cobaltstrike | 0f04e8c9f78b60649491b089bd3518bed98fc2cd9c0f61b83b9de32411d3726b

Analysis

max time kernel
140s
max time network
143s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
03/06/2024, 21:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-03_0f933a019dbd6d700171506c1605310e_cobalt-strike_cobaltstrike.exe
Size

5.2MB
MD5

0f933a019dbd6d700171506c1605310e
SHA1

fae7ae0aa5761b6c60ee3eeace34b948a0d79cd1
SHA256

0f04e8c9f78b60649491b089bd3518bed98fc2cd9c0f61b83b9de32411d3726b
SHA512

65de83ccf7ac80c3fda0796556b8efe9106291efad1bd3b5f8acb0677729af9ad880b3767bf91b4cefc458b22ab6da661b2e81c22f748ec606b7b3ef41d001f7
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6l2:RWWBibf56utgpPFotBER/mQ32lUy

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x000c000000015cce-3.dat	cobalt_reflective_dll
behavioral1/files/0x00070000000160cc-13.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015fa7-18.dat	cobalt_reflective_dll
behavioral1/files/0x00070000000161b3-23.dat	cobalt_reflective_dll
behavioral1/files/0x002a000000015d4c-9.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d1f-47.dat	cobalt_reflective_dll
behavioral1/files/0x00060000000173e5-89.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016fe8-82.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016db3-72.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d9f-64.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d36-54.dat	cobalt_reflective_dll
behavioral1/files/0x000600000001744c-101.dat	cobalt_reflective_dll
behavioral1/files/0x00070000000165f0-99.dat	cobalt_reflective_dll
behavioral1/files/0x000600000001739d-97.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016e78-95.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016da4-94.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d3a-70.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d32-63.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d16-62.dat	cobalt_reflective_dll
behavioral1/files/0x00070000000162c9-61.dat	cobalt_reflective_dll
behavioral1/files/0x000900000001654a-41.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

resource	yara_rule
behavioral1/files/0x000c000000015cce-3.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x00070000000160cc-13.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000015fa7-18.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x00070000000161b3-23.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x002a000000015d4c-9.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d1f-47.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x00060000000173e5-89.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016fe8-82.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016db3-72.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d9f-64.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d36-54.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x000600000001744c-101.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x00070000000165f0-99.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x000600000001739d-97.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016e78-95.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016da4-94.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d3a-70.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d32-63.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d16-62.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x00070000000162c9-61.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x000900000001654a-41.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 56 IoCs

resource	yara_rule
behavioral1/memory/384-0-0x000000013FE50000-0x00000001401A1000-memory.dmp	UPX
behavioral1/files/0x000c000000015cce-3.dat	UPX
behavioral1/files/0x00070000000160cc-13.dat	UPX
behavioral1/files/0x0007000000015fa7-18.dat	UPX
behavioral1/files/0x00070000000161b3-23.dat	UPX
behavioral1/files/0x002a000000015d4c-9.dat	UPX
behavioral1/memory/1856-116-0x000000013F8A0000-0x000000013FBF1000-memory.dmp	UPX
behavioral1/files/0x0006000000016d1f-47.dat	UPX
behavioral1/files/0x00060000000173e5-89.dat	UPX
behavioral1/memory/2176-85-0x000000013F2E0000-0x000000013F631000-memory.dmp	UPX
behavioral1/files/0x0006000000016fe8-82.dat	UPX
behavioral1/files/0x0006000000016db3-72.dat	UPX
behavioral1/files/0x0006000000016d9f-64.dat	UPX
behavioral1/files/0x0006000000016d36-54.dat	UPX
behavioral1/memory/2448-114-0x000000013FB90000-0x000000013FEE1000-memory.dmp	UPX
behavioral1/memory/2616-110-0x000000013FF00000-0x0000000140251000-memory.dmp	UPX
behavioral1/memory/2704-109-0x000000013FAC0000-0x000000013FE11000-memory.dmp	UPX
behavioral1/memory/2652-108-0x000000013FD00000-0x0000000140051000-memory.dmp	UPX
behavioral1/memory/2324-104-0x000000013FCC0000-0x0000000140011000-memory.dmp	UPX
behavioral1/files/0x000600000001744c-101.dat	UPX
behavioral1/files/0x00070000000165f0-99.dat	UPX
behavioral1/files/0x000600000001739d-97.dat	UPX
behavioral1/files/0x0006000000016e78-95.dat	UPX
behavioral1/files/0x0006000000016da4-94.dat	UPX
behavioral1/memory/1948-43-0x000000013F540000-0x000000013F891000-memory.dmp	UPX
behavioral1/memory/2556-81-0x000000013F580000-0x000000013F8D1000-memory.dmp	UPX
behavioral1/files/0x0006000000016d3a-70.dat	UPX
behavioral1/files/0x0006000000016d32-63.dat	UPX
behavioral1/files/0x0006000000016d16-62.dat	UPX
behavioral1/files/0x00070000000162c9-61.dat	UPX
behavioral1/files/0x000900000001654a-41.dat	UPX
behavioral1/memory/1708-33-0x000000013FC40000-0x000000013FF91000-memory.dmp	UPX
behavioral1/memory/384-131-0x000000013FE50000-0x00000001401A1000-memory.dmp	UPX
behavioral1/memory/2784-141-0x000000013FA90000-0x000000013FDE1000-memory.dmp	UPX
behavioral1/memory/2956-146-0x000000013F860000-0x000000013FBB1000-memory.dmp	UPX
behavioral1/memory/2440-152-0x000000013F880000-0x000000013FBD1000-memory.dmp	UPX
behavioral1/memory/2944-151-0x000000013F730000-0x000000013FA81000-memory.dmp	UPX
behavioral1/memory/2836-149-0x000000013F190000-0x000000013F4E1000-memory.dmp	UPX
behavioral1/memory/2208-148-0x000000013F030000-0x000000013F381000-memory.dmp	UPX
behavioral1/memory/2124-147-0x000000013FE80000-0x00000001401D1000-memory.dmp	UPX
behavioral1/memory/2528-145-0x000000013F540000-0x000000013F891000-memory.dmp	UPX
behavioral1/memory/2508-143-0x000000013F590000-0x000000013F8E1000-memory.dmp	UPX
behavioral1/memory/2612-139-0x000000013FA10000-0x000000013FD61000-memory.dmp	UPX
behavioral1/memory/2980-150-0x000000013FD90000-0x00000001400E1000-memory.dmp	UPX
behavioral1/memory/384-153-0x000000013FE50000-0x00000001401A1000-memory.dmp	UPX
behavioral1/memory/384-154-0x000000013FE50000-0x00000001401A1000-memory.dmp	UPX
behavioral1/memory/1708-202-0x000000013FC40000-0x000000013FF91000-memory.dmp	UPX
behavioral1/memory/1856-201-0x000000013F8A0000-0x000000013FBF1000-memory.dmp	UPX
behavioral1/memory/1948-204-0x000000013F540000-0x000000013F891000-memory.dmp	UPX
behavioral1/memory/2556-206-0x000000013F580000-0x000000013F8D1000-memory.dmp	UPX
behavioral1/memory/2176-208-0x000000013F2E0000-0x000000013F631000-memory.dmp	UPX
behavioral1/memory/2324-210-0x000000013FCC0000-0x0000000140011000-memory.dmp	UPX
behavioral1/memory/2616-212-0x000000013FF00000-0x0000000140251000-memory.dmp	UPX
behavioral1/memory/2652-221-0x000000013FD00000-0x0000000140051000-memory.dmp	UPX
behavioral1/memory/2704-231-0x000000013FAC0000-0x000000013FE11000-memory.dmp	UPX
behavioral1/memory/2448-235-0x000000013FB90000-0x000000013FEE1000-memory.dmp	UPX

