-memory.dmp	upx
behavioral1/files/0x000b0000000144e4-3.dat	upx
behavioral1/memory/2352-9-0x000000013FC30000-0x000000013FF81000-memory.dmp	upx
behavioral1/memory/1032-7-0x00000000021F0000-0x0000000002541000-memory.dmp	upx
behavioral1/files/0x001500000001471d-10.dat	upx
behavioral1/memory/2336-14-0x000000013F210000-0x000000013F561000-memory.dmp	upx
behavioral1/files/0x0008000000014aa2-18.dat	upx
behavioral1/memory/2192-20-0x000000013FA60000-0x000000013FDB1000-memory.dmp	upx
behavioral1/files/0x0007000000014b63-21.dat	upx
behavioral1/memory/3044-27-0x000000013F940000-0x000000013FC91000-memory.dmp	upx
behavioral1/files/0x0007000000014bea-37.dat	upx
behavioral1/files/0x0006000000015d9b-109.dat	upx
behavioral1/files/0x0006000000015d87-107.dat	upx
behavioral1/files/0x0007000000015ceb-116.dat	upx
behavioral1/files/0x0006000000015d67-122.dat	upx
behavioral1/files/0x0006000000015e3a-128.dat	upx
behavioral1/files/0x0006000000015d8f-89.dat	upx
behavioral1/files/0x0006000000015d79-82.dat	upx
behavioral1/memory/1960-67-0x000000013FE40000-0x0000000140191000-memory.dmp	upx
behavioral1/files/0x0006000000015d56-65.dat	upx
behavioral1/files/0x0006000000015d07-58.dat	upx
behavioral1/files/0x0008000000014f71-57.dat	upx
behavioral1/files/0x0007000000014baa-56.dat	upx
behavioral1/files/0x0006000000015d28-54.dat	upx
behavioral1/memory/1032-40-0x000000013FC10000-0x000000013FF61000-memory.dmp	upx
behavioral1/files/0x0006000000015d6f-106.dat	upx
behavioral1/files/0x0006000000015d5e-105.dat	upx
behavioral1/files/0x0006000000015d4a-104.dat	upx
behavioral1/memory/2336-99-0x000000013F210000-0x000000013F561000-memory.dmp	upx
behavioral1/memory/2800-80-0x000000013F570000-0x000000013F8C1000-memory.dmp	upx
behavioral1/memory/2592-63-0x000000013FD70000-0x00000001400C1000-memory.dmp	upx
behavioral1/memory/2352-51-0x000000013FC30000-0x000000013FF81000-memory.dmp	upx
behavioral1/memory/2660-36-0x000000013F130000-0x000000013F481000-memory.dmp	upx
behavioral1/memory/2192-131-0x000000013FA60000-0x000000013FDB1000-memory.dmp	upx
behavioral1/files/0x0015000000014726-32.dat	upx
behavioral1/memory/1032-132-0x000000013FC10000-0x000000013FF61000-memory.dmp	upx
behavioral1/memory/3044-136-0x000000013F940000-0x000000013FC91000-memory.dmp	upx
behavioral1/memory/2800-142-0x000000013F570000-0x000000013F8C1000-memory.dmp	upx
behavioral1/memory/2432-144-0x000000013FA70000-0x000000013FDC1000-memory.dmp	upx
behavioral1/memory/2480-145-0x000000013F570000-0x000000013F8C1000-memory.dmp	upx
behavioral1/memory/1400-143-0x000000013FCA0000-0x000000013FFF1000-memory.dmp	upx
behavioral1/memory/2552-141-0x000000013FD10000-0x0000000140061000-memory.dmp	upx
behavioral1/memory/1960-140-0x000000013FE40000-0x0000000140191000-memory.dmp	upx
behavioral1/memory/2712-139-0x000000013F430000-0x000000013F781000-memory.dmp	upx
behavioral1/memory/2592-138-0x000000013FD70000-0x00000001400C1000-memory.dmp	upx
behavioral1/memory/2660-137-0x000000013F130000-0x000000013F481000-memory.dmp	upx
behavioral1/memory/1140-147-0x000000013FCC0000-0x0000000140011000-memory.dmp	upx
behavioral1/memory/2804-149-0x000000013F720000-0x000000013FA71000-memory.dmp	upx
behavioral1/memory/1440-153-0x000000013F6C0000-0x000000013FA11000-memory.dmp	upx
behavioral1/memory/628-152-0x000000013F4B0000-0x000000013F801000-memory.dmp	upx
behavioral1/memory/2672-151-0x000000013F2F0000-0x000000013F641000-memory.dmp	upx
behavioral1/memory/2780-150-0x000000013F300000-0x000000013F651000-memory.dmp	upx
behavioral1/memory/1844-148-0x000000013F710000-0x000000013FA61000-memory.dmp	upx
behavioral1/memory/1524-146-0x000000013FAC0000-0x000000013FE11000-memory.dmp	upx
behavioral1/memory/1032-155-0x000000013FC10000-0x000000013FF61000-memory.dmp	upx
behavioral1/memory/2352-201-0x000000013FC30000-0x000000013FF81000-memory.dmp	upx
behavioral1/memory/2336-203-0x000000013F210000-0x000000013F561000-memory.dmp	upx
behavioral1/memory/2192-208-0x000000013FA60000-0x000000013FDB1000-memory.dmp	upx
behavioral1/memory/2660-220-0x000000013F130000-0x000000013F481000-memory.dmp	upx
behavioral1/memory/3044-229-0x000000013F940000-0x000000013FC91000-memory.dmp	upx
behavioral1/memory/1960-231-0x000000013FE40000-0x0000000140191000-memory.dmp	upx
behavioral1/memory/2800-233-0x000000013F570000-0x000000013F8C1000-memory.dmp	upx
behavioral1/memory/2592-235-0x000000013FD70000-0x00000001400C1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\UQWkUkJ.exe	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\sPNGiZM.exe	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\GcjsRdb.exe	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\iPxJipU.exe	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\NaXnCqy.exe	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\OdTfxYi.exe	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\upGpHTK.exe	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\dBgUbzd.exe	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\AbMaJsN.exe	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\CzUjYsG.exe	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\NtaUoep.exe	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ntfDOdr.exe	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\duWKnHl.exe	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\GwcdjXR.exe	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\EZXTYXJ.exe	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\nNCAAAs.exe	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\GIznIlS.exe	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\WMETSRD.exe	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\PSaAFDf.exe	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\GTzgVhQ.exe	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\cbLxWMD.exe	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1032	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	1032	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 1032 wrote to memory of 2352	1032	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe	29
