cobaltstrike | 011659e6c926b40e18b2aef593382a6681c1597fcb3ebe4afd6084a14cb14d3f

Analysis

max time kernel
137s
max time network
147s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
04-06-2024 03:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe
Size

5.9MB
MD5

947e17fe710720ba9b91c4d81cf92ff1
SHA1

bc786d22c1fc3182e3ff2ba577705ef66ae637e0
SHA256

011659e6c926b40e18b2aef593382a6681c1597fcb3ebe4afd6084a14cb14d3f
SHA512

bc632fcc3b1499e503fae020934f882eed2974ac2d7a1327b852048e3f620ee5195e7dd7f326f0747b8723c7ec01fe96c8aca00caf4381b75002bac4b54fa3a6
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lU/:Q+856utgpPF8u/7/

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x000b000000014323-3.dat	cobalt_reflective_dll
behavioral1/files/0x00070000000149e1-21.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000014b10-29.dat	cobalt_reflective_dll
behavioral1/files/0x000700000001480e-19.dat	cobalt_reflective_dll
behavioral1/files/0x0035000000014588-12.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000014b36-38.dat	cobalt_reflective_dll
behavioral1/files/0x0009000000014dae-41.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015c85-53.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015c93-58.dat	cobalt_reflective_dll
behavioral1/files/0x0035000000014662-67.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015cce-90.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015cbd-108.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015d44-129.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015d4c-132.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015d24-124.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015cf5-114.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015cd9-111.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015d0c-117.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015ce3-105.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015c9c-74.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015cb0-78.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

resource	yara_rule
behavioral1/files/0x000b000000014323-3.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x00070000000149e1-21.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000014b10-29.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x000700000001480e-19.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0035000000014588-12.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000014b36-38.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0009000000014dae-41.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000015c85-53.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015c93-58.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0035000000014662-67.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015cce-90.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015cbd-108.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015d44-129.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015d4c-132.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015d24-124.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015cf5-114.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015cd9-111.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015d0c-117.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015ce3-105.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015c9c-74.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015cb0-78.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 51 IoCs

resource	yara_rule
behavioral1/memory/1804-0-0x000000013F340000-0x000000013F694000-memory.dmp	UPX
behavioral1/files/0x000b000000014323-3.dat	UPX
behavioral1/memory/2256-9-0x000000013F540000-0x000000013F894000-memory.dmp	UPX
behavioral1/memory/1116-26-0x000000013FE00000-0x0000000140154000-memory.dmp	UPX
behavioral1/files/0x00070000000149e1-21.dat	UPX
behavioral1/memory/2688-34-0x000000013F9D0000-0x000000013FD24000-memory.dmp	UPX
behavioral1/files/0x0007000000014b10-29.dat	UPX
behavioral1/memory/3048-20-0x000000013FBB0000-0x000000013FF04000-memory.dmp	UPX
behavioral1/files/0x000700000001480e-19.dat	UPX
behavioral1/files/0x0035000000014588-12.dat	UPX
behavioral1/files/0x0007000000014b36-38.dat	UPX
behavioral1/files/0x0009000000014dae-41.dat	UPX
behavioral1/memory/2744-48-0x000000013F780000-0x000000013FAD4000-memory.dmp	UPX
behavioral1/memory/2596-49-0x000000013F4A0000-0x000000013F7F4000-memory.dmp	UPX
behavioral1/memory/2656-46-0x000000013FCC0000-0x0000000140014000-memory.dmp	UPX
behavioral1/files/0x0007000000015c85-53.dat	UPX
behavioral1/files/0x0006000000015c93-58.dat	UPX
behavioral1/files/0x0035000000014662-67.dat	UPX
behavioral1/memory/1804-70-0x000000013F340000-0x000000013F694000-memory.dmp	UPX
behavioral1/memory/1116-91-0x000000013FE00000-0x0000000140154000-memory.dmp	UPX
behavioral1/files/0x0006000000015cce-90.dat	UPX
behavioral1/files/0x0006000000015cbd-108.dat	UPX
behavioral1/files/0x0006000000015d44-129.dat	UPX
behavioral1/files/0x0006000000015d4c-132.dat	UPX
behavioral1/files/0x0006000000015d24-124.dat	UPX
behavioral1/files/0x0006000000015cf5-114.dat	UPX
behavioral1/files/0x0006000000015cd9-111.dat	UPX
behavioral1/memory/2940-100-0x000000013F1E0000-0x000000013F534000-memory.dmp	UPX
behavioral1/files/0x0006000000015d0c-117.dat	UPX
behavioral1/memory/2024-88-0x000000013FDE0000-0x0000000140134000-memory.dmp	UPX
behavioral1/files/0x0006000000015ce3-105.dat	UPX
behavioral1/files/0x0006000000015c9c-74.dat	UPX
behavioral1/memory/2836-83-0x000000013FF30000-0x0000000140284000-memory.dmp	UPX
behavioral1/memory/2976-82-0x000000013F0F0000-0x000000013F444000-memory.dmp	UPX
behavioral1/files/0x0006000000015cb0-78.dat	UPX
behavioral1/memory/2532-64-0x000000013F730000-0x000000013FA84000-memory.dmp	UPX
behavioral1/memory/3020-57-0x000000013FF00000-0x0000000140254000-memory.dmp	UPX
behavioral1/memory/2940-138-0x000000013F1E0000-0x000000013F534000-memory.dmp	UPX
behavioral1/memory/2256-140-0x000000013F540000-0x000000013F894000-memory.dmp	UPX
behavioral1/memory/3048-141-0x000000013FBB0000-0x000000013FF04000-memory.dmp	UPX
behavioral1/memory/1116-142-0x000000013FE00000-0x0000000140154000-memory.dmp	UPX
behavioral1/memory/2688-143-0x000000013F9D0000-0x000000013FD24000-memory.dmp	UPX
behavioral1/memory/2656-144-0x000000013FCC0000-0x0000000140014000-memory.dmp	UPX
behavioral1/memory/2744-145-0x000000013F780000-0x000000013FAD4000-memory.dmp	UPX
behavioral1/memory/2596-146-0x000000013F4A0000-0x000000013F7F4000-memory.dmp	UPX
behavioral1/memory/3020-147-0x000000013FF00000-0x0000000140254000-memory.dmp	UPX
behavioral1/memory/2532-148-0x000000013F730000-0x000000013FA84000-memory.dmp	UPX
behavioral1/memory/2976-149-0x000000013F0F0000-0x000000013F444000-memory.dmp	UPX
behavioral1/memory/2836-151-0x000000013FF30000-0x0000000140284000-memory.dmp	UPX
behavioral1/memory/2024-150-0x000000013FDE0000-0x0000000140134000-memory.dmp	UPX
behavioral1/memory/2940-152-0x000000013F1E0000-0x000000013F534000-memory.dmp	UPX