XMRig Miner payload 34 IoCs

miner

resource	yara_rule
behavioral1/memory/1856-116-0x000000013F8A0000-0x000000013FBF1000-memory.dmp	xmrig
behavioral1/memory/2176-85-0x000000013F2E0000-0x000000013F631000-memory.dmp	xmrig
behavioral1/memory/2448-114-0x000000013FB90000-0x000000013FEE1000-memory.dmp	xmrig
behavioral1/memory/2616-110-0x000000013FF00000-0x0000000140251000-memory.dmp	xmrig
behavioral1/memory/2704-109-0x000000013FAC0000-0x000000013FE11000-memory.dmp	xmrig
behavioral1/memory/2652-108-0x000000013FD00000-0x0000000140051000-memory.dmp	xmrig
behavioral1/memory/2324-104-0x000000013FCC0000-0x0000000140011000-memory.dmp	xmrig
behavioral1/memory/1948-43-0x000000013F540000-0x000000013F891000-memory.dmp	xmrig
behavioral1/memory/2556-81-0x000000013F580000-0x000000013F8D1000-memory.dmp	xmrig
behavioral1/memory/1708-33-0x000000013FC40000-0x000000013FF91000-memory.dmp	xmrig
behavioral1/memory/384-131-0x000000013FE50000-0x00000001401A1000-memory.dmp	xmrig
behavioral1/memory/2784-141-0x000000013FA90000-0x000000013FDE1000-memory.dmp	xmrig
behavioral1/memory/2956-146-0x000000013F860000-0x000000013FBB1000-memory.dmp	xmrig
behavioral1/memory/2440-152-0x000000013F880000-0x000000013FBD1000-memory.dmp	xmrig
behavioral1/memory/2944-151-0x000000013F730000-0x000000013FA81000-memory.dmp	xmrig
behavioral1/memory/2836-149-0x000000013F190000-0x000000013F4E1000-memory.dmp	xmrig
behavioral1/memory/2208-148-0x000000013F030000-0x000000013F381000-memory.dmp	xmrig
behavioral1/memory/2124-147-0x000000013FE80000-0x00000001401D1000-memory.dmp	xmrig
behavioral1/memory/2528-145-0x000000013F540000-0x000000013F891000-memory.dmp	xmrig
behavioral1/memory/2508-143-0x000000013F590000-0x000000013F8E1000-memory.dmp	xmrig
behavioral1/memory/2612-139-0x000000013FA10000-0x000000013FD61000-memory.dmp	xmrig
behavioral1/memory/2980-150-0x000000013FD90000-0x00000001400E1000-memory.dmp	xmrig
behavioral1/memory/384-153-0x000000013FE50000-0x00000001401A1000-memory.dmp	xmrig
behavioral1/memory/384-154-0x000000013FE50000-0x00000001401A1000-memory.dmp	xmrig
behavioral1/memory/1708-202-0x000000013FC40000-0x000000013FF91000-memory.dmp	xmrig
behavioral1/memory/1856-201-0x000000013F8A0000-0x000000013FBF1000-memory.dmp	xmrig
behavioral1/memory/1948-204-0x000000013F540000-0x000000013F891000-memory.dmp	xmrig
behavioral1/memory/2556-206-0x000000013F580000-0x000000013F8D1000-memory.dmp	xmrig
behavioral1/memory/2176-208-0x000000013F2E0000-0x000000013F631000-memory.dmp	xmrig
behavioral1/memory/2324-210-0x000000013FCC0000-0x0000000140011000-memory.dmp	xmrig
behavioral1/memory/2616-212-0x000000013FF00000-0x0000000140251000-memory.dmp	xmrig
behavioral1/memory/2652-221-0x000000013FD00000-0x0000000140051000-memory.dmp	xmrig
behavioral1/memory/2704-231-0x000000013FAC0000-0x000000013FE11000-memory.dmp	xmrig
behavioral1/memory/2448-235-0x000000013FB90000-0x000000013FEE1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
1856	taywOEu.exe
1708	XLHIuxv.exe
1948	XrOIBnq.exe
2556	mpzfgYG.exe
2176	twRlrQS.exe
2324	RssdCEd.exe
2652	GltWjnH.exe
2704	YxXcyPu.exe
2616	GRZiBEV.exe
2448	WofIZeE.exe
2956	SnUZmaK.exe
2208	ItEYTPZ.exe
2980	ynWGFPi.exe
2612	DYuUGSz.exe
2440	ZeQvmLp.exe
2784	suXibPn.exe
2508	CLpmllq.exe
2528	vIAvbrx.exe
2124	QCrcLTd.exe
2836	LJWefHo.exe
2944	iEtOyqm.exe

