cobaltstrike | b218d86be1fedae2d797031f99246aab2959470fad548426d9d0b619fe9a4dc4

Analysis

max time kernel
137s
max time network
147s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
03/06/2024, 11:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe
Size

5.9MB
MD5

5a2e6ce520fb33fada7eb5729843e515
SHA1

0ecad18a5e7f0a721435aa284958720d775d350a
SHA256

b218d86be1fedae2d797031f99246aab2959470fad548426d9d0b619fe9a4dc4
SHA512

769d1ef8a5f43390b37bde35b2f60fa25906b8c18f9bf6a8a573a2b4cc246725937b662b9aa1eb5fea257bd32f087c0fe4d59d2044636b86cad4047962d5375a
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUJ:Q+856utgpPF8u/7J

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x000c00000001444f-3.dat	cobalt_reflective_dll
behavioral1/files/0x00070000000149ea-12.dat	cobalt_reflective_dll
behavioral1/files/0x0035000000014701-16.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000014b12-25.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000014c25-31.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000014e5a-38.dat	cobalt_reflective_dll
behavioral1/files/0x0009000000015136-44.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015ca5-49.dat	cobalt_reflective_dll
behavioral1/files/0x003500000001470b-53.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015cad-71.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015cf7-107.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015d6e-123.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015f9e-130.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015f1b-127.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015d5d-117.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015d06-112.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015cec-101.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015cca-86.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015cdb-83.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015cc1-74.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015cb9-70.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

resource	yara_rule
behavioral1/files/0x000c00000001444f-3.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x00070000000149ea-12.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0035000000014701-16.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000014b12-25.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000014c25-31.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000014e5a-38.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0009000000015136-44.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000015ca5-49.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x003500000001470b-53.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015cad-71.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015cf7-107.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015d6e-123.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015f9e-130.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015f1b-127.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015d5d-117.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015d06-112.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015cec-101.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015cca-86.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015cdb-83.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015cc1-74.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015cb9-70.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 52 IoCs

resource	yara_rule
behavioral1/memory/2964-0-0x000000013F330000-0x000000013F684000-memory.dmp	UPX
behavioral1/files/0x000c00000001444f-3.dat	UPX
behavioral1/files/0x00070000000149ea-12.dat	UPX
behavioral1/files/0x0035000000014701-16.dat	UPX
behavioral1/memory/2632-22-0x000000013FB30000-0x000000013FE84000-memory.dmp	UPX
behavioral1/memory/2552-20-0x000000013F4E0000-0x000000013F834000-memory.dmp	UPX
behavioral1/memory/2044-14-0x000000013FE80000-0x00000001401D4000-memory.dmp	UPX
behavioral1/files/0x0007000000014b12-25.dat	UPX
behavioral1/memory/2520-33-0x000000013F750000-0x000000013FAA4000-memory.dmp	UPX
behavioral1/files/0x0007000000014c25-31.dat	UPX
behavioral1/memory/1280-35-0x000000013FD00000-0x0000000140054000-memory.dmp	UPX
behavioral1/files/0x0007000000014e5a-38.dat	UPX
behavioral1/files/0x0009000000015136-44.dat	UPX
behavioral1/memory/2724-46-0x000000013F950000-0x000000013FCA4000-memory.dmp	UPX
behavioral1/memory/2948-48-0x000000013F3B0000-0x000000013F704000-memory.dmp	UPX
behavioral1/files/0x0007000000015ca5-49.dat	UPX
behavioral1/files/0x003500000001470b-53.dat	UPX
behavioral1/memory/2044-66-0x000000013FE80000-0x00000001401D4000-memory.dmp	UPX
behavioral1/files/0x0006000000015cad-71.dat	UPX
behavioral1/memory/2524-82-0x000000013F1C0000-0x000000013F514000-memory.dmp	UPX
behavioral1/memory/2532-89-0x000000013FC90000-0x000000013FFE4000-memory.dmp	UPX
behavioral1/memory/2688-98-0x000000013F1C0000-0x000000013F514000-memory.dmp	UPX
behavioral1/memory/2772-97-0x000000013F180000-0x000000013F4D4000-memory.dmp	UPX
behavioral1/memory/2464-96-0x000000013FDA0000-0x00000001400F4000-memory.dmp	UPX
behavioral1/memory/2164-91-0x000000013F640000-0x000000013F994000-memory.dmp	UPX
behavioral1/files/0x0006000000015cf7-107.dat	UPX
behavioral1/files/0x0006000000015d6e-123.dat	UPX
behavioral1/files/0x0006000000015f9e-130.dat	UPX
behavioral1/files/0x0006000000015f1b-127.dat	UPX
behavioral1/files/0x0006000000015d5d-117.dat	UPX
behavioral1/files/0x0006000000015d06-112.dat	UPX
behavioral1/files/0x0006000000015cec-101.dat	UPX
behavioral1/files/0x0006000000015cca-86.dat	UPX
behavioral1/memory/2428-84-0x000000013FFF0000-0x0000000140344000-memory.dmp	UPX
behavioral1/files/0x0006000000015cdb-83.dat	UPX
behavioral1/files/0x0006000000015cc1-74.dat	UPX
behavioral1/files/0x0006000000015cb9-70.dat	UPX
behavioral1/memory/2964-57-0x000000013F330000-0x000000013F684000-memory.dmp	UPX
behavioral1/memory/2044-135-0x000000013FE80000-0x00000001401D4000-memory.dmp	UPX
behavioral1/memory/2552-136-0x000000013F4E0000-0x000000013F834000-memory.dmp	UPX
behavioral1/memory/2632-137-0x000000013FB30000-0x000000013FE84000-memory.dmp	UPX
behavioral1/memory/2520-138-0x000000013F750000-0x000000013FAA4000-memory.dmp	UPX
behavioral1/memory/1280-139-0x000000013FD00000-0x0000000140054000-memory.dmp	UPX
behavioral1/memory/2724-140-0x000000013F950000-0x000000013FCA4000-memory.dmp	UPX
behavioral1/memory/2948-141-0x000000013F3B0000-0x000000013F704000-memory.dmp	UPX
behavioral1/memory/2524-142-0x000000013F1C0000-0x000000013F514000-memory.dmp	UPX
behavioral1/memory/2428-143-0x000000013FFF0000-0x0000000140344000-memory.dmp	UPX
behavioral1/memory/2164-144-0x000000013F640000-0x000000013F994000-memory.dmp	UPX
behavioral1/memory/2532-145-0x000000013FC90000-0x000000013FFE4000-memory.dmp	UPX
behavioral1/memory/2464-147-0x000000013FDA0000-0x00000001400F4000-memory.dmp	UPX
behavioral1/memory/2772-146-0x000000013F180000-0x000000013F4D4000-memory.dmp	UPX
behavioral1/memory/2688-148-0x000000013F1C0000-0x000000013F514000-memory.dmp	UPX