XMRig Miner payload 55 IoCs

miner

resource	yara_rule
behavioral1/memory/1804-0-0x000000013F340000-0x000000013F694000-memory.dmp	xmrig
behavioral1/files/0x000b000000014323-3.dat	xmrig
behavioral1/memory/2256-9-0x000000013F540000-0x000000013F894000-memory.dmp	xmrig
behavioral1/memory/1116-26-0x000000013FE00000-0x0000000140154000-memory.dmp	xmrig
behavioral1/files/0x00070000000149e1-21.dat	xmrig
behavioral1/memory/2688-34-0x000000013F9D0000-0x000000013FD24000-memory.dmp	xmrig
behavioral1/files/0x0007000000014b10-29.dat	xmrig
behavioral1/memory/3048-20-0x000000013FBB0000-0x000000013FF04000-memory.dmp	xmrig
behavioral1/files/0x000700000001480e-19.dat	xmrig
behavioral1/files/0x0035000000014588-12.dat	xmrig
behavioral1/files/0x0007000000014b36-38.dat	xmrig
behavioral1/files/0x0009000000014dae-41.dat	xmrig
behavioral1/memory/2744-48-0x000000013F780000-0x000000013FAD4000-memory.dmp	xmrig
behavioral1/memory/2596-49-0x000000013F4A0000-0x000000013F7F4000-memory.dmp	xmrig
behavioral1/memory/2656-46-0x000000013FCC0000-0x0000000140014000-memory.dmp	xmrig
behavioral1/files/0x0007000000015c85-53.dat	xmrig
behavioral1/files/0x0006000000015c93-58.dat	xmrig
behavioral1/files/0x0035000000014662-67.dat	xmrig
behavioral1/memory/1804-70-0x000000013F340000-0x000000013F694000-memory.dmp	xmrig
behavioral1/memory/1116-91-0x000000013FE00000-0x0000000140154000-memory.dmp	xmrig
behavioral1/files/0x0006000000015cce-90.dat	xmrig
behavioral1/files/0x0006000000015cbd-108.dat	xmrig
behavioral1/files/0x0006000000015d44-129.dat	xmrig
behavioral1/files/0x0006000000015d4c-132.dat	xmrig
behavioral1/files/0x0006000000015d24-124.dat	xmrig
behavioral1/files/0x0006000000015cf5-114.dat	xmrig
behavioral1/files/0x0006000000015cd9-111.dat	xmrig
behavioral1/memory/2940-100-0x000000013F1E0000-0x000000013F534000-memory.dmp	xmrig
behavioral1/files/0x0006000000015d0c-117.dat	xmrig
behavioral1/memory/2024-88-0x000000013FDE0000-0x0000000140134000-memory.dmp	xmrig
behavioral1/files/0x0006000000015ce3-105.dat	xmrig
behavioral1/memory/1804-84-0x000000013FDE0000-0x0000000140134000-memory.dmp	xmrig
behavioral1/files/0x0006000000015c9c-74.dat	xmrig
behavioral1/memory/2836-83-0x000000013FF30000-0x0000000140284000-memory.dmp	xmrig
behavioral1/memory/2976-82-0x000000013F0F0000-0x000000013F444000-memory.dmp	xmrig
behavioral1/memory/1804-79-0x0000000002570000-0x00000000028C4000-memory.dmp	xmrig
behavioral1/files/0x0006000000015cb0-78.dat	xmrig
behavioral1/memory/2532-64-0x000000013F730000-0x000000013FA84000-memory.dmp	xmrig
behavioral1/memory/3020-57-0x000000013FF00000-0x0000000140254000-memory.dmp	xmrig
behavioral1/memory/1804-137-0x000000013F9A0000-0x000000013FCF4000-memory.dmp	xmrig
behavioral1/memory/2940-138-0x000000013F1E0000-0x000000013F534000-memory.dmp	xmrig
behavioral1/memory/1804-139-0x000000013FED0000-0x0000000140224000-memory.dmp	xmrig
behavioral1/memory/2256-140-0x000000013F540000-0x000000013F894000-memory.dmp	xmrig
behavioral1/memory/3048-141-0x000000013FBB0000-0x000000013FF04000-memory.dmp	xmrig
behavioral1/memory/1116-142-0x000000013FE00000-0x0000000140154000-memory.dmp	xmrig
behavioral1/memory/2688-143-0x000000013F9D0000-0x000000013FD24000-memory.dmp	xmrig
behavioral1/memory/2656-144-0x000000013FCC0000-0x0000000140014000-memory.dmp	xmrig
behavioral1/memory/2744-145-0x000000013F780000-0x000000013FAD4000-memory.dmp	xmrig
behavioral1/memory/2596-146-0x000000013F4A0000-0x000000013F7F4000-memory.dmp	xmrig
behavioral1/memory/3020-147-0x000000013FF00000-0x0000000140254000-memory.dmp	xmrig
behavioral1/memory/2532-148-0x000000013F730000-0x000000013FA84000-memory.dmp	xmrig
behavioral1/memory/2976-149-0x000000013F0F0000-0x000000013F444000-memory.dmp	xmrig
behavioral1/memory/2836-151-0x000000013FF30000-0x0000000140284000-memory.dmp	xmrig
behavioral1/memory/2024-150-0x000000013FDE0000-0x0000000140134000-memory.dmp	xmrig
behavioral1/memory/2940-152-0x000000013F1E0000-0x000000013F534000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2256	lezPnHA.exe
3048	cDcIWSh.exe
1116	LqDXJnC.exe
2688	ZuEkcGf.exe
2656	FhMYgIZ.exe
2744	CSXTFgA.exe
2596	cNAcINR.exe
3020	gNHXagW.exe
2532	envacxU.exe
2976	zbDkAWR.exe
2024	RfkNURP.exe
2836	AnZdkkN.exe
2940	rtkanEL.exe
1668	vFoWjPJ.exe
2848	diWHIrL.exe
1812	NzjMDmB.exe
1432	ixeHdiD.exe
1740	BDGtHCg.exe
2528	abyoCQr.exe
1748	UtIeDaf.exe
312	QQNuPOG.exe