Loads dropped DLL 21 IoCs

pid	Process
384	2024-06-03_0f933a019dbd6d700171506c1605310e_cobalt-strike_cobaltstrike.exe
384	2024-06-03_0f933a019dbd6d700171506c1605310e_cobalt-strike_cobaltstrike.exe
384	2024-06-03_0f933a019dbd6d700171506c1605310e_cobalt-strike_cobaltstrike.exe
384	2024-06-03_0f933a019dbd6d700171506c1605310e_cobalt-strike_cobaltstrike.exe
384	2024-06-03_0f933a019dbd6d700171506c1605310e_cobalt-strike_cobaltstrike.exe
384	2024-06-03_0f933a019dbd6d700171506c1605310e_cobalt-strike_cobaltstrike.exe
384	2024-06-03_0f933a019dbd6d700171506c1605310e_cobalt-strike_cobaltstrike.exe
384	2024-06-03_0f933a019dbd6d700171506c1605310e_cobalt-strike_cobaltstrike.exe
384	2024-06-03_0f933a019dbd6d700171506c1605310e_cobalt-strike_cobaltstrike.exe
384	2024-06-03_0f933a019dbd6d700171506c1605310e_cobalt-strike_cobaltstrike.exe
384	2024-06-03_0f933a019dbd6d700171506c1605310e_cobalt-strike_cobaltstrike.exe
384	2024-06-03_0f933a019dbd6d700171506c1605310e_cobalt-strike_cobaltstrike.exe
384	2024-06-03_0f933a019dbd6d700171506c1605310e_cobalt-strike_cobaltstrike.exe
384	2024-06-03_0f933a019dbd6d700171506c1605310e_cobalt-strike_cobaltstrike.exe
384	2024-06-03_0f933a019dbd6d700171506c1605310e_cobalt-strike_cobaltstrike.exe
384	2024-06-03_0f933a019dbd6d700171506c1605310e_cobalt-strike_cobaltstrike.exe
384	2024-06-03_0f933a019dbd6d700171506c1605310e_cobalt-strike_cobaltstrike.exe
384	2024-06-03_0f933a019dbd6d700171506c1605310e_cobalt-strike_cobaltstrike.exe
384	2024-06-03_0f933a019dbd6d700171506c1605310e_cobalt-strike_cobaltstrike.exe
384	2024-06-03_0f933a019dbd6d700171506c1605310e_cobalt-strike_cobaltstrike.exe
384	2024-06-03_0f933a019dbd6d700171506c1605310e_cobalt-strike_cobaltstrike.exe