XMRig Miner payload 54 IoCs

miner

resource	yara_rule
behavioral1/memory/2964-0-0x000000013F330000-0x000000013F684000-memory.dmp	xmrig
behavioral1/files/0x000c00000001444f-3.dat	xmrig
behavioral1/files/0x00070000000149ea-12.dat	xmrig
behavioral1/files/0x0035000000014701-16.dat	xmrig
behavioral1/memory/2632-22-0x000000013FB30000-0x000000013FE84000-memory.dmp	xmrig
behavioral1/memory/2552-20-0x000000013F4E0000-0x000000013F834000-memory.dmp	xmrig
behavioral1/memory/2044-14-0x000000013FE80000-0x00000001401D4000-memory.dmp	xmrig
behavioral1/files/0x0007000000014b12-25.dat	xmrig
behavioral1/memory/2520-33-0x000000013F750000-0x000000013FAA4000-memory.dmp	xmrig
behavioral1/files/0x0007000000014c25-31.dat	xmrig
behavioral1/memory/1280-35-0x000000013FD00000-0x0000000140054000-memory.dmp	xmrig
behavioral1/files/0x0007000000014e5a-38.dat	xmrig
behavioral1/files/0x0009000000015136-44.dat	xmrig
behavioral1/memory/2724-46-0x000000013F950000-0x000000013FCA4000-memory.dmp	xmrig
behavioral1/memory/2948-48-0x000000013F3B0000-0x000000013F704000-memory.dmp	xmrig
behavioral1/files/0x0007000000015ca5-49.dat	xmrig
behavioral1/files/0x003500000001470b-53.dat	xmrig
behavioral1/memory/2044-66-0x000000013FE80000-0x00000001401D4000-memory.dmp	xmrig
behavioral1/files/0x0006000000015cad-71.dat	xmrig
behavioral1/memory/2524-82-0x000000013F1C0000-0x000000013F514000-memory.dmp	xmrig
behavioral1/memory/2532-89-0x000000013FC90000-0x000000013FFE4000-memory.dmp	xmrig
behavioral1/memory/2964-92-0x00000000023F0000-0x0000000002744000-memory.dmp	xmrig
behavioral1/memory/2688-98-0x000000013F1C0000-0x000000013F514000-memory.dmp	xmrig
behavioral1/memory/2772-97-0x000000013F180000-0x000000013F4D4000-memory.dmp	xmrig
behavioral1/memory/2464-96-0x000000013FDA0000-0x00000001400F4000-memory.dmp	xmrig
behavioral1/memory/2164-91-0x000000013F640000-0x000000013F994000-memory.dmp	xmrig
behavioral1/files/0x0006000000015cf7-107.dat	xmrig
behavioral1/files/0x0006000000015d6e-123.dat	xmrig
behavioral1/files/0x0006000000015f9e-130.dat	xmrig
behavioral1/files/0x0006000000015f1b-127.dat	xmrig
behavioral1/files/0x0006000000015d5d-117.dat	xmrig
behavioral1/files/0x0006000000015d06-112.dat	xmrig
behavioral1/files/0x0006000000015cec-101.dat	xmrig
behavioral1/files/0x0006000000015cca-86.dat	xmrig
behavioral1/memory/2964-85-0x000000013FDA0000-0x00000001400F4000-memory.dmp	xmrig
behavioral1/memory/2428-84-0x000000013FFF0000-0x0000000140344000-memory.dmp	xmrig
behavioral1/files/0x0006000000015cdb-83.dat	xmrig
behavioral1/files/0x0006000000015cc1-74.dat	xmrig
behavioral1/files/0x0006000000015cb9-70.dat	xmrig
behavioral1/memory/2964-57-0x000000013F330000-0x000000013F684000-memory.dmp	xmrig
behavioral1/memory/2044-135-0x000000013FE80000-0x00000001401D4000-memory.dmp	xmrig
behavioral1/memory/2552-136-0x000000013F4E0000-0x000000013F834000-memory.dmp	xmrig
behavioral1/memory/2632-137-0x000000013FB30000-0x000000013FE84000-memory.dmp	xmrig
behavioral1/memory/2520-138-0x000000013F750000-0x000000013FAA4000-memory.dmp	xmrig
behavioral1/memory/1280-139-0x000000013FD00000-0x0000000140054000-memory.dmp	xmrig
behavioral1/memory/2724-140-0x000000013F950000-0x000000013FCA4000-memory.dmp	xmrig
behavioral1/memory/2948-141-0x000000013F3B0000-0x000000013F704000-memory.dmp	xmrig
behavioral1/memory/2524-142-0x000000013F1C0000-0x000000013F514000-memory.dmp	xmrig
behavioral1/memory/2428-143-0x000000013FFF0000-0x0000000140344000-memory.dmp	xmrig
behavioral1/memory/2164-144-0x000000013F640000-0x000000013F994000-memory.dmp	xmrig
behavioral1/memory/2532-145-0x000000013FC90000-0x000000013FFE4000-memory.dmp	xmrig
behavioral1/memory/2464-147-0x000000013FDA0000-0x00000001400F4000-memory.dmp	xmrig
behavioral1/memory/2772-146-0x000000013F180000-0x000000013F4D4000-memory.dmp	xmrig
behavioral1/memory/2688-148-0x000000013F1C0000-0x000000013F514000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2044	iRfgMzB.exe
2552	ljWTXfj.exe
2632	FdZmLdA.exe
2520	HdcaJXk.exe
1280	tsZqDdB.exe
2724	xsoBMOH.exe
2948	PsKiUkg.exe
2524	hsoIazQ.exe
2428	qDNaMUa.exe
2464	xvBdXBp.exe
2532	BdHtLTY.exe
2164	lzjjQBG.exe
2772	PipQyAX.exe
2688	psWJsIP.exe
2388	esnSKaR.exe
2140	cIyECpM.exe
1360	yDADpUE.exe
2400	orCqatn.exe
1848	yOJQYNV.exe
1588	OYGLNQa.exe
1444	YPXiKpW.exe