PID 1032 wrote to memory of 2352	1032	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe	29
PID 1032 wrote to memory of 2352	1032	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe	29
PID 1032 wrote to memory of 2336	1032	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe	30
PID 1032 wrote to memory of 2336	1032	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe	30
PID 1032 wrote to memory of 2336	1032	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe	30
PID 1032 wrote to memory of 2192	1032	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe	31
PID 1032 wrote to memory of 2192	1032	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe	31
PID 1032 wrote to memory of 2192	1032	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe	31
PID 1032 wrote to memory of 3044	1032	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe	32
PID 1032 wrote to memory of 3044	1032	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe	32
PID 1032 wrote to memory of 3044	1032	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe	32
PID 1032 wrote to memory of 2660	1032	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe	33
PID 1032 wrote to memory of 2660	1032	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe	33
PID 1032 wrote to memory of 2660	1032	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe	33
PID 1032 wrote to memory of 2592	1032	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe	34
PID 1032 wrote to memory of 2592	1032	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe	34
PID 1032 wrote to memory of 2592	1032	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe	34
PID 1032 wrote to memory of 2712	1032	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe	35
PID 1032 wrote to memory of 2712	1032	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe	35
PID 1032 wrote to memory of 2712	1032	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe	35
PID 1032 wrote to memory of 1960	1032	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe	36
PID 1032 wrote to memory of 1960	1032	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe	36
PID 1032 wrote to memory of 1960	1032	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe	36
PID 1032 wrote to memory of 2552	1032	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe	37
PID 1032 wrote to memory of 2552	1032	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe	37
PID 1032 wrote to memory of 2552	1032	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe	37
PID 1032 wrote to memory of 2800	1032	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe	38
PID 1032 wrote to memory of 2800	1032	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe	38
PID 1032 wrote to memory of 2800	1032	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe	38
PID 1032 wrote to memory of 1400	1032	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe	39
PID 1032 wrote to memory of 1400	1032	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe	39
PID 1032 wrote to memory of 1400	1032	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe	39
PID 1032 wrote to memory of 2432	1032	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe	40
PID 1032 wrote to memory of 2432	1032	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe	40
PID 1032 wrote to memory of 2432	1032	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe	40
PID 1032 wrote to memory of 2480	1032	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe	41
PID 1032 wrote to memory of 2480	1032	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe	41
PID 1032 wrote to memory of 2480	1032	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe	41
PID 1032 wrote to memory of 1524	1032	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe	42
PID 1032 wrote to memory of 1524	1032	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe	42
PID 1032 wrote to memory of 1524	1032	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe	42
PID 1032 wrote to memory of 1140	1032	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe	43
PID 1032 wrote to memory of 1140	1032	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe	43
PID 1032 wrote to memory of 1140	1032	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe	43
PID 1032 wrote to memory of 1844	1032	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe	44
PID 1032 wrote to memory of 1844	1032	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe	44
PID 1032 wrote to memory of 1844	1032	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe	44
PID 1032 wrote to memory of 2804	1032	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe	45
PID 1032 wrote to memory of 2804	1032	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe	45
PID 1032 wrote to memory of 2804	1032	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe	45
PID 1032 wrote to memory of 2780	1032	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe	46
PID 1032 wrote to memory of 2780	1032	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe	46
PID 1032 wrote to memory of 2780	1032	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe	46
PID 1032 wrote to memory of 2672	1032	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe	47
PID 1032 wrote to memory of 2672	1032	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe	47
PID 1032 wrote to memory of 2672	1032	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe	47
PID 1032 wrote to memory of 628	1032	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe	48
PID 1032 wrote to memory of 628	1032	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe	48
PID 1032 wrote to memory of 628	1032	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe	48
PID 1032 wrote to memory of 1440	1032	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe	49
PID 1032 wrote to memory of 1440	1032	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe	49
PID 1032 wrote to memory of 1440	1032	2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe	49