Loads dropped DLL 21 IoCs

pid	Process
1804	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe
1804	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe
1804	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe
1804	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe
1804	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe
1804	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe
1804	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe
1804	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe
1804	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe
1804	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe
1804	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe
1804	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe
1804	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe
1804	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe
1804	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe
1804	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe
1804	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe
1804	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe
1804	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe
1804	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe
1804	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe

UPX packed file 51 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1804-0-0x000000013F340000-0x000000013F694000-memory.dmp	upx
behavioral1/files/0x000b000000014323-3.dat	upx
behavioral1/memory/2256-9-0x000000013F540000-0x000000013F894000-memory.dmp	upx
behavioral1/memory/1116-26-0x000000013FE00000-0x0000000140154000-memory.dmp	upx
behavioral1/files/0x00070000000149e1-21.dat	upx
behavioral1/memory/2688-34-0x000000013F9D0000-0x000000013FD24000-memory.dmp	upx
behavioral1/files/0x0007000000014b10-29.dat	upx
behavioral1/memory/3048-20-0x000000013FBB0000-0x000000013FF04000-memory.dmp	upx
behavioral1/files/0x000700000001480e-19.dat	upx
behavioral1/files/0x0035000000014588-12.dat	upx
behavioral1/files/0x0007000000014b36-38.dat	upx
behavioral1/files/0x0009000000014dae-41.dat	upx
behavioral1/memory/2744-48-0x000000013F780000-0x000000013FAD4000-memory.dmp	upx
behavioral1/memory/2596-49-0x000000013F4A0000-0x000000013F7F4000-memory.dmp	upx
behavioral1/memory/2656-46-0x000000013FCC0000-0x0000000140014000-memory.dmp	upx
behavioral1/files/0x0007000000015c85-53.dat	upx
behavioral1/files/0x0006000000015c93-58.dat	upx
behavioral1/files/0x0035000000014662-67.dat	upx
behavioral1/memory/1804-70-0x000000013F340000-0x000000013F694000-memory.dmp	upx
behavioral1/memory/1116-91-0x000000013FE00000-0x0000000140154000-memory.dmp	upx
behavioral1/files/0x0006000000015cce-90.dat	upx
behavioral1/files/0x0006000000015cbd-108.dat	upx
behavioral1/files/0x0006000000015d44-129.dat	upx
behavioral1/files/0x0006000000015d4c-132.dat	upx
behavioral1/files/0x0006000000015d24-124.dat	upx
behavioral1/files/0x0006000000015cf5-114.dat	upx
behavioral1/files/0x0006000000015cd9-111.dat	upx
behavioral1/memory/2940-100-0x000000013F1E0000-0x000000013F534000-memory.dmp	upx
behavioral1/files/0x0006000000015d0c-117.dat	upx
behavioral1/memory/2024-88-0x000000013FDE0000-0x0000000140134000-memory.dmp	upx
behavioral1/files/0x0006000000015ce3-105.dat	upx
behavioral1/files/0x0006000000015c9c-74.dat	upx
behavioral1/memory/2836-83-0x000000013FF30000-0x0000000140284000-memory.dmp	upx
behavioral1/memory/2976-82-0x000000013F0F0000-0x000000013F444000-memory.dmp	upx
behavioral1/files/0x0006000000015cb0-78.dat	upx
behavioral1/memory/2532-64-0x000000013F730000-0x000000013FA84000-memory.dmp	upx
behavioral1/memory/3020-57-0x000000013FF00000-0x0000000140254000-memory.dmp	upx
behavioral1/memory/2940-138-0x000000013F1E0000-0x000000013F534000-memory.dmp	upx
behavioral1/memory/2256-140-0x000000013F540000-0x000000013F894000-memory.dmp	upx
behavioral1/memory/3048-141-0x000000013FBB0000-0x000000013FF04000-memory.dmp	upx
behavioral1/memory/1116-142-0x000000013FE00000-0x0000000140154000-memory.dmp	upx
behavioral1/memory/2688-143-0x000000013F9D0000-0x000000013FD24000-memory.dmp	upx
behavioral1/memory/2656-144-0x000000013FCC0000-0x0000000140014000-memory.dmp	upx
behavioral1/memory/2744-145-0x000000013F780000-0x000000013FAD4000-memory.dmp	upx
behavioral1/memory/2596-146-0x000000013F4A0000-0x000000013F7F4000-memory.dmp	upx
behavioral1/memory/3020-147-0x000000013FF00000-0x0000000140254000-memory.dmp	upx
behavioral1/memory/2532-148-0x000000013F730000-0x000000013FA84000-memory.dmp	upx
behavioral1/memory/2976-149-0x000000013F0F0000-0x000000013F444000-memory.dmp	upx
behavioral1/memory/2836-151-0x000000013FF30000-0x0000000140284000-memory.dmp	upx
behavioral1/memory/2024-150-0x000000013FDE0000-0x0000000140134000-memory.dmp	upx
behavioral1/memory/2940-152-0x000000013F1E0000-0x000000013F534000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\lezPnHA.exe	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\LqDXJnC.exe	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\FhMYgIZ.exe	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\gNHXagW.exe	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\AnZdkkN.exe	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\rtkanEL.exe	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\cDcIWSh.exe	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ZuEkcGf.exe	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\CSXTFgA.exe	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\zbDkAWR.exe	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\diWHIrL.exe	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\BDGtHCg.exe	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\abyoCQr.exe	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\cNAcINR.exe	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\envacxU.exe	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\RfkNURP.exe	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\vFoWjPJ.exe	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ixeHdiD.exe	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\UtIeDaf.exe	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\QQNuPOG.exe	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\NzjMDmB.exe	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1804	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	1804	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 1804 wrote to memory of 2256	1804	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe	29