Loads dropped DLL 21 IoCs

pid	Process
2964	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe
2964	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe
2964	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe
2964	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe
2964	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe
2964	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe
2964	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe
2964	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe
2964	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe
2964	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe
2964	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe
2964	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe
2964	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe
2964	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe
2964	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe
2964	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe
2964	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe
2964	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe
2964	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe
2964	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe
2964	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe

UPX packed file 53 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2964-0-0x000000013F330000-0x000000013F684000-memory.dmp	upx
behavioral1/files/0x000c00000001444f-3.dat	upx
behavioral1/files/0x00070000000149ea-12.dat	upx
behavioral1/files/0x0035000000014701-16.dat	upx
behavioral1/memory/2632-22-0x000000013FB30000-0x000000013FE84000-memory.dmp	upx
behavioral1/memory/2552-20-0x000000013F4E0000-0x000000013F834000-memory.dmp	upx
behavioral1/memory/2044-14-0x000000013FE80000-0x00000001401D4000-memory.dmp	upx
behavioral1/files/0x0007000000014b12-25.dat	upx
behavioral1/memory/2520-33-0x000000013F750000-0x000000013FAA4000-memory.dmp	upx
behavioral1/files/0x0007000000014c25-31.dat	upx
behavioral1/memory/1280-35-0x000000013FD00000-0x0000000140054000-memory.dmp	upx
behavioral1/files/0x0007000000014e5a-38.dat	upx
behavioral1/files/0x0009000000015136-44.dat	upx
behavioral1/memory/2724-46-0x000000013F950000-0x000000013FCA4000-memory.dmp	upx
behavioral1/memory/2948-48-0x000000013F3B0000-0x000000013F704000-memory.dmp	upx
behavioral1/files/0x0007000000015ca5-49.dat	upx
behavioral1/files/0x003500000001470b-53.dat	upx
behavioral1/memory/2044-66-0x000000013FE80000-0x00000001401D4000-memory.dmp	upx
behavioral1/files/0x0006000000015cad-71.dat	upx
behavioral1/memory/2524-82-0x000000013F1C0000-0x000000013F514000-memory.dmp	upx
behavioral1/memory/2532-89-0x000000013FC90000-0x000000013FFE4000-memory.dmp	upx
behavioral1/memory/2964-94-0x00000000023F0000-0x0000000002744000-memory.dmp	upx
behavioral1/memory/2688-98-0x000000013F1C0000-0x000000013F514000-memory.dmp	upx
behavioral1/memory/2772-97-0x000000013F180000-0x000000013F4D4000-memory.dmp	upx
behavioral1/memory/2464-96-0x000000013FDA0000-0x00000001400F4000-memory.dmp	upx
behavioral1/memory/2164-91-0x000000013F640000-0x000000013F994000-memory.dmp	upx
behavioral1/files/0x0006000000015cf7-107.dat	upx
behavioral1/files/0x0006000000015d6e-123.dat	upx
behavioral1/files/0x0006000000015f9e-130.dat	upx
behavioral1/files/0x0006000000015f1b-127.dat	upx
behavioral1/files/0x0006000000015d5d-117.dat	upx
behavioral1/files/0x0006000000015d06-112.dat	upx
behavioral1/files/0x0006000000015cec-101.dat	upx
behavioral1/files/0x0006000000015cca-86.dat	upx
behavioral1/memory/2428-84-0x000000013FFF0000-0x0000000140344000-memory.dmp	upx
behavioral1/files/0x0006000000015cdb-83.dat	upx
behavioral1/files/0x0006000000015cc1-74.dat	upx
behavioral1/files/0x0006000000015cb9-70.dat	upx
behavioral1/memory/2964-57-0x000000013F330000-0x000000013F684000-memory.dmp	upx
behavioral1/memory/2044-135-0x000000013FE80000-0x00000001401D4000-memory.dmp	upx
behavioral1/memory/2552-136-0x000000013F4E0000-0x000000013F834000-memory.dmp	upx
behavioral1/memory/2632-137-0x000000013FB30000-0x000000013FE84000-memory.dmp	upx
behavioral1/memory/2520-138-0x000000013F750000-0x000000013FAA4000-memory.dmp	upx
behavioral1/memory/1280-139-0x000000013FD00000-0x0000000140054000-memory.dmp	upx
behavioral1/memory/2724-140-0x000000013F950000-0x000000013FCA4000-memory.dmp	upx
behavioral1/memory/2948-141-0x000000013F3B0000-0x000000013F704000-memory.dmp	upx
behavioral1/memory/2524-142-0x000000013F1C0000-0x000000013F514000-memory.dmp	upx
behavioral1/memory/2428-143-0x000000013FFF0000-0x0000000140344000-memory.dmp	upx
behavioral1/memory/2164-144-0x000000013F640000-0x000000013F994000-memory.dmp	upx
behavioral1/memory/2532-145-0x000000013FC90000-0x000000013FFE4000-memory.dmp	upx
behavioral1/memory/2464-147-0x000000013FDA0000-0x00000001400F4000-memory.dmp	upx
behavioral1/memory/2772-146-0x000000013F180000-0x000000013F4D4000-memory.dmp	upx
behavioral1/memory/2688-148-0x000000013F1C0000-0x000000013F514000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\xvBdXBp.exe	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\yDADpUE.exe	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\yOJQYNV.exe	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\OYGLNQa.exe	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\tsZqDdB.exe	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\BdHtLTY.exe	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\FdZmLdA.exe	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\HdcaJXk.exe	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\xsoBMOH.exe	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\qDNaMUa.exe	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\iRfgMzB.exe	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ljWTXfj.exe	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\orCqatn.exe	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\esnSKaR.exe	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\cIyECpM.exe	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\lzjjQBG.exe	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\psWJsIP.exe	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\PipQyAX.exe	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\YPXiKpW.exe	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\PsKiUkg.exe	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\hsoIazQ.exe	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2964	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	2964	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2964 wrote to memory of 2044	2964	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe	29