C:\Users\Admin\AppData\Local\Temp\2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-02_60bf0c1a92219729bb9232061c7e9445_cobalt-strike_cobaltstrike.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1032
- C:\Windows\System\PSaAFDf.exe
  C:\Windows\System\PSaAFDf.exe
  2⤵
  - Executes dropped EXE
  PID:2352
- C:\Windows\System\AbMaJsN.exe
  C:\Windows\System\AbMaJsN.exe
  2⤵
  - Executes dropped EXE
  PID:2336
- C:\Windows\System\CzUjYsG.exe
  C:\Windows\System\CzUjYsG.exe
  2⤵
  - Executes dropped EXE
  PID:2192
- C:\Windows\System\GTzgVhQ.exe
  C:\Windows\System\GTzgVhQ.exe
  2⤵
  - Executes dropped EXE
  PID:3044
- C:\Windows\System\cbLxWMD.exe
  C:\Windows\System\cbLxWMD.exe
  2⤵
  - Executes dropped EXE
  PID:2660
- C:\Windows\System\EZXTYXJ.exe
  C:\Windows\System\EZXTYXJ.exe
  2⤵
  - Executes dropped EXE
  PID:2592
- C:\Windows\System\GcjsRdb.exe
  C:\Windows\System\GcjsRdb.exe
  2⤵
  - Executes dropped EXE
  PID:2712
- C:\Windows\System\ntfDOdr.exe
  C:\Windows\System\ntfDOdr.exe
  2⤵
  - Executes dropped EXE
  PID:1960
- C:\Windows\System\NtaUoep.exe
  C:\Windows\System\NtaUoep.exe
  2⤵
  - Executes dropped EXE
  PID:2552
- C:\Windows\System\iPxJipU.exe
  C:\Windows\System\iPxJipU.exe
  2⤵
  - Executes dropped EXE
  PID:2800
- C:\Windows\System\duWKnHl.exe
  C:\Windows\System\duWKnHl.exe
  2⤵
  - Executes dropped EXE
  PID:1400
- C:\Windows\System\OdTfxYi.exe
  C:\Windows\System\OdTfxYi.exe
  2⤵
  - Executes dropped EXE
  PID:2432
- C:\Windows\System\upGpHTK.exe
  C:\Windows\System\upGpHTK.exe
  2⤵
  - Executes dropped EXE
  PID:2480
- C:\Windows\System\GwcdjXR.exe
  C:\Windows\System\GwcdjXR.exe
  2⤵
  - Executes dropped EXE
  PID:1524
- C:\Windows\System\nNCAAAs.exe
  C:\Windows\System\nNCAAAs.exe
  2⤵
  - Executes dropped EXE
  PID:1140
- C:\Windows\System\GIznIlS.exe
  C:\Windows\System\GIznIlS.exe
  2⤵
  - Executes dropped EXE
  PID:1844
- C:\Windows\System\WMETSRD.exe
  C:\Windows\System\WMETSRD.exe
  2⤵
  - Executes dropped EXE
  PID:2804
- C:\Windows\System\NaXnCqy.exe
  C:\Windows\System\NaXnCqy.exe
  2⤵
  - Executes dropped EXE
  PID:2780
- C:\Windows\System\UQWkUkJ.exe
  C:\Windows\System\UQWkUkJ.exe
  2⤵
  - Executes dropped EXE
  PID:2672
- C:\Windows\System\dBgUbzd.exe
  C:\Windows\System\dBgUbzd.exe
  2⤵
  - Executes dropped EXE
  PID:628
- C:\Windows\System\sPNGiZM.exe
  C:\Windows\System\sPNGiZM.exe
  2⤵
  - Executes dropped EXE
  PID:1440