UPX packed file 56 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/384-0-0x000000013FE50000-0x00000001401A1000-memory.dmp	upx
behavioral1/files/0x000c000000015cce-3.dat	upx
behavioral1/files/0x00070000000160cc-13.dat	upx
behavioral1/files/0x0007000000015fa7-18.dat	upx
behavioral1/files/0x00070000000161b3-23.dat	upx
behavioral1/files/0x002a000000015d4c-9.dat	upx
behavioral1/memory/1856-116-0x000000013F8A0000-0x000000013FBF1000-memory.dmp	upx
behavioral1/files/0x0006000000016d1f-47.dat	upx
behavioral1/files/0x00060000000173e5-89.dat	upx
behavioral1/memory/2176-85-0x000000013F2E0000-0x000000013F631000-memory.dmp	upx
behavioral1/files/0x0006000000016fe8-82.dat	upx
behavioral1/files/0x0006000000016db3-72.dat	upx
behavioral1/files/0x0006000000016d9f-64.dat	upx
behavioral1/files/0x0006000000016d36-54.dat	upx
behavioral1/memory/2448-114-0x000000013FB90000-0x000000013FEE1000-memory.dmp	upx
behavioral1/memory/2616-110-0x000000013FF00000-0x0000000140251000-memory.dmp	upx
behavioral1/memory/2704-109-0x000000013FAC0000-0x000000013FE11000-memory.dmp	upx
behavioral1/memory/2652-108-0x000000013FD00000-0x0000000140051000-memory.dmp	upx
behavioral1/memory/2324-104-0x000000013FCC0000-0x0000000140011000-memory.dmp	upx
behavioral1/files/0x000600000001744c-101.dat	upx
behavioral1/files/0x00070000000165f0-99.dat	upx
behavioral1/files/0x000600000001739d-97.dat	upx
behavioral1/files/0x0006000000016e78-95.dat	upx
behavioral1/files/0x0006000000016da4-94.dat	upx
behavioral1/memory/1948-43-0x000000013F540000-0x000000013F891000-memory.dmp	upx
behavioral1/memory/2556-81-0x000000013F580000-0x000000013F8D1000-memory.dmp	upx
behavioral1/files/0x0006000000016d3a-70.dat	upx
behavioral1/files/0x0006000000016d32-63.dat	upx
behavioral1/files/0x0006000000016d16-62.dat	upx
behavioral1/files/0x00070000000162c9-61.dat	upx
behavioral1/files/0x000900000001654a-41.dat	upx
behavioral1/memory/1708-33-0x000000013FC40000-0x000000013FF91000-memory.dmp	upx
behavioral1/memory/384-131-0x000000013FE50000-0x00000001401A1000-memory.dmp	upx
behavioral1/memory/2784-141-0x000000013FA90000-0x000000013FDE1000-memory.dmp	upx
behavioral1/memory/2956-146-0x000000013F860000-0x000000013FBB1000-memory.dmp	upx
behavioral1/memory/2440-152-0x000000013F880000-0x000000013FBD1000-memory.dmp	upx
behavioral1/memory/2944-151-0x000000013F730000-0x000000013FA81000-memory.dmp	upx
behavioral1/memory/2836-149-0x000000013F190000-0x000000013F4E1000-memory.dmp	upx
behavioral1/memory/2208-148-0x000000013F030000-0x000000013F381000-memory.dmp	upx
behavioral1/memory/2124-147-0x000000013FE80000-0x00000001401D1000-memory.dmp	upx
behavioral1/memory/2528-145-0x000000013F540000-0x000000013F891000-memory.dmp	upx
behavioral1/memory/2508-143-0x000000013F590000-0x000000013F8E1000-memory.dmp	upx
behavioral1/memory/2612-139-0x000000013FA10000-0x000000013FD61000-memory.dmp	upx
behavioral1/memory/2980-150-0x000000013FD90000-0x00000001400E1000-memory.dmp	upx
behavioral1/memory/384-153-0x000000013FE50000-0x00000001401A1000-memory.dmp	upx
behavioral1/memory/384-154-0x000000013FE50000-0x00000001401A1000-memory.dmp	upx
behavioral1/memory/1708-202-0x000000013FC40000-0x000000013FF91000-memory.dmp	upx
behavioral1/memory/1856-201-0x000000013F8A0000-0x000000013FBF1000-memory.dmp	upx
behavioral1/memory/1948-204-0x000000013F540000-0x000000013F891000-memory.dmp	upx
behavioral1/memory/2556-206-0x000000013F580000-0x000000013F8D1000-memory.dmp	upx
behavioral1/memory/2176-208-0x000000013F2E0000-0x000000013F631000-memory.dmp	upx
behavioral1/memory/2324-210-0x000000013FCC0000-0x0000000140011000-memory.dmp	upx
behavioral1/memory/2616-212-0x000000013FF00000-0x0000000140251000-memory.dmp	upx
behavioral1/memory/2652-221-0x000000013FD00000-0x0000000140051000-memory.dmp	upx
behavioral1/memory/2704-231-0x000000013FAC0000-0x000000013FE11000-memory.dmp	upx
behavioral1/memory/2448-235-0x000000013FB90000-0x000000013FEE1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\suXibPn.exe	2024-06-03_0f933a019dbd6d700171506c1605310e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ynWGFPi.exe	2024-06-03_0f933a019dbd6d700171506c1605310e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\WofIZeE.exe	2024-06-03_0f933a019dbd6d700171506c1605310e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ItEYTPZ.exe	2024-06-03_0f933a019dbd6d700171506c1605310e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\iEtOyqm.exe	2024-06-03_0f933a019dbd6d700171506c1605310e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ZeQvmLp.exe	2024-06-03_0f933a019dbd6d700171506c1605310e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\QCrcLTd.exe	2024-06-03_0f933a019dbd6d700171506c1605310e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\XrOIBnq.exe	2024-06-03_0f933a019dbd6d700171506c1605310e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\GltWjnH.exe	2024-06-03_0f933a019dbd6d700171506c1605310e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\RssdCEd.exe	2024-06-03_0f933a019dbd6d700171506c1605310e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\DYuUGSz.exe	2024-06-03_0f933a019dbd6d700171506c1605310e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\GRZiBEV.exe	2024-06-03_0f933a019dbd6d700171506c1605310e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\SnUZmaK.exe	2024-06-03_0f933a019dbd6d700171506c1605310e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\vIAvbrx.exe	2024-06-03_0f933a019dbd6d700171506c1605310e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\LJWefHo.exe	2024-06-03_0f933a019dbd6d700171506c1605310e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\taywOEu.exe	2024-06-03_0f933a019dbd6d700171506c1605310e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\XLHIuxv.exe	2024-06-03_0f933a019dbd6d700171506c1605310e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\twRlrQS.exe	2024-06-03_0f933a019dbd6d700171506c1605310e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\mpzfgYG.exe	2024-06-03_0f933a019dbd6d700171506c1605310e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\YxXcyPu.exe	2024-06-03_0f933a019dbd6d700171506c1605310e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\CLpmllq.exe	2024-06-03_0f933a019dbd6d700171506c1605310e_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	384	2024-06-03_0f933a019dbd6d700171506c1605310e_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	384	2024-06-03_0f933a019dbd6d700171506c1605310e_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 384 wrote to memory of 1856	384	2024-06-03_0f933a019dbd6d700171506c1605310e_cobalt-strike_cobaltstrike.exe	29
PID 384 wrote to memory of 1856	384	2024-06-03_0f933a019dbd6d700171506c1605310e_cobalt-strike_cobaltstrike.exe	29
PID 384 wrote to memory of 1856	384	2024-06-03_0f933a019dbd6d700171506c1605310e_cobalt-strike_cobaltstrike.exe	29
PID 384 wrote to memory of 1708	384	2024-06-03_0f933a019dbd6d700171506c1605310e_cobalt-strike_cobaltstrike.exe	30
PID 384 wrote to memory of 1708	384	2024-06-03_0f933a019dbd6d700171506c1605310e_cobalt-strike_cobaltstrike.exe	30
PID 384 wrote to memory of 1708	384	2024-06-03_0f933a019dbd6d700171506c1605310e_cobalt-strike_cobaltstrike.exe	30
PID 384 wrote to memory of 1948	384	2024-06-03_0f933a019dbd6d700171506c1605310e_cobalt-strike_cobaltstrike.exe	31
PID 384 wrote to memory of 1948	384	2024-06-03_0f933a019dbd6d700171506c1605310e_cobalt-strike_cobaltstrike.exe	31
PID 384 wrote to memory of 1948	384	2024-06-03_0f933a019dbd6d700171506c1605310e_cobalt-strike_cobaltstrike.exe	31
PID 384 wrote to memory of 2176	384	2024-06-03_0f933a019dbd6d700171506c1605310e_cobalt-strike_cobaltstrike.exe	32
PID 384 wrote to memory of 2176	384	2024-06-03_0f933a019dbd6d700171506c1605310e_cobalt-strike_cobaltstrike.exe	32
PID 384 wrote to memory of 2176	384	2024-06-03_0f933a019dbd6d700171506c1605310e_cobalt-strike_cobaltstrike.exe	32
PID 384 wrote to memory of 2556	384	2024-06-03_0f933a019dbd6d700171506c1605310e_cobalt-strike_cobaltstrike.exe	33
PID 384 wrote to memory of 2556	384	2024-06-03_0f933a019dbd6d700171506c1605310e_cobalt-strike_cobaltstrike.exe	33
PID 384 wrote to memory of 2556	384	2024-06-03_0f933a019dbd6d700171506c1605310e_cobalt-strike_cobaltstrike.exe	33
PID 384 wrote to memory of 2652	384	2024-06-03_0f933a019dbd6d700171506c1605310e_cobalt-strike_cobaltstrike.exe	34
PID 384 wrote to memory of 2652	384	2024-06-03_0f933a019dbd6d700171506c1605310e_cobalt-strike_cobaltstrike.exe	34
PID 384 wrote to memory of 2652	384	2024-06-03_0f933a019dbd6d700171506c1605310e_cobalt-strike_cobaltstrike.exe	34
PID 384 wrote to memory of 2324	384	2024-06-03_0f933a019dbd6d700171506c1605310e_cobalt-strike_cobaltstrike.exe	35
PID 384 wrote to memory of 2324	384	2024-06-03_0f933a019dbd6d700171506c1605310e_cobalt-strike_cobaltstrike.exe	35
PID 384 wrote to memory of 2324	384	2024-06-03_0f933a019dbd6d700171506c1605310e_cobalt-strike_cobaltstrike.exe	35
PID 384 wrote to memory of 2612	384	2024-06-03_0f933a019dbd6d700171506c1605310e_cobalt-strike_cobaltstrike.exe	36
PID 384 wrote to memory of 2612	384	2024-06-03_0f933a019dbd6d700171506c1605310e_cobalt-strike_cobaltstrike.exe	36
PID 384 wrote to memory of 2612	384	2024-06-03_0f933a019dbd6d700171506c1605310e_cobalt-strike_cobaltstrike.exe	36
PID 384 wrote to memory of 2704	384	2024-06-03_0f933a019dbd6d700171506c1605310e_cobalt-strike_cobaltstrike.exe	37
PID 384 wrote to memory of 2704	384	2024-06-03_0f933a019dbd6d700171506c1605310e_cobalt-strike_cobaltstrike.exe	37
PID 384 wrote to memory of 2704	384	2024-06-03_0f933a019dbd6d700171506c1605310e_cobalt-strike_cobaltstrike.exe	37
PID 384 wrote to memory of 2784	384	2024-06-03_0f933a019dbd6d700171506c1605310e_cobalt-strike_cobaltstrike.exe	38
PID 384 wrote to memory of 2784	384	2024-06-03_0f933a019dbd6d700171506c1605310e_cobalt-strike_cobaltstrike.exe	38
PID 384 wrote to memory of 2784	384	2024-06-03_0f933a019dbd6d700171506c1605310e_cobalt-strike_cobaltstrike.exe	38
PID 384 wrote to memory of 2616	384	2024-06-03_0f933a019dbd6d700171506c1605310e_cobalt-strike_cobaltstrike.exe	39
PID 384 wrote to memory of 2616	384	2024-06-03_0f933a019dbd6d700171506c1605310e_cobalt-strike_cobaltstrike.exe	39
PID 384 wrote to memory of 2616	384	2024-06-03_0f933a019dbd6d700171506c1605310e_cobalt-strike_cobaltstrike.exe	39
PID 384 wrote to memory of 2508	384	2024-06-03_0f933a019dbd6d700171506c1605310e_cobalt-strike_cobaltstrike.exe	40
PID 384 wrote to memory of 2508	384	2024-06-03_0f933a019dbd6d700171506c1605310e_cobalt-strike_cobaltstrike.exe	40
PID 384 wrote to memory of 2508	384	2024-06-03_0f933a019dbd6d700171506c1605310e_cobalt-strike_cobaltstrike.exe	40
PID 384 wrote to memory of 2448	384	2024-06-03_0f933a019dbd6d700171506c1605310e_cobalt-strike_cobaltstrike.exe	41
PID 384 wrote to memory of 2448	384	2024-06-03_0f933a019dbd6d700171506c1605310e_cobalt-strike_cobaltstrike.exe	41
PID 384 wrote to memory of 2448	384	2024-06-03_0f933a019dbd6d700171506c1605310e_cobalt-strike_cobaltstrike.exe	41
PID 384 wrote to memory of 2528	384	2024-06-03_0f933a019dbd6d700171506c1605310e_cobalt-strike_cobaltstrike.exe	42
PID 384 wrote to memory of 2528	384	2024-06-03_0f933a019dbd6d700171506c1605310e_cobalt-strike_cobaltstrike.exe	42
PID 384 wrote to memory of 2528	384	2024-06-03_0f933a019dbd6d700171506c1605310e_cobalt-strike_cobaltstrike.exe	42
PID 384 wrote to memory of 2956	384	2024-06-03_0f933a019dbd6d700171506c1605310e_cobalt-strike_cobaltstrike.exe	43
PID 384 wrote to memory of 2956	384	2024-06-03_0f933a019dbd6d700171506c1605310e_cobalt-strike_cobaltstrike.exe	43
PID 384 wrote to memory of 2956	384	2024-06-03_0f933a019dbd6d700171506c1605310e_cobalt-strike_cobaltstrike.exe	43
PID 384 wrote to memory of 2124	384	2024-06-03_0f933a019dbd6d700171506c1605310e_cobalt-strike_cobaltstrike.exe	44
PID 384 wrote to memory of 2124	384	2024-06-03_0f933a019dbd6d700171506c1605310e_cobalt-strike_cobaltstrike.exe	44
PID 384 wrote to memory of 2124	384	2024-06-03_0f933a019dbd6d700171506c1605310e_cobalt-strike_cobaltstrike.exe	44
PID 384 wrote to memory of 2208	384	2024-06-03_0f933a019dbd6d700171506c1605310e_cobalt-strike_cobaltstrike.exe	45
PID 384 wrote to memory of 2208	384	2024-06-03_0f933a019dbd6d700171506c1605310e_cobalt-strike_cobaltstrike.exe	45
PID 384 wrote to memory of 2208	384	2024-06-03_0f933a019dbd6d700171506c1605310e_cobalt-strike_cobaltstrike.exe	45
PID 384 wrote to memory of 2836	384	2024-06-03_0f933a019dbd6d700171506c1605310e_cobalt-strike_cobaltstrike.exe	46
PID 384 wrote to memory of 2836	384	2024-06-03_0f933a019dbd6d700171506c1605310e_cobalt-strike_cobaltstrike.exe	46
PID 384 wrote to memory of 2836	384	2024-06-03_0f933a019dbd6d700171506c1605310e_cobalt-strike_cobaltstrike.exe	46
PID 384 wrote to memory of 2980	384	2024-06-03_0f933a019dbd6d700171506c1605310e_cobalt-strike_cobaltstrike.exe	47
PID 384 wrote to memory of 2980	384	2024-06-03_0f933a019dbd6d700171506c1605310e_cobalt-strike_cobaltstrike.exe	47
PID 384 wrote to memory of 2980	384	2024-06-03_0f933a019dbd6d700171506c1605310e_cobalt-strike_cobaltstrike.exe	47
PID 384 wrote to memory of 2944	384	2024-06-03_0f933a019dbd6d700171506c1605310e_cobalt-strike_cobaltstrike.exe	48
PID 384 wrote to memory of 2944	384	2024-06-03_0f933a019dbd6d700171506c1605310e_cobalt-strike_cobaltstrike.exe	48
PID 384 wrote to memory of 2944	384	2024-06-03_0f933a019dbd6d700171506c1605310e_cobalt-strike_cobaltstrike.exe	48
PID 384 wrote to memory of 2440	384	2024-06-03_0f933a019dbd6d700171506c1605310e_cobalt-strike_cobaltstrike.exe	49
PID 384 wrote to memory of 2440	384	2024-06-03_0f933a019dbd6d700171506c1605310e_cobalt-strike_cobaltstrike.exe	49
PID 384 wrote to memory of 2440	384	2024-06-03_0f933a019dbd6d700171506c1605310e_cobalt-strike_cobaltstrike.exe	49