PID 2964 wrote to memory of 2044	2964	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe	29
PID 2964 wrote to memory of 2044	2964	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe	29
PID 2964 wrote to memory of 2552	2964	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe	30
PID 2964 wrote to memory of 2552	2964	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe	30
PID 2964 wrote to memory of 2552	2964	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe	30
PID 2964 wrote to memory of 2632	2964	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe	31
PID 2964 wrote to memory of 2632	2964	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe	31
PID 2964 wrote to memory of 2632	2964	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe	31
PID 2964 wrote to memory of 2520	2964	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe	32
PID 2964 wrote to memory of 2520	2964	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe	32
PID 2964 wrote to memory of 2520	2964	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe	32
PID 2964 wrote to memory of 1280	2964	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe	33
PID 2964 wrote to memory of 1280	2964	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe	33
PID 2964 wrote to memory of 1280	2964	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe	33
PID 2964 wrote to memory of 2724	2964	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe	34
PID 2964 wrote to memory of 2724	2964	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe	34
PID 2964 wrote to memory of 2724	2964	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe	34
PID 2964 wrote to memory of 2948	2964	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe	35
PID 2964 wrote to memory of 2948	2964	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe	35
PID 2964 wrote to memory of 2948	2964	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe	35
PID 2964 wrote to memory of 2524	2964	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe	36
PID 2964 wrote to memory of 2524	2964	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe	36
PID 2964 wrote to memory of 2524	2964	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe	36
PID 2964 wrote to memory of 2428	2964	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe	37
PID 2964 wrote to memory of 2428	2964	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe	37
PID 2964 wrote to memory of 2428	2964	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe	37
PID 2964 wrote to memory of 2532	2964	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe	38
PID 2964 wrote to memory of 2532	2964	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe	38
PID 2964 wrote to memory of 2532	2964	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe	38
PID 2964 wrote to memory of 2464	2964	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe	39
PID 2964 wrote to memory of 2464	2964	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe	39
PID 2964 wrote to memory of 2464	2964	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe	39
PID 2964 wrote to memory of 2164	2964	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe	40
PID 2964 wrote to memory of 2164	2964	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe	40
PID 2964 wrote to memory of 2164	2964	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe	40
PID 2964 wrote to memory of 2688	2964	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe	41
PID 2964 wrote to memory of 2688	2964	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe	41
PID 2964 wrote to memory of 2688	2964	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe	41
PID 2964 wrote to memory of 2772	2964	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe	42
PID 2964 wrote to memory of 2772	2964	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe	42
PID 2964 wrote to memory of 2772	2964	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe	42
PID 2964 wrote to memory of 2388	2964	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe	43
PID 2964 wrote to memory of 2388	2964	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe	43
PID 2964 wrote to memory of 2388	2964	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe	43
PID 2964 wrote to memory of 2140	2964	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe	44
PID 2964 wrote to memory of 2140	2964	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe	44
PID 2964 wrote to memory of 2140	2964	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe	44
PID 2964 wrote to memory of 1360	2964	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe	45
PID 2964 wrote to memory of 1360	2964	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe	45
PID 2964 wrote to memory of 1360	2964	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe	45
PID 2964 wrote to memory of 2400	2964	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe	46
PID 2964 wrote to memory of 2400	2964	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe	46
PID 2964 wrote to memory of 2400	2964	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe	46
PID 2964 wrote to memory of 1848	2964	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe	47
PID 2964 wrote to memory of 1848	2964	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe	47
PID 2964 wrote to memory of 1848	2964	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe	47
PID 2964 wrote to memory of 1588	2964	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe	48
PID 2964 wrote to memory of 1588	2964	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe	48
PID 2964 wrote to memory of 1588	2964	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe	48
PID 2964 wrote to memory of 1444	2964	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe	49
PID 2964 wrote to memory of 1444	2964	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe	49
PID 2964 wrote to memory of 1444	2964	2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe	49