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\CzUjYsG.exe

Filesize
5.2MB

MD5
f1b0403fba4cf372514644bdb24acdca

SHA1
48052e312e55f4a8cb14e89da28ef3745d26e3dd

SHA256
b045dcf3d458cea4a4347ed022b9f569fe4c8f583c3e483b85496057038b7ea9

SHA512
9b9a61aaa198ac3898e2b9c096783028f19f0d96a9a9df257b116f0aad7badb17f64adc931036336d9fa1adfc4f6fe8e25ec1da6780b1ac5bd4bf674e04bc691

Download Submit
C:\Windows\system\EZXTYXJ.exe

Filesize
5.2MB

MD5
e8ca709c058dcfd51e93073395de25af

SHA1
37ff1ef625ffa2a2439a52dc910f06ff84749662

SHA256
ba5ed17bf560493de7f306f90e1d057521b254bda7918bfeb7d4d1cc77aaa30c

SHA512
c6369ef6c4769d2c9a77c5c06e90314952b54d14b2e25fbd5f9f93ddda36727f85b80df4ac995ec0ecfcefcfd9ed06b579c55007fec506314bd19575a9b03e42

Download Submit
C:\Windows\system\GIznIlS.exe

Filesize
5.2MB

MD5
eadf5d9a003bc1efef289c2c9ab2c0f4

SHA1
391187cea1781e5b65033fae1e1793e507dd0219

SHA256
ce88c51a81bd8bbfde22372bddad46b2dee9efd0d81ab32e903b82f0197fdd8c

SHA512
7464113c577856a5a9e1f01930699d260ed1e522fc0f02c1669f0c473f60da307fd65b9fc61ecf0f91ed6f734f7045ad3a43e765ae6b022baf7546d3b83037f5

Download Submit
C:\Windows\system\GwcdjXR.exe

Filesize
5.2MB

MD5
8f17a61f1e015b0ae3c03d28fdbcc8ef

SHA1
291b977547f8481579b9fbc5bf5858b2e8b1add8

SHA256
9913abef6a30d29dd76423f211765000495c9c5c59166586908c0c936027eb11

SHA512
beadb600ec3e28c2fce8add1bc8d7b5e089352000b9e154e3e04f132751eced1f9cd1e59e93c9b100bee010dd45cf6fc91b33a3d930ed2491086f4fb25806224

