cobaltstrike | 8f899723822603bde6c11d8651a4aa86ee02271642de842871e50a7b5302a3de

Analysis

max time kernel
149s
max time network
154s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
05-06-2024 19:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe
Size

5.9MB
MD5

4d1bdec09a8a0e958c35440e431477af
SHA1

14a403d2ddc38de45daccc4436227a80f81f6f65
SHA256

8f899723822603bde6c11d8651a4aa86ee02271642de842871e50a7b5302a3de
SHA512

02d464ec0699b24fdabe84686a4ea5ea60143fd8b5f510b0f5dc195c8da2e1985018f3d18d68d165580369d4fe7cdbf846c2844d857afce1db32dbaf3eeaddd9
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUH:Q+856utgpPF8u/7H

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x0009000000016d24-6.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000016d84-8.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000017090-19.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001868c-26.dat	cobalt_reflective_dll
behavioral1/files/0x00020000000180e5-32.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000018ae8-46.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000018b33-58.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000018b42-67.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000018b6a-73.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000018ae2-117.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000018b73-125.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000192c9-129.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000018d06-99.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000018ba2-89.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000018b4a-70.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000018b37-59.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000018b15-49.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000018698-34.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000192f4-104.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000018b96-87.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000186a0-39.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

resource	yara_rule
behavioral1/files/0x0009000000016d24-6.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000016d84-8.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000017090-19.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x000500000001868c-26.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x00020000000180e5-32.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000018ae8-46.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000018b33-58.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000018b42-67.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000018b6a-73.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000018ae2-117.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000018b73-125.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x00050000000192c9-129.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000018d06-99.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000018ba2-89.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000018b4a-70.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000018b37-59.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000018b15-49.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0005000000018698-34.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x00050000000192f4-104.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000018b96-87.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x00050000000186a0-39.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 54 IoCs