C:\Users\Admin\AppData\Local\Temp\2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-03_5a2e6ce520fb33fada7eb5729843e515_cobalt-strike_cobaltstrike.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2964
- C:\Windows\System\iRfgMzB.exe
  C:\Windows\System\iRfgMzB.exe
  2⤵
  - Executes dropped EXE
  PID:2044
- C:\Windows\System\ljWTXfj.exe
  C:\Windows\System\ljWTXfj.exe
  2⤵
  - Executes dropped EXE
  PID:2552
- C:\Windows\System\FdZmLdA.exe
  C:\Windows\System\FdZmLdA.exe
  2⤵
  - Executes dropped EXE
  PID:2632
- C:\Windows\System\HdcaJXk.exe
  C:\Windows\System\HdcaJXk.exe
  2⤵
  - Executes dropped EXE
  PID:2520
- C:\Windows\System\tsZqDdB.exe
  C:\Windows\System\tsZqDdB.exe
  2⤵
  - Executes dropped EXE
  PID:1280
- C:\Windows\System\xsoBMOH.exe
  C:\Windows\System\xsoBMOH.exe
  2⤵
  - Executes dropped EXE
  PID:2724
- C:\Windows\System\PsKiUkg.exe
  C:\Windows\System\PsKiUkg.exe
  2⤵
  - Executes dropped EXE
  PID:2948
- C:\Windows\System\hsoIazQ.exe
  C:\Windows\System\hsoIazQ.exe
  2⤵
  - Executes dropped EXE
  PID:2524
- C:\Windows\System\qDNaMUa.exe
  C:\Windows\System\qDNaMUa.exe
  2⤵
  - Executes dropped EXE
  PID:2428
- C:\Windows\System\BdHtLTY.exe
  C:\Windows\System\BdHtLTY.exe
  2⤵
  - Executes dropped EXE
  PID:2532
- C:\Windows\System\xvBdXBp.exe
  C:\Windows\System\xvBdXBp.exe
  2⤵
  - Executes dropped EXE
  PID:2464
- C:\Windows\System\lzjjQBG.exe
  C:\Windows\System\lzjjQBG.exe
  2⤵
  - Executes dropped EXE
  PID:2164
- C:\Windows\System\psWJsIP.exe
  C:\Windows\System\psWJsIP.exe
  2⤵
  - Executes dropped EXE
  PID:2688
- C:\Windows\System\PipQyAX.exe
  C:\Windows\System\PipQyAX.exe
  2⤵
  - Executes dropped EXE
  PID:2772
- C:\Windows\System\esnSKaR.exe
  C:\Windows\System\esnSKaR.exe
  2⤵
  - Executes dropped EXE
  PID:2388
- C:\Windows\System\cIyECpM.exe
  C:\Windows\System\cIyECpM.exe
  2⤵
  - Executes dropped EXE
  PID:2140
- C:\Windows\System\yDADpUE.exe
  C:\Windows\System\yDADpUE.exe
  2⤵
  - Executes dropped EXE
  PID:1360
- C:\Windows\System\orCqatn.exe
  C:\Windows\System\orCqatn.exe
  2⤵
  - Executes dropped EXE
  PID:2400
- C:\Windows\System\yOJQYNV.exe
  C:\Windows\System\yOJQYNV.exe
  2⤵
  - Executes dropped EXE
  PID:1848
- C:\Windows\System\OYGLNQa.exe
  C:\Windows\System\OYGLNQa.exe
  2⤵
  - Executes dropped EXE
  PID:1588
- C:\Windows\System\YPXiKpW.exe
  C:\Windows\System\YPXiKpW.exe
  2⤵
  - Executes dropped EXE
  PID:1444

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\BdHtLTY.exe

Filesize
5.9MB

MD5
8a42b1c82d61f12c2a2852a0eee61c5c

SHA1
07edd8d6a18175d60245d6968ea025242fb3f439

SHA256
8359738e55b2788408d94354d1a38337eedbf727a975f71c7632b30564c8dd45

SHA512
9b776b37fb4f79eb0375302463f3fd3ac0ca029e10272e0b6dd03c999af51bed706324d4541c48b32c195b0c4ff663b3ec7b5389893909c8685fe3402d38379f

Download Submit
C:\Windows\system\HdcaJXk.exe

Filesize
5.9MB

MD5
079c32b0b0df2859b0bd5d57c8814d59

SHA1
41e64d752c7c714e0c2cb018c40e23e7b96855d5

SHA256
cd6307d8a545162d0ed52319141db4dd03d440104ca960e7335aebf85db8dca5

SHA512
8c35dcab5566af5a0b1f178776a384f64908e686dc744edf21c2399b2ec3f3af041221408ce09a3d9ddef6bf39345f41c177cd78c4e8b94f8849374f8c2978e3