Download Submit
C:\Windows\system\NaXnCqy.exe

Filesize
5.2MB

MD5
3d9b706b80f9b5a3693c1f652fa41cea

SHA1
473ad98b7070b6132fcdd70c768b5502e1d97b9d

SHA256
ac5de9a7c915e0922a5bf4085e4dbdb4a8c125cc17a54f730131792eb0aa17c6

SHA512
5e621c3ca658726a985dd3e211e79840b03fc79377b07b778016c997932f49bb187c4c864bf68acf6e03ce3b065dfd992d93d321fa0f80fd54cf6f5660195fb0

Download Submit
C:\Windows\system\NtaUoep.exe

Filesize
5.2MB

MD5
1ab64ed850b59ae06b8ab4b026cce06b

SHA1
acbc7bbafaa87f364d73a1d3aa8ed477dcf0bcd6

SHA256
17d072d9c58d80ec290dde65b746ee93579d4d17b898b688aa86a0e3de709110

SHA512
8368893966aef6d866a3ae26269c5437b1b6ea9972271ddbc51df0f1cd554c47d0f32d783bfc84390c62a489cbe759e19adb1a5756c612f9c73ff4ed19e73556

Download Submit
C:\Windows\system\OdTfxYi.exe

Filesize
5.2MB

MD5
59157dbca2122b77a797d36ebe4e3c78

SHA1
516cea84cd29b2a0bcf70686dcc3fa4f274df386

SHA256
01daae427d7270c0a26809bbcd7af9d846f731ca84cc94c576ca5fd92f09f894

SHA512
20250a22a1c50629b682a37333476c177026f2c1a6ccd66633f6a1f09e8831cfdd74bcfb6b19dd28d463c27939239a6bddbea307aed4fb85f7cf68c15618b292

Download Submit
C:\Windows\system\cbLxWMD.exe

Filesize
5.2MB

MD5
4c1b45880e28a5da75d9884396fee805

SHA1
a84eb4dd86255b0cd822e03ec4480136685ea873

SHA256
b6035f5a9744753c132a2ae0ad1fd594f7be14bce4386ae138a0cafdf465ec55

SHA512
aa42f397ed033f9b4691306b745ccb60c5c7bc1b432bedec7b1a2693455f534b776b8df91d51f39b983178115637acb50f54b7bc8d477012010f3742c3568f70

Download Submit
C:\Windows\system\dBgUbzd.exe

Filesize
5.2MB

MD5
7749049039c3657f93fa122211a59f7e

SHA1
78ac832f3c7d552af44ea6a9f0739a4343d2e98a

SHA256
ab07487b26a1943f28d677767d6c3854991158aaa7889d2a398fb7e62af16218

SHA512
2a3669e49c402dd430cdb329740b0f96497462fe70e0280d05b3809bf97ddf14a00c61ea339885526893ca9e948dd990ad17ec78117702b7c553f0405a5bf4b1

Download Submit
C:\Windows\system\iPxJipU.exe

Filesize
5.2MB

MD5
93800c722eed9a6671e36a5b7cf7d046

SHA1
83eb108a43f591d8d8b76eb75f64f6c1a1613fa5

SHA256
fdd98513fbf07dc291d006331c19963698ac7c87af08634d466beb09af281f1e

SHA512
c99e850835fb6860198df3d5699ebb7bc1fe30045b9972e2def1b6776f6c16c25f0d069513e147705048807dbf50d7c5b147e55caa589d4bbf13f5d1bf34ebff

Download Submit
C:\Windows\system\nNCAAAs.exe

Filesize
5.2MB

MD5
f2a049c9483a7af10091e6087f803b25

SHA1
6d770364c86f693ae55e741d995b27a7bce6e50b

SHA256
d5434d7673dbcbb287c0e1e3f0dbb1622aa1028284df58ec2f471864ab8b1d97

SHA512
abd5f78259c1b28eb1ac7350de065b1c8e0c1e4f66c9434f075716853ca18be89dd35d6e6de50a1d102b56eb5cbe6fa0ad3eada1f10117337fd3ed63a9390455