PID 1804 wrote to memory of 2256	1804	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe	29
PID 1804 wrote to memory of 2256	1804	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe	29
PID 1804 wrote to memory of 3048	1804	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe	30
PID 1804 wrote to memory of 3048	1804	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe	30
PID 1804 wrote to memory of 3048	1804	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe	30
PID 1804 wrote to memory of 1116	1804	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe	31
PID 1804 wrote to memory of 1116	1804	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe	31
PID 1804 wrote to memory of 1116	1804	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe	31
PID 1804 wrote to memory of 2656	1804	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe	32
PID 1804 wrote to memory of 2656	1804	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe	32
PID 1804 wrote to memory of 2656	1804	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe	32
PID 1804 wrote to memory of 2688	1804	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe	33
PID 1804 wrote to memory of 2688	1804	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe	33
PID 1804 wrote to memory of 2688	1804	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe	33
PID 1804 wrote to memory of 2744	1804	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe	34
PID 1804 wrote to memory of 2744	1804	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe	34
PID 1804 wrote to memory of 2744	1804	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe	34
PID 1804 wrote to memory of 2596	1804	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe	35
PID 1804 wrote to memory of 2596	1804	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe	35
PID 1804 wrote to memory of 2596	1804	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe	35
PID 1804 wrote to memory of 3020	1804	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe	36
PID 1804 wrote to memory of 3020	1804	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe	36
PID 1804 wrote to memory of 3020	1804	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe	36
PID 1804 wrote to memory of 2532	1804	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe	37
PID 1804 wrote to memory of 2532	1804	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe	37
PID 1804 wrote to memory of 2532	1804	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe	37
PID 1804 wrote to memory of 2976	1804	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe	38
PID 1804 wrote to memory of 2976	1804	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe	38
PID 1804 wrote to memory of 2976	1804	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe	38
PID 1804 wrote to memory of 2024	1804	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe	39
PID 1804 wrote to memory of 2024	1804	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe	39
PID 1804 wrote to memory of 2024	1804	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe	39
PID 1804 wrote to memory of 2836	1804	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe	40
PID 1804 wrote to memory of 2836	1804	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe	40
PID 1804 wrote to memory of 2836	1804	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe	40
PID 1804 wrote to memory of 2848	1804	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe	41
PID 1804 wrote to memory of 2848	1804	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe	41
PID 1804 wrote to memory of 2848	1804	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe	41
PID 1804 wrote to memory of 2940	1804	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe	42
PID 1804 wrote to memory of 2940	1804	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe	42
PID 1804 wrote to memory of 2940	1804	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe	42
PID 1804 wrote to memory of 1812	1804	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe	43
PID 1804 wrote to memory of 1812	1804	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe	43
PID 1804 wrote to memory of 1812	1804	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe	43
PID 1804 wrote to memory of 1668	1804	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe	44
PID 1804 wrote to memory of 1668	1804	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe	44
PID 1804 wrote to memory of 1668	1804	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe	44
PID 1804 wrote to memory of 1432	1804	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe	45
PID 1804 wrote to memory of 1432	1804	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe	45
PID 1804 wrote to memory of 1432	1804	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe	45
PID 1804 wrote to memory of 1740	1804	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe	46
PID 1804 wrote to memory of 1740	1804	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe	46
PID 1804 wrote to memory of 1740	1804	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe	46
PID 1804 wrote to memory of 2528	1804	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe	47
PID 1804 wrote to memory of 2528	1804	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe	47
PID 1804 wrote to memory of 2528	1804	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe	47
PID 1804 wrote to memory of 1748	1804	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe	48
PID 1804 wrote to memory of 1748	1804	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe	48
PID 1804 wrote to memory of 1748	1804	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe	48
PID 1804 wrote to memory of 312	1804	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe	49
PID 1804 wrote to memory of 312	1804	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe	49
PID 1804 wrote to memory of 312	1804	2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe	49