C:\Users\Admin\AppData\Local\Temp\2024-06-03_0f933a019dbd6d700171506c1605310e_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-03_0f933a019dbd6d700171506c1605310e_cobalt-strike_cobaltstrike.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:384
- C:\Windows\System\taywOEu.exe
  C:\Windows\System\taywOEu.exe
  2⤵
  - Executes dropped EXE
  PID:1856
- C:\Windows\System\XLHIuxv.exe
  C:\Windows\System\XLHIuxv.exe
  2⤵
  - Executes dropped EXE
  PID:1708
- C:\Windows\System\XrOIBnq.exe
  C:\Windows\System\XrOIBnq.exe
  2⤵
  - Executes dropped EXE
  PID:1948
- C:\Windows\System\twRlrQS.exe
  C:\Windows\System\twRlrQS.exe
  2⤵
  - Executes dropped EXE
  PID:2176
- C:\Windows\System\mpzfgYG.exe
  C:\Windows\System\mpzfgYG.exe
  2⤵
  - Executes dropped EXE
  PID:2556
- C:\Windows\System\GltWjnH.exe
  C:\Windows\System\GltWjnH.exe
  2⤵
  - Executes dropped EXE
  PID:2652
- C:\Windows\System\RssdCEd.exe
  C:\Windows\System\RssdCEd.exe
  2⤵
  - Executes dropped EXE
  PID:2324
- C:\Windows\System\DYuUGSz.exe
  C:\Windows\System\DYuUGSz.exe
  2⤵
  - Executes dropped EXE
  PID:2612
- C:\Windows\System\YxXcyPu.exe
  C:\Windows\System\YxXcyPu.exe
  2⤵
  - Executes dropped EXE
  PID:2704
- C:\Windows\System\suXibPn.exe
  C:\Windows\System\suXibPn.exe
  2⤵
  - Executes dropped EXE
  PID:2784
- C:\Windows\System\GRZiBEV.exe
  C:\Windows\System\GRZiBEV.exe
  2⤵
  - Executes dropped EXE
  PID:2616
- C:\Windows\System\CLpmllq.exe
  C:\Windows\System\CLpmllq.exe
  2⤵
  - Executes dropped EXE
  PID:2508
- C:\Windows\System\WofIZeE.exe
  C:\Windows\System\WofIZeE.exe
  2⤵
  - Executes dropped EXE
  PID:2448
- C:\Windows\System\vIAvbrx.exe
  C:\Windows\System\vIAvbrx.exe
  2⤵
  - Executes dropped EXE
  PID:2528
- C:\Windows\System\SnUZmaK.exe
  C:\Windows\System\SnUZmaK.exe
  2⤵
  - Executes dropped EXE
  PID:2956
- C:\Windows\System\QCrcLTd.exe
  C:\Windows\System\QCrcLTd.exe
  2⤵
  - Executes dropped EXE
  PID:2124
- C:\Windows\System\ItEYTPZ.exe
  C:\Windows\System\ItEYTPZ.exe
  2⤵
  - Executes dropped EXE
  PID:2208
- C:\Windows\System\LJWefHo.exe
  C:\Windows\System\LJWefHo.exe
  2⤵
  - Executes dropped EXE
  PID:2836
- C:\Windows\System\ynWGFPi.exe
  C:\Windows\System\ynWGFPi.exe
  2⤵
  - Executes dropped EXE
  PID:2980
- C:\Windows\System\iEtOyqm.exe
  C:\Windows\System\iEtOyqm.exe
  2⤵
  - Executes dropped EXE
  PID:2944
- C:\Windows\System\ZeQvmLp.exe
  C:\Windows\System\ZeQvmLp.exe
  2⤵
  - Executes dropped EXE
  PID:2440