Download Submit
C:\Windows\system\OYGLNQa.exe

Filesize
5.9MB

MD5
1c10eb8f7c8ab3dd6a4fbe0f94ed013b

SHA1
a7500aff9b68a594866d452d5f7ec96d7487668f

SHA256
f9da268410a196ce7584a3539bfdcb9deb930b13b1836f8fe4bd5789661901f4

SHA512
f132effa5b04615d2c325211234c78880f39b5c5579873ae02ff66d0e9fdf527f921edc685b4c0bd3401999a972b280974c97d141a3c0223e9c380425bdbf3a5

Download Submit
C:\Windows\system\PipQyAX.exe

Filesize
5.9MB

MD5
c81536c43c26a7ec162a2de538cc1620

SHA1
bb6120ee88ebec4638e9a67a4d8ed6e935ae5e61

SHA256
d15f18d3b50c31094002f6c247ab9aca617c859ca789e479a80f1337294816cc

SHA512
d4d468fb99e6bb53e97d66cdc394918b06fa2eead48ac3096662dfbc25dacd21efb39dcbb6d12eca0d724531e262c1e00c470cf7490d63134e490b80e6cfde10

Download Submit
C:\Windows\system\PsKiUkg.exe

Filesize
5.9MB

MD5
9d5a4f9ef8f48c5f1987f8843c60d66e

SHA1
a227dfd6f253852ac4327f9ab224b04c05b66df4

SHA256
21670e298cea13024376d5d400b62fff10cc0ef96f57d0132770c6a95c13681c

SHA512
7c936095aa63c8b9b768004bbefc289a88362eff97f89fd3922c68ae188eb5ccae99c5859c0f57690765a7b50d84966a3750f3f712ff88d91edff32b0ba5c31c

Download Submit
C:\Windows\system\cIyECpM.exe

Filesize
5.9MB

MD5
2631de9e685dc0811266de735242cd6e

SHA1
7ad9f2a4c4693ff73adbd156898489ad00f7444e

SHA256
f9d837e179d6c98400f1715f695af0cabff21b595477bebfe6c07cd2ccb9f92f

SHA512
a316d462f19bbe38313a1f06e2272da8fbd8613c4fef5b4cc6511821c0cc9dfd4f4e9a6b2c17867990b8b58d9c8cd1888f78f65a466edca9fc58bfa9402a3f80

Download Submit
C:\Windows\system\esnSKaR.exe

Filesize
5.9MB

MD5
ae9b471a8bec00be308312a00778298f

SHA1
a0b72555040254b02c9b16b9ee8a72da8cc1b701

SHA256
17726f210ecce51159ef58bb88c51be0a3ac46f9a117ea9d6e8763acac79c42a

SHA512
5ec50ef83874c4e71efae26ee48d9f1625d96b00a1b4e423cb3eef7f7aa7aa56a1926143b7fd1008cb4bd909d7d29d6c36769423c891e7118bb60017f51bbabb

Download Submit
C:\Windows\system\ljWTXfj.exe

Filesize
5.9MB

MD5
8495df2ee09e790eaa9151ec52955117

SHA1
15766d6fed4535defec103edb52223c461b9174b

SHA256
9c85338af644c5a2e0c5d1c1389d165e409acd4d38166537cc73a4fc407bc261

SHA512
4019c84585c30fa6a16b215f6944386bd83bec01b40163db8e0b1a09808110482380999681e0eea3b83833f22c5486c587a26787d6a03f99a6e4e671882ab445

Download Submit
C:\Windows\system\lzjjQBG.exe

Filesize
5.9MB

MD5
5589d1dad3fb1439eab63f0219af388c

SHA1
af792aaefbc2ad8bcf4c80847f7b9262aa6f78d4

SHA256
22822b860486932be5079cbb9ef3882f1168a919f002e3c4852a9d2b3b195b19

SHA512
4e1308104c308ded8ef67286dfa90958ac1ed8f25a0c53cdf80d3aeee3d03222e3c2197a3c3e04eaba224065a8dd71ca334a4a74429910ef7a4c88e3f729f71f

Download Submit
C:\Windows\system\orCqatn.exe

Filesize
5.9MB

MD5
c79a385bc60c2b66ec0b83b79adb5465

SHA1
820fd383d69416de2204356d652ab5c1d5955321

SHA256
44777204271abaff601a42ae4b52c1bc4a8cd81f4ec9fc8a01e945424c0e63e1

SHA512
d7d6fb63cb4ff8d83e6a57b7bac5c98694621e6c7a6ebc5e772e0fabdff1737bead929140809539b55ffbf22b9595d4d99bf3b8264d589f575ab6fdf6ebe879a

Download Submit
C:\Windows\system\psWJsIP.exe

Filesize
5.9MB

MD5
3a862fa89e2a76021e3da38cd437c3ee

SHA1
1c6514d71bb5edbaad09c11fd739d7f51ef7c7bc

SHA256
4b41c7e4ef1afe9494ae2ec3c4983860b4f0138e72430a1cd9e4015159e3143a

SHA512
1914c04b9bdd0f09d2fa955bcaf03db8194fe0eda2a479d5097bb52d6b16e880b7037d2bccbf97ac15248044b0fb7e1e1778f28ae8f5f3bd93d57a759c4457f0