C:\Users\Admin\AppData\Local\Temp\2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-04_947e17fe710720ba9b91c4d81cf92ff1_cobalt-strike_cobaltstrike.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1804
- C:\Windows\System\lezPnHA.exe
  C:\Windows\System\lezPnHA.exe
  2⤵
  - Executes dropped EXE
  PID:2256
- C:\Windows\System\cDcIWSh.exe
  C:\Windows\System\cDcIWSh.exe
  2⤵
  - Executes dropped EXE
  PID:3048
- C:\Windows\System\LqDXJnC.exe
  C:\Windows\System\LqDXJnC.exe
  2⤵
  - Executes dropped EXE
  PID:1116
- C:\Windows\System\FhMYgIZ.exe
  C:\Windows\System\FhMYgIZ.exe
  2⤵
  - Executes dropped EXE
  PID:2656
- C:\Windows\System\ZuEkcGf.exe
  C:\Windows\System\ZuEkcGf.exe
  2⤵
  - Executes dropped EXE
  PID:2688
- C:\Windows\System\CSXTFgA.exe
  C:\Windows\System\CSXTFgA.exe
  2⤵
  - Executes dropped EXE
  PID:2744
- C:\Windows\System\cNAcINR.exe
  C:\Windows\System\cNAcINR.exe
  2⤵
  - Executes dropped EXE
  PID:2596
- C:\Windows\System\gNHXagW.exe
  C:\Windows\System\gNHXagW.exe
  2⤵
  - Executes dropped EXE
  PID:3020
- C:\Windows\System\envacxU.exe
  C:\Windows\System\envacxU.exe
  2⤵
  - Executes dropped EXE
  PID:2532
- C:\Windows\System\zbDkAWR.exe
  C:\Windows\System\zbDkAWR.exe
  2⤵
  - Executes dropped EXE
  PID:2976
- C:\Windows\System\RfkNURP.exe
  C:\Windows\System\RfkNURP.exe
  2⤵
  - Executes dropped EXE
  PID:2024
- C:\Windows\System\AnZdkkN.exe
  C:\Windows\System\AnZdkkN.exe
  2⤵
  - Executes dropped EXE
  PID:2836
- C:\Windows\System\diWHIrL.exe
  C:\Windows\System\diWHIrL.exe
  2⤵
  - Executes dropped EXE
  PID:2848
- C:\Windows\System\rtkanEL.exe
  C:\Windows\System\rtkanEL.exe
  2⤵
  - Executes dropped EXE
  PID:2940
- C:\Windows\System\NzjMDmB.exe
  C:\Windows\System\NzjMDmB.exe
  2⤵
  - Executes dropped EXE
  PID:1812
- C:\Windows\System\vFoWjPJ.exe
  C:\Windows\System\vFoWjPJ.exe
  2⤵
  - Executes dropped EXE
  PID:1668
- C:\Windows\System\ixeHdiD.exe
  C:\Windows\System\ixeHdiD.exe
  2⤵
  - Executes dropped EXE
  PID:1432
- C:\Windows\System\BDGtHCg.exe
  C:\Windows\System\BDGtHCg.exe
  2⤵
  - Executes dropped EXE
  PID:1740
- C:\Windows\System\abyoCQr.exe
  C:\Windows\System\abyoCQr.exe
  2⤵
  - Executes dropped EXE
  PID:2528
- C:\Windows\System\UtIeDaf.exe
  C:\Windows\System\UtIeDaf.exe
  2⤵
  - Executes dropped EXE
  PID:1748
- C:\Windows\System\QQNuPOG.exe
  C:\Windows\System\QQNuPOG.exe
  2⤵
  - Executes dropped EXE
  PID:312

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\AnZdkkN.exe

Filesize
5.9MB

MD5
45f093b34a361501ed8874871a9bf16a

SHA1
aec25a1df2f6d38a89f0b0335949d112a7970648

SHA256
004b78ac2bc3d04e6a056dddd90045b5a208d1840e341f7fe7177f316ff09b8a

SHA512
37fa000f8f0990bcaf263059e1e51b081a82f7912915910eaa04fed1e073f91a812dcaa22eab171e721500d9ae11889e03e0c9da2043cc18ee9f64d0d1e933f6

Download Submit
C:\Windows\system\BDGtHCg.exe

Filesize
5.9MB

MD5
14cc0ec5f02eaa23a2752b0609cf9490

SHA1
ca6aab07cbc2d74250bbbfc501c8399c72eda112

SHA256
0ccf7a1d956ef2756be7610b95d808d487836bf9055bc5d347befbce5a64be58

SHA512
2f572b1ce46caabc3811476c8ed217071d05b9d7239a862a8051df339b16e8fc1e8bc49bd7b41de35ecf01fac953e5def6080da8e9bf42de05d9940fcaf04248