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\DYuUGSz.exe

Filesize
5.2MB

MD5
a105beda8470c14c1540d8da3482eb36

SHA1
5b941d5df41f30aeb3230184cc7da027980cb2ef

SHA256
7f1091982dae827efaf9b71a45afac9a6c4953e60c7e7c8a1fa2147a424e1dd4

SHA512
bdd5ae50e72ceba00a636f6806ae3aa10501655b69dc635372876fdfa29d510f84a856636e2ad696923b20cb4f3213e6771c7cf217a447272eed7a15ad767976

Download Submit
C:\Windows\system\GRZiBEV.exe

Filesize
5.2MB

MD5
e3dfbeea373367b3f874a0d75fe35910

SHA1
accababf03e0565dbf2b34ed4a1693dbb6a47fa9

SHA256
1b0b98b1ddf3269cf150c337cb317bda16e33cafe53f33a820ebaa386c4e8bc7

SHA512
92a6018bf808b8fbf1b18bac7a5d4dc504fdcfcddbd72585a870f20964e5da652a857b039bb46a9edc061e54e4d42edc66eaf993e9de61d87fb5a9f4a9b6ce32

Download Submit
C:\Windows\system\GltWjnH.exe

Filesize
5.2MB

MD5
6d36c638fdc654644f9ebd9aefd5f937

SHA1
7591989a996bbbe6a01b17ca742302365a0c2773

SHA256
f7580bd76e1b025f88b51409ab11efe96ea6ee41d431f9cf1a364e1795fceb57

SHA512
16dd9baac5052379ed294b2be5f45ef70018a98093c0a5041b7e5899f73240d5510bd5d598af6578211da1b0592e2991ffa6dc48e4a5545f38d9bca9da0d83a1

Download Submit
C:\Windows\system\ItEYTPZ.exe

Filesize
5.2MB

MD5
f447bfdecdc57737dd43f3d6fa8a41aa

SHA1
1d494f2e7f5e0ec71a9e29c34d0d3132835dae73

SHA256
46e635cff31e79d94171dae44f0111a8dce47a37d168e15264f7d85da2698438

SHA512
8edc85fd5aa9ca1c85f4eed6c1b5526ad47d9e22375a50a6ac9025f21c87f342283f7a98321377d0b6686b13512c60ce0bb681b2ea250f4432c71caa10f24f66

Download Submit
C:\Windows\system\RssdCEd.exe

Filesize
5.2MB

MD5
9fab863016b590fe8442062de3fc4004

SHA1
ec675e4ca734871ef123ae46afeb5ae551281e31

SHA256
125d506e40a095404c306def8d893f07ed15ed7e49d5dfa3bd4828f4f43a4e79

SHA512
3cdbd6c2567c01c20d0fcdbb6dfd7ed0227a5a3f8fa72ad4927fb2d3f53045249bcca7d1484beb44a655268347ea8be7b28d8797e39b760d337be2b70f957c66

Download Submit
C:\Windows\system\SnUZmaK.exe

Filesize
5.2MB

MD5
4c72d554b04b5fba0b272a6deaa8c4d8

SHA1
cef96b3d5a3bf862efacdd60f58e133bea0fe3fd

SHA256
d2da3579edd8977a183b54d8f10a20dabbdce950364cac71a08ae2e96bc6456a

SHA512
37d0c32bc02a36cd7258d7952d46cfb5dd2cbe9a87c88dc9d8a60f1e1a5f7290034340957cb615956408252b6ccf30f232ebbaa707a704257cf321bb7efb5817

Download Submit
C:\Windows\system\WofIZeE.exe

Filesize
5.2MB

MD5
1d1cb64ebc13e096f990b6610938b894

SHA1
99502af78bae713b2bc3ec5bbc04cb66f86c01d8

SHA256
a9eb4feb62b3f1b957791543f225340dcd83d147082fbb4733901b1c754ee28b

SHA512
21ddac2ce7717f6be126ba81b8aa9dad886fb945204c741355a10428a4c1a092368ca97429a594ab4112cdc11315ee635ece2c5a33afe427c028f7bb03a466b0

Download Submit
C:\Windows\system\XLHIuxv.exe

Filesize
5.2MB

MD5
1c2922ecfebd8128fa4430f76434a69b

SHA1
aa7cf51dc92f1e21d6cc57e02b9b621ae1cb2295

SHA256
71ffa375e7b5ac6035da609f87244abbb70121f6d99cb5980250a530ef0f3352

SHA512
874c826188f739d8c9edd0c3fda637d1112a0cf126afa18133daf6304265f2392c6bdc82e94b93601ab2d9a77fcd45ba61db235fe349a0f735f8ae2c54b6ffb1