Download Submit
C:\Windows\system\tsZqDdB.exe

Filesize
5.9MB

MD5
bebf86e0ac445134a8e4142efc98371c

SHA1
bdc1d9a2e574ec4d797eecb45047696454940ae6

SHA256
7c4c1740a5af6c97ca58bf4adda55037d3eb5575b325f340eecb98512fafec95

SHA512
1c761788b644f33b3f00358f0e04c981d8a9f9f4c6a06adc7d9a3bea7352d7890c598513496182cac02da130b98c8203d44d9ea1b53d208ee070c0c0c50201aa

Download Submit
C:\Windows\system\xsoBMOH.exe

Filesize
5.9MB

MD5
6090151462135f34b23e45f18847036f

SHA1
a90f77e77b2d0ade3b79a3e271d7c2bd3ea912e5

SHA256
92ec57d393c7196cccd69c18a0b416465a507d445eb2708f85e774412310a89f

SHA512
4dea48201bee5b352ce65523690f57798431c11dd6bb6bad09fbdc9f6100470e8b4ae9dca28e80bd52b1020f7b1a07c0fc55cea2de339f25909e5dd9e62fcb2d

Download Submit
C:\Windows\system\xvBdXBp.exe

Filesize
5.9MB

MD5
f98339196f5c1fa12fff120fffa05c6a

SHA1
c71480ac6b537ad11b76f553abec77abf9b13a2b

SHA256
dd0b2354743dddc9733688bca5156247bb2d4ad0a0f7c3b204b69acef2c81c86

SHA512
89c2b8aa84295d8e6bf15d7e3326c3a4cb17ff94a4f0a81d6a5d3459390edd9145f10ec2084c701167862728dcfa1367fa88f8e470f3d7544970d9d2c2efd7e5

Download Submit
C:\Windows\system\yDADpUE.exe

Filesize
5.9MB

MD5
09bf0758abe1ed0a7e01bd1cb1e104f8

SHA1
183449ce68c10568cc08ce02543d0b6d7541f1da

SHA256
60d915077bfbda3d3946d1739506f0ed4f043e72d331bd0d3a4fef129691a0a7

SHA512
feae8ea10e19d6c9d5c8bbf3ea47acb5c66f4bce5a6731e9f220ccd5de8c31d4f94f5fbee570c6924962792069b6174c0a3f710d742592dc05238e05a0ef203d

Download Submit
C:\Windows\system\yOJQYNV.exe

Filesize
5.9MB

MD5
2424164573a7ebf1451cc12a557a6be2

SHA1
28b13e7bc718c3a628ed16fea75169edda6a2fb7

SHA256
077d69987f429c92c0e0da923ee3873f220e9e57ddc2948d7a7cf3bbdeb21686

SHA512
4d1d639ee4b3322dde04bf9b5ef873b7727192481b7818ce02bfb130e910f8be1211486d35cea55c9084882df0d14c72e602754c0a1f0ede96ab407c82ec9052

Download Submit
\Windows\system\FdZmLdA.exe

Filesize
5.9MB

MD5
fc3d0e17a221b28bee69c53d9d4eca1b

SHA1
b7e40a63408e1a5179b2978a7883983aebc4eee3

SHA256
5a30c4923315f51351a652e97ef0119573ddea5a03510a8edbd1f8e48072da4f

SHA512
807d6b1f38598f84e8a688daa6886fa8460e549025028ec98471836c1e01a2cd57147e2bd5bed3af14eb79bfaec8eb7ff0c3a39a457de9c548bcb15921ab82e1

Download Submit
\Windows\system\YPXiKpW.exe

Filesize
5.9MB

MD5
13911a5b482cece33b5ea964f41eb40d

SHA1
d1739b499e52f77805a3e6f755b9316651709b98

SHA256
e10434872d69dfdb89e2fc56d4f5ac9c6421117cdfd4dbe894b5e0652c9fbded

SHA512
6cef2bd52070edca31d2e457499282e4b6c7466ee814fd073708ae632523425be20b4d9766956e43aabe2ffc7848829c058e03ea7931e7fc00e4ae04a0d36970

Download Submit
\Windows\system\hsoIazQ.exe

Filesize
5.9MB

MD5
235beef97a06af852cfec917d38d771c

SHA1
01db0dff1c616c1465b818f640fb7da90329876c

SHA256
ef470473fae688ad78aee9874f0c357b61175c1e8bf2a7c9852f0c38865d0928

SHA512
89d062c5fb8bf8d8d1932073c300ffb90eee8467c1609a149cc3e46ac9847466eaf61da4c7c966d0a93c37055fc2fbd3cc82c6bc86a20ac4e0c4f29b61370f87

Download Submit
\Windows\system\iRfgMzB.exe

Filesize
5.9MB

MD5
8c302a7cbc93de2219f76d390496be51

SHA1
85c1ae89e99c32f749113426d559dab333f153d8

SHA256
eee7bde20131198c02813027656e472afe914f8fd1b0f12b17d45cce0c44c978

SHA512
a591f7b32869410f9e943a26f0d2e2efcf15c91e63ae98bea1069effcc9c8eb40b3e54615ba955ccd46843d43c860486347c223310bc17ae777d5aed9ebe846b

Download Submit
\Windows\system\qDNaMUa.exe

Filesize
5.9MB

MD5
bcacd81b0dd3c8fdf472654090fec1f8

SHA1
bf96a2ff3befbbd732e444b29aa706003f4536c0

SHA256
ba801b559663016b05052c3b6e74b553bfa32e848c110c5e55a355ad8ff64511

SHA512
e1193082e828d74a5c52480c867a7245a6ab3960cb6e74bbff80916e9b2d0c10354696a26fb8eaeecb4bcdff0073aa327be08ef8f98e55e4e9142f5853d0f316