Download Submit
C:\Windows\system\ntfDOdr.exe

Filesize
5.2MB

MD5
54f0f8a4851e6066b4a2bcc4b644e5fe

SHA1
2e6d93b2458d9203c4c4120a0cacabd4bf310a6f

SHA256
b76858367937f6204e61e40f64ed5168f6f98999d3fdde20af28756f40ed98e1

SHA512
d8f28922074ac296c17fa7ce0b9d98790d6ef6eeac1c35ceb01181d0936ff63f82638effea46688ebc8b1861d6618b01a0251faee443de93099ed58164c1daaf

Download Submit
C:\Windows\system\sPNGiZM.exe

Filesize
5.2MB

MD5
f7f029b555b03c596fb1296c9e2ac57b

SHA1
4859923587e007c4525bcd696196dab3ed58096b

SHA256
8223aaa8eaaf95bd43936c3a3f07ab97997832c8a69f54083a17fea3ac8204db

SHA512
a082a3b046d03a507c04b6f3788ae2362a445a5243a3d44c6317447188385f348f4d87d7972c24798e84a444f7b9288e31d6e47569f66578e1c4a6f60c10b899

Download Submit
\Windows\system\AbMaJsN.exe

Filesize
5.2MB

MD5
dac5764699b6f258a41dfe4b1000ee50

SHA1
fb77830fad05dd66f971775c9ccf2e998723cd2e

SHA256
7360ff8613c97a5a02ded6c0e1c3a5fbad971d2938e0bfa55a18eb76b07cd545

SHA512
44c7a2b5a6139b5848b2fb1712f083108dc8349630d15107e201f22b65c047a448419b8ec9fe447e5e177ee72b21d5c5e62f1fe94c1084d2d0bd7e4975f72e33

Download Submit
\Windows\system\GTzgVhQ.exe

Filesize
5.2MB

MD5
422949ba22c8f8fb9e80ad81db06e48e

SHA1
6e9710a0500827a9cef1cfb0ed5109140a818481

SHA256
3e63d7ba7b8bf5e010326d0fe4faaa1dcea417993aa4b782d6b27cc3acf8988c

SHA512
4f11ba01b1edb3dd1f182e2498982979707336418b7219f0db11bf483ad5908dde56c87caec82c3c80fb33df83e53a3a8b3c4d0d71674b395a19e03c7d16ca10

Download Submit
\Windows\system\GcjsRdb.exe

Filesize
5.2MB

MD5
51a9e6cb0660dbe2109a20eff1bef0eb

SHA1
1e41c96736a4c74ce9f7a313431e0097093763cb

SHA256
90fd9e55f50edb76f0a811506fc9fd239f116d2ab2e318e231af43bc9026b236

SHA512
470464d48e6a9d23e8b9ec30fd1943ac3ab876a126cdb7c1fa73095d6ebe225c4c9aaff1445ee5037b1bbee7b16ebf721287c2670b646dc035d210ce513c18d6

Download Submit
\Windows\system\PSaAFDf.exe

Filesize
5.2MB

MD5
baaf1804d010919bb5841df3c00d3942

SHA1
d8c59ca1173d7354aebb6554778cf8d6f787014d

SHA256
1e3cc9566f611d081d27ad20f7839c1492965bb7a214580b5ce66a9e3fe921e8

SHA512
e03562b95c69c0597895fadacd018ac56becba44424f0c9af0960ae8670dfdfeb1f0be0b2b4ce906c0b3d3f0d9f8d1b498440298e414e873e3c23ce59d2a3a37

Download Submit
\Windows\system\UQWkUkJ.exe

Filesize
5.2MB

MD5
bd454601aa75ae4d4294ed83f7b1b13a

SHA1
d6a2d432c6feb763440d527805219841c7d6e080

SHA256
b7614ede596bfc9fe31b7e98182e5f97fd93dad9f4f5605ffcea9cd55d9b547a

SHA512
aace620171bfff2b6d43e790f4e8b059f87f38e5ebde129e4070538a430db2264e2a6526e8afa35d2b5cc39d03cf4a402736ea2400a64adedcc930fedccf945e

Download Submit
\Windows\system\WMETSRD.exe

Filesize
5.2MB

MD5
0fbff03a445a7e50d1beb690bcf2d84c

SHA1
33499b5a841bc3d8cfdf2bc919af252b49c9cbca

SHA256
639ffa5edb88fb790ee4f561c3b351093cacdb78ce65ad7ca29bcfe6b4888adb

SHA512
8e7c0364d7c6b353e9da1e2d0fce33eb0c1f5740fa6d8b3c4cf15fde215e3bf7881d347189befe8c5f8681f14634fc3cf8b44a6fc58d06ba29b903554667732c