Download Submit
C:\Windows\system\XrOIBnq.exe

Filesize
5.2MB

MD5
f87a1f0a7767b95f9d9928edb2e43d77

SHA1
490a12779b074f5f5e91bd6194383b86927551ee

SHA256
daf9a30d9bbcbeae8e6a1b7c4db92c1b6fb23a428321747d682be72070da3d02

SHA512
c787be9601f15023648129eceaaf9bc82fe84de88fa502aedea940f97fa959112e8876a99bc5d5f3ca6f6b32cb7c74bff9d64e2af34595e817f87fe2859b6997

Download Submit
C:\Windows\system\YxXcyPu.exe

Filesize
5.2MB

MD5
530a8f98782864d618312b50899a61d1

SHA1
f8a0aefef66a1ee0e2825229f2cea9df18ca8d6a

SHA256
6d2a9e2aee7cebfb757b6a2feaf70b936b35bd0793b971937a4f3d9a0d6f48a5

SHA512
c6c0fb0cd8a7932230f329556864c616c428633050ded528c9c6320928f8e43e00f7a3186f7767f823d379e96db870686ad24f1430dfcd6a989fa1d07410acbb

Download Submit
C:\Windows\system\ZeQvmLp.exe

Filesize
5.2MB

MD5
d95a74e4c71875eba75ccb58b1e82ecc

SHA1
337ca104d7168b61c474b4392e7c634c61a27035

SHA256
aae96575ebd10eb4fbcda6ac658caf3b8471c87d32645318d2109efd837d8027

SHA512
a3e974efef65038e39c7ce118a6b142539876ff76f6c1e4a4ee71806a8abd750c8efe9d4e93ed6b0ab2eda5c667b33f09d6062449b2cc62d315f31bb71e2474c

Download Submit
C:\Windows\system\mpzfgYG.exe

Filesize
5.2MB

MD5
465ff5a9196068c62c14fff7b4d5a41b

SHA1
e5605152015127c9d58a25450dafb514ec02b98d

SHA256
8f6075ce6a9b94457a4f6b7a01e24abcf992a232c865b8afb85302b70b2ffa09

SHA512
e6baad5f3c130f8c487e4f3dc1c578e6eaac11f53684b6a6242b9b7abd14fe32bb54f8b70bc5d2ac2114dd0452a1cc225ed8996c47e579dd1677214d7e1fb9e5

Download Submit
C:\Windows\system\twRlrQS.exe

Filesize
5.2MB

MD5
6e2ea008b28f71c0fee561c98e46db9f

SHA1
073c1173c0608055f67c15febbd7f45764bd2556

SHA256
856d470c62d73039fb91e3845c1dde77fe06e62a720c425b6a951362828b5010

SHA512
b956c86a36ba00d30515b1cc7aa2833eb4ba8380723b1c621c825ef99668aba1292be4db08119ae1acf6dd3cce9b834c433247408bf3dbadba30eb25d34c26d9

Download Submit
C:\Windows\system\ynWGFPi.exe

Filesize
5.2MB

MD5
f786eb1a984294c5cec3bb54dcd333be

SHA1
9435fab06594e888e1c6941880e9b859b81d9cfb

SHA256
d78b7b5b54d184f3d584bd19d5426383d49bfaed83dca647a1288e3f691e2855

SHA512
76b94330d72ce4185b1de302a7298d789974aea60dc9461129564050fd4185cffa43725faf854f56e71792eb045cbf03eff7a7ce0144e5364a2306b6746529a2

Download Submit
\Windows\system\CLpmllq.exe

Filesize
5.2MB

MD5
c2c307daa9ec1917cfb97491f178b678

SHA1
3491cd3d3ca51abe800e88cc547549c149774532

SHA256
9e081239522c1bcc5c1caef02a425ad521c6b207d29da8577658e85e6176ede4

SHA512
e9d4383881be8033b44fb3695e01f4208e5a2113a25b2bfdf9f549d29c56e4da88ebe09695dc0562af2cd2d2ad4313ce8f86a98b9f282084a9c8cd5083f4aecd

Download Submit
\Windows\system\LJWefHo.exe

Filesize
5.2MB

MD5
c0d1a25163d1a946c3f261cd04e13de0

SHA1
37eb546df23563abbe18e2315fb550f794dddcf3

SHA256
3a4b931dc95e06c3c446cff4e2e77f8e9addd026cb2e61e0cd8b3b845320d397

SHA512
2d5a6fa385be9cc2275ea31fee619bade6201dc06e1479b2c39b1d080534b1ca26bee6fb6feac145ce9cebde3de306d3d756f21adadcb5a8d11763d14100fd44

Download Submit
\Windows\system\QCrcLTd.exe

Filesize
5.2MB

MD5
f2d090362b57ce6e5fb2c2ebf04fcf9f

SHA1
ee919508ac44774aad696b570f784652c6047fb9

SHA256
176bdb562cf3be4bd3cb58f9268cb469e3fc9cb3b0b13762a90e0d86a7fd43db

SHA512
424f45d63245f201e36a755127a7cc42054d146ec7dd52e3b39273ce71f78a8122e08ade0b8cdf99ac68c4381f431daf76fb06ec1994f9e15828e7b53d00862b

Download Submit
\Windows\system\iEtOyqm.exe

Filesize
5.2MB

MD5
1df2cc6204822a816f92fc8808e62e1c

SHA1
19210170d3e4b8e2e23f7826dc3343951b030381

SHA256
d179a3d3ed9dfa348f156c8efd02b5f10981edc1a15994ab72858c5c7686485c

SHA512
e0a0bfa2ba79ae2b5905e8345b9e2a291e728ca114ebe216fbe4d3f2870ffb2daedb0b6b3e4a4019da6e6456710aee37ed04059feae514941251425996a8b7c6

Download Submit
\Windows\system\suXibPn.exe

Filesize
5.2MB

MD5
568067c4191924986d96c68fcc4dfb6f

SHA1
b400bb058f59520c385315926c4af947c72ff892

SHA256
71cafdb5c8b556d95ce6d1b077af716aedfcbb4ccc47a559374f39142e34bcb1

SHA512
006b5c18aaf4b27e9d7b11f4231ed07d8e43e6c38534053faa0efde7ea3e3e829c773ec732b27c9e88df2cdd3900179fc405e1a905fc867e44e11cdd69187176

Download Submit
\Windows\system\taywOEu.exe

Filesize
5.2MB

MD5
0c0a1c0fa844c3c23724781c66355e06

SHA1
9add278bfdb3b97d66fca0598a00da30d2449df1

SHA256
0eab97fe9c32d86cbbbd9a017c00329a00136a20e703c73cdef0d73019ddb42a

SHA512
85e127d1f4233187faac18752dccdc7266ca9d0c720889df259b25a7c880f4b8aa220d7977be3613cbb6db633438463d36073efe2a27a3277e275ec4168e7992