Download Submit
memory/1280-35-0x000000013FD00000-0x0000000140054000-memory.dmp

Filesize
3.3MB

Download
memory/1280-139-0x000000013FD00000-0x0000000140054000-memory.dmp

Filesize
3.3MB

Download
memory/2044-14-0x000000013FE80000-0x00000001401D4000-memory.dmp

Filesize
3.3MB

Download
memory/2044-135-0x000000013FE80000-0x00000001401D4000-memory.dmp

Filesize
3.3MB

Download
memory/2044-66-0x000000013FE80000-0x00000001401D4000-memory.dmp

Filesize
3.3MB

Download
memory/2164-144-0x000000013F640000-0x000000013F994000-memory.dmp

Filesize
3.3MB

Download
memory/2164-91-0x000000013F640000-0x000000013F994000-memory.dmp

Filesize
3.3MB

Download
memory/2428-143-0x000000013FFF0000-0x0000000140344000-memory.dmp

Filesize
3.3MB

Download
memory/2428-84-0x000000013FFF0000-0x0000000140344000-memory.dmp

Filesize
3.3MB

Download
memory/2464-147-0x000000013FDA0000-0x00000001400F4000-memory.dmp

Filesize
3.3MB

Download
memory/2464-96-0x000000013FDA0000-0x00000001400F4000-memory.dmp

Filesize
3.3MB

Download
memory/2520-33-0x000000013F750000-0x000000013FAA4000-memory.dmp

Filesize
3.3MB

Download
memory/2520-138-0x000000013F750000-0x000000013FAA4000-memory.dmp

Filesize
3.3MB

Download
memory/2524-82-0x000000013F1C0000-0x000000013F514000-memory.dmp

Filesize
3.3MB

Download
memory/2524-142-0x000000013F1C0000-0x000000013F514000-memory.dmp

Filesize
3.3MB

Download
memory/2532-89-0x000000013FC90000-0x000000013FFE4000-memory.dmp

Filesize
3.3MB

Download
memory/2532-145-0x000000013FC90000-0x000000013FFE4000-memory.dmp

Filesize
3.3MB

Download
memory/2552-136-0x000000013F4E0000-0x000000013F834000-memory.dmp

Filesize
3.3MB

Download
memory/2552-20-0x000000013F4E0000-0x000000013F834000-memory.dmp

Filesize
3.3MB

Download
memory/2632-22-0x000000013FB30000-0x000000013FE84000-memory.dmp

Filesize
3.3MB

Download
memory/2632-137-0x000000013FB30000-0x000000013FE84000-memory.dmp

Filesize
3.3MB

Download
memory/2688-98-0x000000013F1C0000-0x000000013F514000-memory.dmp

Filesize
3.3MB

Download
memory/2688-148-0x000000013F1C0000-0x000000013F514000-memory.dmp

Filesize
3.3MB

Download
memory/2724-140-0x000000013F950000-0x000000013FCA4000-memory.dmp

Filesize
3.3MB

Download
memory/2724-46-0x000000013F950000-0x000000013FCA4000-memory.dmp

Filesize
3.3MB

Download
memory/2772-97-0x000000013F180000-0x000000013F4D4000-memory.dmp

Filesize
3.3MB

Download
memory/2772-146-0x000000013F180000-0x000000013F4D4000-memory.dmp

Filesize
3.3MB

Download
memory/2948-141-0x000000013F3B0000-0x000000013F704000-memory.dmp

Filesize
3.3MB

Download
memory/2948-48-0x000000013F3B0000-0x000000013F704000-memory.dmp

Filesize
3.3MB

Download
memory/2964-92-0x00000000023F0000-0x0000000002744000-memory.dmp

Filesize
3.3MB

Download
memory/2964-134-0x00000000023F0000-0x0000000002744000-memory.dmp

Filesize
3.3MB

Download
memory/2964-57-0x000000013F330000-0x000000013F684000-memory.dmp

Filesize
3.3MB

Download
memory/2964-0-0x000000013F330000-0x000000013F684000-memory.dmp

Filesize
3.3MB

Download
memory/2964-1-0x00000000000F0000-0x0000000000100000-memory.dmp

Filesize
64KB

Download
memory/2964-85-0x000000013FDA0000-0x00000001400F4000-memory.dmp

Filesize
3.3MB

Download
memory/2964-7-0x000000013FE80000-0x00000001401D4000-memory.dmp

Filesize
3.3MB

Download
memory/2964-90-0x00000000023F0000-0x0000000002744000-memory.dmp

Filesize
3.3MB

Download
memory/2964-103-0x00000000023F0000-0x0000000002744000-memory.dmp

Filesize
3.3MB

Download
memory/2964-18-0x000000013FB30000-0x000000013FE84000-memory.dmp

Filesize
3.3MB

Download
memory/2964-93-0x000000013FC90000-0x000000013FFE4000-memory.dmp

Filesize
3.3MB

Download
memory/2964-95-0x00000000023F0000-0x0000000002744000-memory.dmp

Filesize
3.3MB

Download
memory/2964-94-0x00000000023F0000-0x0000000002744000-memory.dmp

Filesize
3.3MB

Download
memory/2964-34-0x000000013FD00000-0x0000000140054000-memory.dmp

Filesize
3.3MB

Download
memory/2964-47-0x00000000023F0000-0x0000000002744000-memory.dmp

Filesize
3.3MB

Download