Download Submit
C:\Windows\system\CSXTFgA.exe

Filesize
5.9MB

MD5
976fc5efb51216c5d84c9df470d1d03e

SHA1
86888bf90e7c9eacc424a081a3f188e809b37e9e

SHA256
f9aa6230081bf0a88276121b456ae96fa4235d3203303883c908914bad71dc7d

SHA512
ef66a93354ffe9fbbd7f9d54d744a9443e966033eeb2255ebf478bfdc78f3378f61de02e9629a2e5303d1e290191db9bba3b00b8e398a136407fcb5233864f2f

Download Submit
C:\Windows\system\LqDXJnC.exe

Filesize
5.9MB

MD5
52936190ddf17539b94c0fd1620ab4d2

SHA1
84d01cfd997acc5d1a77ad5012214cc113f9911f

SHA256
20ab060dacd2ab69b44e5a0856a6e490cdc4ced0602b8b02afc7a2c8dff4dbbd

SHA512
08928436c7e159e19e7af554827fca7be614a295dbf0bc53129dc5f0525c16c09f16c010166f819f732c29f8913c25e3be4424fe77f1595c7023f63ce2317d0f

Download Submit
C:\Windows\system\NzjMDmB.exe

Filesize
5.9MB

MD5
95021a04cc207dcc5aadd4679c1ec177

SHA1
e90a77acf39ddccffefea752d15b84aefe6865b4

SHA256
b7b985a61d998b22bd1c320564368d50ad6e4a35b46f7a202da09cd08a4539c2

SHA512
68dac300c0074254ae97cc96066a45080fe07e10e19688364e7819132a9d8e600d990d341c27f94b7d9ad8c060b3bdc8a2fb737adf978361a756e51b8aa4e694

Download Submit
C:\Windows\system\RfkNURP.exe

Filesize
5.9MB

MD5
1e9c3ee37ed88284b48d0360dfdc63f6

SHA1
a56094d1713090407b7df14164e60e1cb9125a4f

SHA256
a6f9ad057dc33a22df5bc2447e6f68251879a03cf12324b4d4bca189d90941cc

SHA512
9456ee4d6dec1dbc2b771441cc89c2f15c6d0542840719deafea6e1e40ccd064d88b9f733ecf2efae2fd882da775af6729495d89a244fd448acc698dfd271dcd

Download Submit
C:\Windows\system\UtIeDaf.exe

Filesize
5.9MB

MD5
1f60e302e2253feface44fbcd1cd9f05

SHA1
f79c59b9e253b0110dae53f6a9f63dccc7f178c6

SHA256
56209954a6da989f6a698540b90d6064bd243c4f1bb826ba115b6447c09d3651

SHA512
1eb7741cc1d77490178a035e57831d62023df799f8c2ad977f5071ea9fbe4d4722b30a04e1a333ee01698b0cfee48a9dcde455fbe715a8a71779a1514aecce59

Download Submit
C:\Windows\system\ZuEkcGf.exe

Filesize
5.9MB

MD5
0b23c64155e1c94ac2121580a4693ef7

SHA1
8d6aa393fcd27bda075a92890bb1e0e7ef16a856

SHA256
f12fcc19ade20955641ad13701609e1a34f067b60260cab58d74abe7c731123e

SHA512
0f80efa3f3e6b955c6887ffd29b24ee4e57f1537093451a499c0ce780e9c5cdcc99fd08149cd641b602a28cdd8b31d277b0d15cda7233f5bc2ffb7be97d4da68

Download Submit
C:\Windows\system\abyoCQr.exe

Filesize
5.9MB

MD5
2a43d985ecd9fee2376bf5bd0fb12bbe

SHA1
6f159bcaaa4a18ce5ab4493cc178c3bd672bec5a

SHA256
d26737aa3cb35568c6c79bcf367ef5f68c4b10415fa3e9133d4be35bbae8b6b8

SHA512
3a8fdaed4495251482630480e7d3e6efa28ab9042cae375d9ea3d8d53e9661e9d5ed770dd72c9491ee5083b030f8651e7fe878f0ebc6f37d85ec392135c7c577

Download Submit
C:\Windows\system\cDcIWSh.exe

Filesize
5.9MB

MD5
43c9bd4739ccaa6111f3a953ae5d863c

SHA1
7d0347ce00146fea982b4bf8866ba6026239dd30

SHA256
4ae845610b60f240c6070af22ed5599acbc5180129acd8079765f66b74d9e8d7

SHA512
ac7954b5ab6a4ed045f5e43e74f0770a05d1c7334c67810a30a9bb4ea914174c26f274cb996889d31260d54b8be440d5b70373fc7dedb2b12be0c8ad3c1595de

Download Submit
C:\Windows\system\diWHIrL.exe

Filesize
5.9MB

MD5
fb08b733e6068850e2d4f26bf22af0d9

SHA1
97b2b99a400fdfe5c0f6c295b80e574f1472261d

SHA256
7340c181a811a51243f4dfdd691d0ceaac2c58593a2efa78dd845cb8e699c411

SHA512
bec9d593b04021e1e2987cf5fe029957229a8e1c3559a19676bb2d041f61d373f377633f36f6e2d42a26db34157647fed926149a16455b201c3bb5e6b4b9a9c1

Download Submit
C:\Windows\system\gNHXagW.exe

Filesize
5.9MB

MD5
0ac82e4ecf7a84258ba1f5b72ec0430a

SHA1
a0f7d4125f43ade67cb1c31631bbfe241277e35c

SHA256
915f1c03c699e3ce8af211931646767f524ebf047bb2f771d5388ac64623bf5a

SHA512
dd0789b8da8aa1e1ba6e50db5eeb4e877ef648408e96c3b44a774715be4b4a86e5e8f247d0df10decab68af274aa0cabd899f03628acc6186f976e182594354f