Download Submit
\Windows\system\vIAvbrx.exe

Filesize
5.2MB

MD5
6964ee06af62c4fcaae10ec9d0ceea3a

SHA1
f8537fb08110dff27804822e35e219c945981e1b

SHA256
3724c65534e44afa14b9e65124bc72fdd6031a6acd6fd2581026255b29b4f5fe

SHA512
5eb330bff82e8b565c55b50188dda5c2cdb2e34b56d63d72ed697c3d078cb4ca98b1c86c38f4599826ab4bfd5b61b67f7343c75cee5b67b78999e4280ca85eca

Download Submit
memory/384-119-0x000000013F190000-0x000000013F4E1000-memory.dmp

Filesize
3.3MB

Download
memory/384-131-0x000000013FE50000-0x00000001401A1000-memory.dmp

Filesize
3.3MB

Download
memory/384-112-0x000000013F860000-0x000000013FBB1000-memory.dmp

Filesize
3.3MB

Download
memory/384-111-0x000000013F540000-0x000000013F891000-memory.dmp

Filesize
3.3MB

Download
memory/384-176-0x000000013FA10000-0x000000013FD61000-memory.dmp

Filesize
3.3MB

Download
memory/384-154-0x000000013FE50000-0x00000001401A1000-memory.dmp

Filesize
3.3MB

Download
memory/384-153-0x000000013FE50000-0x00000001401A1000-memory.dmp

Filesize
3.3MB

Download
memory/384-107-0x000000013F590000-0x000000013F8E1000-memory.dmp

Filesize
3.3MB

Download
memory/384-106-0x0000000002270000-0x00000000025C1000-memory.dmp

Filesize
3.3MB

Download
memory/384-105-0x000000013FA90000-0x000000013FDE1000-memory.dmp

Filesize
3.3MB

Download
memory/384-38-0x000000013F2E0000-0x000000013F631000-memory.dmp

Filesize
3.3MB

Download
memory/384-115-0x000000013F030000-0x000000013F381000-memory.dmp

Filesize
3.3MB

Download
memory/384-117-0x000000013FA10000-0x000000013FD61000-memory.dmp

Filesize
3.3MB

Download
memory/384-118-0x000000013FAC0000-0x000000013FE11000-memory.dmp

Filesize
3.3MB

Download
memory/384-0-0x000000013FE50000-0x00000001401A1000-memory.dmp

Filesize
3.3MB

Download
memory/384-57-0x000000013F580000-0x000000013F8D1000-memory.dmp

Filesize
3.3MB

Download
memory/384-34-0x000000013F540000-0x000000013F891000-memory.dmp

Filesize
3.3MB

Download
memory/384-1-0x00000000000F0000-0x0000000000100000-memory.dmp

Filesize
64KB

Download
memory/384-28-0x0000000002270000-0x00000000025C1000-memory.dmp

Filesize
3.3MB

Download
memory/384-27-0x000000013F8A0000-0x000000013FBF1000-memory.dmp

Filesize
3.3MB

Download
memory/1708-202-0x000000013FC40000-0x000000013FF91000-memory.dmp

Filesize
3.3MB

Download
memory/1708-33-0x000000013FC40000-0x000000013FF91000-memory.dmp

Filesize
3.3MB

Download
memory/1856-116-0x000000013F8A0000-0x000000013FBF1000-memory.dmp

Filesize
3.3MB

Download
memory/1856-201-0x000000013F8A0000-0x000000013FBF1000-memory.dmp

Filesize
3.3MB

Download
memory/1948-43-0x000000013F540000-0x000000013F891000-memory.dmp

Filesize
3.3MB

Download
memory/1948-204-0x000000013F540000-0x000000013F891000-memory.dmp

Filesize
3.3MB

Download
memory/2124-147-0x000000013FE80000-0x00000001401D1000-memory.dmp

Filesize
3.3MB

Download
memory/2176-208-0x000000013F2E0000-0x000000013F631000-memory.dmp

Filesize
3.3MB

Download
memory/2176-85-0x000000013F2E0000-0x000000013F631000-memory.dmp

Filesize
3.3MB

Download
memory/2208-148-0x000000013F030000-0x000000013F381000-memory.dmp

Filesize
3.3MB

Download
memory/2324-210-0x000000013FCC0000-0x0000000140011000-memory.dmp

Filesize
3.3MB

Download
memory/2324-104-0x000000013FCC0000-0x0000000140011000-memory.dmp

Filesize
3.3MB

Download
memory/2440-152-0x000000013F880000-0x000000013FBD1000-memory.dmp

Filesize
3.3MB

Download
memory/2448-114-0x000000013FB90000-0x000000013FEE1000-memory.dmp

Filesize
3.3MB

Download
memory/2448-235-0x000000013FB90000-0x000000013FEE1000-memory.dmp

Filesize
3.3MB

Download
memory/2508-143-0x000000013F590000-0x000000013F8E1000-memory.dmp

Filesize
3.3MB

Download
memory/2528-145-0x000000013F540000-0x000000013F891000-memory.dmp

Filesize
3.3MB

Download
memory/2556-81-0x000000013F580000-0x000000013F8D1000-memory.dmp

Filesize
3.3MB

Download
memory/2556-206-0x000000013F580000-0x000000013F8D1000-memory.dmp

Filesize
3.3MB

Download
memory/2612-139-0x000000013FA10000-0x000000013FD61000-memory.dmp

Filesize
3.3MB

Download
memory/2616-212-0x000000013FF00000-0x0000000140251000-memory.dmp

Filesize
3.3MB

Download
memory/2616-110-0x000000013FF00000-0x0000000140251000-memory.dmp

Filesize
3.3MB

Download
memory/2652-108-0x000000013FD00000-0x0000000140051000-memory.dmp

Filesize
3.3MB

Download
memory/2652-221-0x000000013FD00000-0x0000000140051000-memory.dmp

Filesize
3.3MB

Download
memory/2704-109-0x000000013FAC0000-0x000000013FE11000-memory.dmp

Filesize
3.3MB

Download
memory/2704-231-0x000000013FAC0000-0x000000013FE11000-memory.dmp

Filesize
3.3MB

Download
memory/2784-141-0x000000013FA90000-0x000000013FDE1000-memory.dmp

Filesize
3.3MB

Download
memory/2836-149-0x000000013F190000-0x000000013F4E1000-memory.dmp

Filesize
3.3MB

Download
memory/2944-151-0x000000013F730000-0x000000013FA81000-memory.dmp

Filesize
3.3MB

Download
memory/2956-146-0x000000013F860000-0x000000013FBB1000-memory.dmp

Filesize
3.3MB

Download
memory/2980-150-0x000000013FD90000-0x00000001400E1000-memory.dmp

Filesize
3.3MB

Download