Download Submit
\Windows\system\duWKnHl.exe

Filesize
5.2MB

MD5
0daf646a3ed02b7a1633056e9052bbc5

SHA1
ed6ab92db160ab3892015bc6d39e7b695c2c0b6b

SHA256
5feff20f8c7098f77cdadad0dce42a0b9a0e5e52b92aedcd3eb6846e3cee0880

SHA512
203df71009de9906178038c662871416e10f8f89223d50fd690d05d591ddf79dd4933f94fe7dc83b0d918c08ee0494ed2bdb751187b632eae0fd91e21e521eb0

Download Submit
\Windows\system\upGpHTK.exe

Filesize
5.2MB

MD5
8770a1ac20387d5f353ace97e2f0fcbb

SHA1
94f3d8ec5be5622a9dc5afaea54a3809716ab175

SHA256
05b0ed6bafa82ed4ac7e7cee67e6d471c2fb1cc7da296a104ac6a8d11ec21312

SHA512
de2bcc4be84ebde4889d660cb3926935ad75c12d52374ce226601942f3148c56d1c40102eb86de0ba6b4433a01391011e14de6c2a7188a5b2bcea448436f169c

Download Submit
memory/628-152-0x000000013F4B0000-0x000000013F801000-memory.dmp

Filesize
3.3MB

Download
memory/1032-98-0x000000013F720000-0x000000013FA71000-memory.dmp

Filesize
3.3MB

Download
memory/1032-1-0x0000000000170000-0x0000000000180000-memory.dmp

Filesize
64KB

Download
memory/1032-85-0x000000013F710000-0x000000013FA61000-memory.dmp

Filesize
3.3MB

Download
memory/1032-60-0x000000013F570000-0x000000013F8C1000-memory.dmp

Filesize
3.3MB

Download
memory/1032-103-0x000000013F6C0000-0x000000013FA11000-memory.dmp

Filesize
3.3MB

Download
memory/1032-177-0x000000013F300000-0x000000013F651000-memory.dmp

Filesize
3.3MB

Download
memory/1032-22-0x00000000021F0000-0x0000000002541000-memory.dmp

Filesize
3.3MB

Download
memory/1032-19-0x00000000021F0000-0x0000000002541000-memory.dmp

Filesize
3.3MB

Download
memory/1032-48-0x00000000021F0000-0x0000000002541000-memory.dmp

Filesize
3.3MB

Download
memory/1032-40-0x000000013FC10000-0x000000013FF61000-memory.dmp

Filesize
3.3MB

Download
memory/1032-155-0x000000013FC10000-0x000000013FF61000-memory.dmp

Filesize
3.3MB

Download
memory/1032-154-0x000000013F130000-0x000000013F481000-memory.dmp

Filesize
3.3MB

Download
memory/1032-7-0x00000000021F0000-0x0000000002541000-memory.dmp

Filesize
3.3MB

Download
memory/1032-102-0x000000013F4B0000-0x000000013F801000-memory.dmp

Filesize
3.3MB

Download
memory/1032-101-0x000000013F2F0000-0x000000013F641000-memory.dmp

Filesize
3.3MB

Download
memory/1032-100-0x000000013F300000-0x000000013F651000-memory.dmp

Filesize
3.3MB

Download
memory/1032-132-0x000000013FC10000-0x000000013FF61000-memory.dmp

Filesize
3.3MB

Download
memory/1032-0-0x000000013FC10000-0x000000013FF61000-memory.dmp

Filesize
3.3MB

Download
memory/1032-97-0x00000000021F0000-0x0000000002541000-memory.dmp

Filesize
3.3MB

Download
memory/1032-130-0x00000000021F0000-0x0000000002541000-memory.dmp

Filesize
3.3MB

Download
memory/1140-147-0x000000013FCC0000-0x0000000140011000-memory.dmp

Filesize
3.3MB

Download
memory/1400-143-0x000000013FCA0000-0x000000013FFF1000-memory.dmp

Filesize
3.3MB

Download
memory/1440-153-0x000000013F6C0000-0x000000013FA11000-memory.dmp

Filesize
3.3MB

Download
memory/1524-146-0x000000013FAC0000-0x000000013FE11000-memory.dmp