Download Submit
C:\Windows\system\ixeHdiD.exe

Filesize
5.9MB

MD5
74a6c71b70d893d576f2ebe617687841

SHA1
764ef08aa74243a5b321b521e54d01d0d12c2852

SHA256
d6cc95c29f2ae7935cb1b2e95bfd0fa6bda1e95562e7018cd5c4fd004d5db2ad

SHA512
d59699bb95095bc95b1fce53197aff3415a2d80376719982150141982885025cbd5dad5b8372ad615a8425ab2f05ebc5eafc1c6f159c01e0cbeddd0ccca32b03

Download Submit
C:\Windows\system\vFoWjPJ.exe

Filesize
5.9MB

MD5
6a324b534fff9219483b5dec5a4af25b

SHA1
40a6ada3eb64d4bc3bc7f950ee83036de9cde5d2

SHA256
d3d59ef523315a227425fd0b40c97afb326e6595b8388f70af0fdb15e4422a45

SHA512
92cbdf6a7d232184104b93d0b7574393818b317d0018b01af490576e4409d3f549fdf7b38882b133f22f640a7ac0b1d310a950f0da6ccb2efb6e97d227bc6123

Download Submit
C:\Windows\system\zbDkAWR.exe

Filesize
5.9MB

MD5
f116627642cdba3276d3622a5bead665

SHA1
9c21ed8647afadee661a7d0e05493dc8df49f5d4

SHA256
bdc72b446df16c51978db2ce0e4497bb12261364c74ef7c988cf8f3435d33747

SHA512
1b470d7fec73f82d01a9dab6b84bb5c70fe625007ec2dc0d9e47744960f92adbadf4e07670a601325a1f062e8bc5ea05d24eb45c3eebd19ee92ea83e9ad428e9

Download Submit
\Windows\system\FhMYgIZ.exe

Filesize
5.9MB

MD5
91ee5ec3f9eb760853788460e1fcc4d3

SHA1
c94e15cd7be4a9de1eba04480ece071db4efd660

SHA256
2c1c096e4edc115ac30683557fe4594ef24c6a3537e3f22932e6de40efe65873

SHA512
791941f6aaba3c0c2a304aab4ed7dc7c7e76ea661666ffe7a59d0a9adff1f8647bd5e541cabe3f0033b4155f0453a47c4470020ed67bb8b33c5511fe81c95603

Download Submit
\Windows\system\QQNuPOG.exe

Filesize
5.9MB

MD5
110ec4f98f72e86e6967884e62589b5f

SHA1
6f89e9f15c78163d4fc1c2830fd92da597a98a22

SHA256
85b57eab2efac0d7d0e44939490a48a50759187c8932fa13a949439f765ffc0a

SHA512
d0ac90ff094d896d6bd784655247b0e2834d829caf9013fbd2c88c2d7204772231246e766a35592d769f664d3df262d8462ee70a27c295e340ff858599114742

Download Submit
\Windows\system\cNAcINR.exe

Filesize
5.9MB

MD5
d88b905c2f19e6c7ae9bdd965b8cf449

SHA1
98dbecc80bdceb58b1d9151bc5a3c1e679b5cfc7

SHA256
5193cc89ddc370dcf320eb2a1b11dfc282fe142483018911e9f358f1d30ea6a1

SHA512
c60d43da98091f8fdc006f78b31dd54c524315f86171e27c7c52eef67699295d5669e2a7e83901c2a8b7663ac4b30cd46335362ee9773b350bce2034488ab0f8

Download Submit
\Windows\system\envacxU.exe

Filesize
5.9MB

MD5
c6d7956138f81181107384d7a20451f2

SHA1
8db18272250907adbb9a0f78de72aae52a94ff2e

SHA256
b4909ebeee8250bb26a16df120976e7c38eac531db26d2dda1439e95659bf82d

SHA512
b37eecb1f27eb8904d98982153021c8407a9cf199f901b77ec71d84680908e96002a180f8ef2d472b0ec1b80730bc0aae0c3e28fd960f7aed1732d3775cef655

Download Submit
\Windows\system\lezPnHA.exe

Filesize
5.9MB

MD5
525e4e7cb123c131cc21b90b2c94204e

SHA1
c536edd7117502dbf592d18c8daf982fd4d3a3f3

SHA256
ff05b314d8a2ff95770d38dae388ec5ce13ab94f53825f63b74faffe1a049da6

SHA512
cb89e43a49f0e59e7c8232a10a939c2a4b5c01b17992430a9d54c5ceef4db8e0fd8f85ba50e57f7056eddfa188f3990c4ca619c95ac570f1a4db1a391daece33

Download Submit
\Windows\system\rtkanEL.exe

Filesize
5.9MB

MD5
2fe190bf92ea8c6f44e78dfd4820a418

SHA1
8865defd402363d24ea6758e73a3967bef46b035

SHA256
489bd0fdf473783fe9cc2680f07a0ac5eca6f66883f73a248b99013761d00188

SHA512
8e80d651e868d3aa781fdc3b8528f37bb2464cbc2f1fcdb7208d213405f7ef973994bd1b35045f55fc2474a70ee6ae3237e6bed55dbf553a5c4d0d20d4935994