resource	yara_rule
behavioral1/memory/2200-0-0x000000013F3E0000-0x000000013F734000-memory.dmp	UPX
behavioral1/files/0x0009000000016d24-6.dat	UPX
behavioral1/files/0x0007000000016d84-8.dat	UPX
behavioral1/files/0x0007000000017090-19.dat	UPX
behavioral1/files/0x000500000001868c-26.dat	UPX
behavioral1/memory/1568-31-0x000000013FFF0000-0x0000000140344000-memory.dmp	UPX
behavioral1/files/0x00020000000180e5-32.dat	UPX
behavioral1/files/0x0006000000018ae8-46.dat	UPX
behavioral1/files/0x0006000000018b33-58.dat	UPX
behavioral1/files/0x0006000000018b42-67.dat	UPX
behavioral1/files/0x0006000000018b6a-73.dat	UPX
behavioral1/memory/940-105-0x000000013F0D0000-0x000000013F424000-memory.dmp	UPX
behavioral1/memory/1116-25-0x000000013F2A0000-0x000000013F5F4000-memory.dmp	UPX
behavioral1/files/0x0006000000018ae2-117.dat	UPX
behavioral1/files/0x0006000000018b73-125.dat	UPX
behavioral1/files/0x00050000000192c9-129.dat	UPX
behavioral1/files/0x0006000000018d06-99.dat	UPX
behavioral1/files/0x0006000000018ba2-89.dat	UPX
behavioral1/memory/1152-82-0x000000013FEA0000-0x00000001401F4000-memory.dmp	UPX
behavioral1/files/0x0006000000018b4a-70.dat	UPX
behavioral1/files/0x0006000000018b37-59.dat	UPX
behavioral1/files/0x0006000000018b15-49.dat	UPX
behavioral1/files/0x0005000000018698-34.dat	UPX
behavioral1/memory/2360-14-0x000000013F730000-0x000000013FA84000-memory.dmp	UPX
behavioral1/memory/2360-106-0x000000013F730000-0x000000013FA84000-memory.dmp	UPX
behavioral1/files/0x00050000000192f4-104.dat	UPX
behavioral1/memory/2200-88-0x000000013F3E0000-0x000000013F734000-memory.dmp	UPX
behavioral1/files/0x0006000000018b96-87.dat	UPX
behavioral1/memory/1740-86-0x000000013F970000-0x000000013FCC4000-memory.dmp	UPX
behavioral1/memory/2028-77-0x000000013F690000-0x000000013F9E4000-memory.dmp	UPX
behavioral1/memory/524-65-0x000000013F430000-0x000000013F784000-memory.dmp	UPX
behavioral1/memory/948-41-0x000000013FFB0000-0x0000000140304000-memory.dmp	UPX
behavioral1/files/0x00050000000186a0-39.dat	UPX
behavioral1/memory/1532-33-0x000000013F1F0000-0x000000013F544000-memory.dmp	UPX
behavioral1/memory/2040-12-0x000000013FD00000-0x0000000140054000-memory.dmp	UPX
behavioral1/memory/1568-131-0x000000013FFF0000-0x0000000140344000-memory.dmp	UPX
behavioral1/memory/1532-132-0x000000013F1F0000-0x000000013F544000-memory.dmp	UPX
behavioral1/memory/948-133-0x000000013FFB0000-0x0000000140304000-memory.dmp	UPX
behavioral1/memory/524-134-0x000000013F430000-0x000000013F784000-memory.dmp	UPX
behavioral1/memory/1152-137-0x000000013FEA0000-0x00000001401F4000-memory.dmp	UPX
behavioral1/memory/1740-138-0x000000013F970000-0x000000013FCC4000-memory.dmp	UPX
behavioral1/memory/2028-136-0x000000013F690000-0x000000013F9E4000-memory.dmp	UPX
behavioral1/memory/940-139-0x000000013F0D0000-0x000000013F424000-memory.dmp	UPX
behavioral1/memory/2040-140-0x000000013FD00000-0x0000000140054000-memory.dmp	UPX
behavioral1/memory/2360-141-0x000000013F730000-0x000000013FA84000-memory.dmp	UPX
behavioral1/memory/1116-142-0x000000013F2A0000-0x000000013F5F4000-memory.dmp	UPX
behavioral1/memory/1568-143-0x000000013FFF0000-0x0000000140344000-memory.dmp	UPX
behavioral1/memory/1532-144-0x000000013F1F0000-0x000000013F544000-memory.dmp	UPX
behavioral1/memory/524-150-0x000000013F430000-0x000000013F784000-memory.dmp	UPX
behavioral1/memory/940-149-0x000000013F0D0000-0x000000013F424000-memory.dmp	UPX
behavioral1/memory/1740-148-0x000000013F970000-0x000000013FCC4000-memory.dmp	UPX
behavioral1/memory/1152-147-0x000000013FEA0000-0x00000001401F4000-memory.dmp	UPX
behavioral1/memory/2028-146-0x000000013F690000-0x000000013F9E4000-memory.dmp	UPX
behavioral1/memory/948-145-0x000000013FFB0000-0x0000000140304000-memory.dmp	UPX