Filesize
3.3MB

Download
memory/1844-148-0x000000013F710000-0x000000013FA61000-memory.dmp

Filesize
3.3MB

Download
memory/1960-231-0x000000013FE40000-0x0000000140191000-memory.dmp

Filesize
3.3MB

Download
memory/1960-140-0x000000013FE40000-0x0000000140191000-memory.dmp

Filesize
3.3MB

Download
memory/1960-67-0x000000013FE40000-0x0000000140191000-memory.dmp

Filesize
3.3MB

Download
memory/2192-208-0x000000013FA60000-0x000000013FDB1000-memory.dmp

Filesize
3.3MB

Download
memory/2192-131-0x000000013FA60000-0x000000013FDB1000-memory.dmp

Filesize
3.3MB

Download
memory/2192-20-0x000000013FA60000-0x000000013FDB1000-memory.dmp

Filesize
3.3MB

Download
memory/2336-203-0x000000013F210000-0x000000013F561000-memory.dmp

Filesize
3.3MB

Download
memory/2336-99-0x000000013F210000-0x000000013F561000-memory.dmp

Filesize
3.3MB

Download
memory/2336-14-0x000000013F210000-0x000000013F561000-memory.dmp

Filesize
3.3MB

Download
memory/2352-201-0x000000013FC30000-0x000000013FF81000-memory.dmp

Filesize
3.3MB

Download
memory/2352-9-0x000000013FC30000-0x000000013FF81000-memory.dmp

Filesize
3.3MB

Download
memory/2352-51-0x000000013FC30000-0x000000013FF81000-memory.dmp

Filesize
3.3MB

Download
memory/2432-144-0x000000013FA70000-0x000000013FDC1000-memory.dmp

Filesize
3.3MB

Download
memory/2480-145-0x000000013F570000-0x000000013F8C1000-memory.dmp

Filesize
3.3MB

Download
memory/2552-141-0x000000013FD10000-0x0000000140061000-memory.dmp

Filesize
3.3MB

Download
memory/2592-63-0x000000013FD70000-0x00000001400C1000-memory.dmp

Filesize
3.3MB

Download
memory/2592-138-0x000000013FD70000-0x00000001400C1000-memory.dmp

Filesize
3.3MB

Download
memory/2592-235-0x000000013FD70000-0x00000001400C1000-memory.dmp

Filesize
3.3MB

Download
memory/2660-137-0x000000013F130000-0x000000013F481000-memory.dmp

Filesize
3.3MB

Download
memory/2660-36-0x000000013F130000-0x000000013F481000-memory.dmp

Filesize
3.3MB

Download
memory/2660-220-0x000000013F130000-0x000000013F481000-memory.dmp

Filesize
3.3MB

Download
memory/2672-151-0x000000013F2F0000-0x000000013F641000-memory.dmp

Filesize
3.3MB

Download
memory/2712-139-0x000000013F430000-0x000000013F781000-memory.dmp

Filesize
3.3MB

Download
memory/2780-150-0x000000013F300000-0x000000013F651000-memory.dmp

Filesize
3.3MB

Download
memory/2800-233-0x000000013F570000-0x000000013F8C1000-memory.dmp

Filesize
3.3MB

Download
memory/2800-142-0x000000013F570000-0x000000013F8C1000-memory.dmp

Filesize
3.3MB

Download
memory/2800-80-0x000000013F570000-0x000000013F8C1000-memory.dmp

Filesize
3.3MB

Download
memory/2804-149-0x000000013F720000-0x000000013FA71000-memory.dmp

Filesize
3.3MB

Download
memory/3044-229-0x000000013F940000-0x000000013FC91000-memory.dmp

Filesize
3.3MB

Download
memory/3044-27-0x000000013F940000-0x000000013FC91000-memory.dmp

Filesize
3.3MB

Download
memory/3044-136-0x000000013F940000-0x000000013FC91000-memory.dmp

Filesize
3.3MB

Download