Download Submit
memory/1116-142-0x000000013FE00000-0x0000000140154000-memory.dmp

Filesize
3.3MB

Download
memory/1116-26-0x000000013FE00000-0x0000000140154000-memory.dmp

Filesize
3.3MB

Download
memory/1116-91-0x000000013FE00000-0x0000000140154000-memory.dmp

Filesize
3.3MB

Download
memory/1804-136-0x0000000002570000-0x00000000028C4000-memory.dmp

Filesize
3.3MB

Download
memory/1804-79-0x0000000002570000-0x00000000028C4000-memory.dmp

Filesize
3.3MB

Download
memory/1804-70-0x000000013F340000-0x000000013F694000-memory.dmp

Filesize
3.3MB

Download
memory/1804-1-0x00000000000F0000-0x0000000000100000-memory.dmp

Filesize
64KB

Download
memory/1804-47-0x000000013F780000-0x000000013FAD4000-memory.dmp

Filesize
3.3MB

Download
memory/1804-50-0x0000000002570000-0x00000000028C4000-memory.dmp

Filesize
3.3MB

Download
memory/1804-139-0x000000013FED0000-0x0000000140224000-memory.dmp

Filesize
3.3MB

Download
memory/1804-137-0x000000013F9A0000-0x000000013FCF4000-memory.dmp

Filesize
3.3MB

Download
memory/1804-15-0x000000013FBB0000-0x000000013FF04000-memory.dmp

Filesize
3.3MB

Download
memory/1804-0-0x000000013F340000-0x000000013F694000-memory.dmp

Filesize
3.3MB

Download
memory/1804-31-0x000000013FE00000-0x0000000140154000-memory.dmp

Filesize
3.3MB

Download
memory/1804-63-0x000000013F730000-0x000000013FA84000-memory.dmp

Filesize
3.3MB

Download
memory/1804-99-0x0000000002570000-0x00000000028C4000-memory.dmp

Filesize
3.3MB

Download
memory/1804-98-0x0000000002570000-0x00000000028C4000-memory.dmp

Filesize
3.3MB

Download
memory/1804-32-0x000000013FCC0000-0x0000000140014000-memory.dmp

Filesize
3.3MB

Download
memory/1804-89-0x000000013FF30000-0x0000000140284000-memory.dmp

Filesize
3.3MB

Download
memory/1804-8-0x0000000002570000-0x00000000028C4000-memory.dmp

Filesize
3.3MB

Download
memory/1804-106-0x000000013FED0000-0x0000000140224000-memory.dmp

Filesize
3.3MB

Download
memory/1804-56-0x000000013FF00000-0x0000000140254000-memory.dmp

Filesize
3.3MB

Download
memory/1804-84-0x000000013FDE0000-0x0000000140134000-memory.dmp

Filesize
3.3MB

Download
memory/2024-150-0x000000013FDE0000-0x0000000140134000-memory.dmp

Filesize
3.3MB

Download
memory/2024-88-0x000000013FDE0000-0x0000000140134000-memory.dmp

Filesize
3.3MB

Download
memory/2256-140-0x000000013F540000-0x000000013F894000-memory.dmp

Filesize
3.3MB

Download
memory/2256-9-0x000000013F540000-0x000000013F894000-memory.dmp

Filesize
3.3MB

Download
memory/2532-148-0x000000013F730000-0x000000013FA84000-memory.dmp

Filesize
3.3MB

Download
memory/2532-64-0x000000013F730000-0x000000013FA84000-memory.dmp

Filesize
3.3MB

Download
memory/2596-146-0x000000013F4A0000-0x000000013F7F4000-memory.dmp

Filesize
3.3MB

Download
memory/2596-49-0x000000013F4A0000-0x000000013F7F4000-memory.dmp

Filesize
3.3MB

Download
memory/2656-144-0x000000013FCC0000-0x0000000140014000-memory.dmp

Filesize
3.3MB

Download
memory/2656-46-0x000000013FCC0000-0x0000000140014000-memory.dmp

Filesize
3.3MB

Download
memory/2688-143-0x000000013F9D0000-0x000000013FD24000-memory.dmp

Filesize
3.3MB

Download
memory/2688-34-0x000000013F9D0000-0x000000013FD24000-memory.dmp

Filesize
3.3MB

Download
memory/2744-145-0x000000013F780000-0x000000013FAD4000-memory.dmp

Filesize
3.3MB

Download
memory/2744-48-0x000000013F780000-0x000000013FAD4000-memory.dmp

Filesize
3.3MB

Download
memory/2836-151-0x000000013FF30000-0x0000000140284000-memory.dmp

Filesize
3.3MB

Download
memory/2836-83-0x000000013FF30000-0x0000000140284000-memory.dmp

Filesize
3.3MB

Download
memory/2940-138-0x000000013F1E0000-0x000000013F534000-memory.dmp

Filesize
3.3MB

Download
memory/2940-100-0x000000013F1E0000-0x000000013F534000-memory.dmp

Filesize
3.3MB

Download
memory/2940-152-0x000000013F1E0000-0x000000013F534000-memory.dmp

Filesize
3.3MB

Download
memory/2976-82-0x000000013F0F0000-0x000000013F444000-memory.dmp

Filesize
3.3MB

Download
memory/2976-149-0x000000013F0F0000-0x000000013F444000-memory.dmp

Filesize
3.3MB

Download
memory/3020-57-0x000000013FF00000-0x0000000140254000-memory.dmp

Filesize
3.3MB

Download
memory/3020-147-0x000000013FF00000-0x0000000140254000-memory.dmp

Filesize
3.3MB

Download
memory/3048-141-0x000000013FBB0000-0x000000013FF04000-memory.dmp

Filesize
3.3MB

Download
memory/3048-20-0x000000013FBB0000-0x000000013FF04000-memory.dmp

Filesize
3.3MB

Download