XMRig Miner payload 55 IoCs

miner

resource	yara_rule
behavioral1/memory/2200-0-0x000000013F3E0000-0x000000013F734000-memory.dmp	xmrig
behavioral1/files/0x0009000000016d24-6.dat	xmrig
behavioral1/files/0x0007000000016d84-8.dat	xmrig
behavioral1/files/0x0007000000017090-19.dat	xmrig
behavioral1/files/0x000500000001868c-26.dat	xmrig
behavioral1/memory/2200-29-0x00000000025F0000-0x0000000002944000-memory.dmp	xmrig
behavioral1/memory/1568-31-0x000000013FFF0000-0x0000000140344000-memory.dmp	xmrig
behavioral1/files/0x00020000000180e5-32.dat	xmrig
behavioral1/files/0x0006000000018ae8-46.dat	xmrig
behavioral1/files/0x0006000000018b33-58.dat	xmrig
behavioral1/files/0x0006000000018b42-67.dat	xmrig
behavioral1/files/0x0006000000018b6a-73.dat	xmrig
behavioral1/memory/940-105-0x000000013F0D0000-0x000000013F424000-memory.dmp	xmrig
behavioral1/memory/1116-25-0x000000013F2A0000-0x000000013F5F4000-memory.dmp	xmrig
behavioral1/files/0x0006000000018ae2-117.dat	xmrig
behavioral1/files/0x0006000000018b73-125.dat	xmrig
behavioral1/files/0x00050000000192c9-129.dat	xmrig
behavioral1/files/0x0006000000018d06-99.dat	xmrig
behavioral1/files/0x0006000000018ba2-89.dat	xmrig
behavioral1/memory/1152-82-0x000000013FEA0000-0x00000001401F4000-memory.dmp	xmrig
behavioral1/files/0x0006000000018b4a-70.dat	xmrig
behavioral1/files/0x0006000000018b37-59.dat	xmrig
behavioral1/files/0x0006000000018b15-49.dat	xmrig
behavioral1/files/0x0005000000018698-34.dat	xmrig
behavioral1/memory/2360-14-0x000000013F730000-0x000000013FA84000-memory.dmp	xmrig
behavioral1/memory/2360-106-0x000000013F730000-0x000000013FA84000-memory.dmp	xmrig
behavioral1/files/0x00050000000192f4-104.dat	xmrig
behavioral1/memory/2200-88-0x000000013F3E0000-0x000000013F734000-memory.dmp	xmrig
behavioral1/files/0x0006000000018b96-87.dat	xmrig
behavioral1/memory/1740-86-0x000000013F970000-0x000000013FCC4000-memory.dmp	xmrig
behavioral1/memory/2028-77-0x000000013F690000-0x000000013F9E4000-memory.dmp	xmrig
behavioral1/memory/524-65-0x000000013F430000-0x000000013F784000-memory.dmp	xmrig
behavioral1/memory/948-41-0x000000013FFB0000-0x0000000140304000-memory.dmp	xmrig
behavioral1/files/0x00050000000186a0-39.dat	xmrig
behavioral1/memory/1532-33-0x000000013F1F0000-0x000000013F544000-memory.dmp	xmrig
behavioral1/memory/2040-12-0x000000013FD00000-0x0000000140054000-memory.dmp	xmrig
behavioral1/memory/1568-131-0x000000013FFF0000-0x0000000140344000-memory.dmp	xmrig
behavioral1/memory/1532-132-0x000000013F1F0000-0x000000013F544000-memory.dmp	xmrig
behavioral1/memory/948-133-0x000000013FFB0000-0x0000000140304000-memory.dmp	xmrig
behavioral1/memory/524-134-0x000000013F430000-0x000000013F784000-memory.dmp	xmrig
behavioral1/memory/1152-137-0x000000013FEA0000-0x00000001401F4000-memory.dmp	xmrig
behavioral1/memory/1740-138-0x000000013F970000-0x000000013FCC4000-memory.dmp	xmrig
behavioral1/memory/2028-136-0x000000013F690000-0x000000013F9E4000-memory.dmp	xmrig
behavioral1/memory/940-139-0x000000013F0D0000-0x000000013F424000-memory.dmp	xmrig
behavioral1/memory/2040-140-0x000000013FD00000-0x0000000140054000-memory.dmp	xmrig
behavioral1/memory/2360-141-0x000000013F730000-0x000000013FA84000-memory.dmp	xmrig
behavioral1/memory/1116-142-0x000000013F2A0000-0x000000013F5F4000-memory.dmp	xmrig
behavioral1/memory/1568-143-0x000000013FFF0000-0x0000000140344000-memory.dmp	xmrig
behavioral1/memory/1532-144-0x000000013F1F0000-0x000000013F544000-memory.dmp	xmrig
behavioral1/memory/524-150-0x000000013F430000-0x000000013F784000-memory.dmp	xmrig
behavioral1/memory/940-149-0x000000013F0D0000-0x000000013F424000-memory.dmp	xmrig
behavioral1/memory/1740-148-0x000000013F970000-0x000000013FCC4000-memory.dmp	xmrig
behavioral1/memory/1152-147-0x000000013FEA0000-0x00000001401F4000-memory.dmp	xmrig
behavioral1/memory/2028-146-0x000000013F690000-0x000000013F9E4000-memory.dmp	xmrig
behavioral1/memory/948-145-0x000000013FFB0000-0x0000000140304000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2040	wuKLeVs.exe
2360	AMKZnrs.exe
1116	pNsvUjT.exe
1568	iSNVXVE.exe
1532	RqlzIXz.exe
948	lhTmdFT.exe
2028	BvhdMfJ.exe
524	OunqxOS.exe
1152	lpEjHbX.exe
1740	tNnzTmb.exe
940	LXzyCbr.exe
960	XECShgQ.exe
2396	UyGQXyu.exe
1272	NyHjXmx.exe
1264	tZPAcij.exe
2012	BIXwIra.exe
268	enRRphX.exe
1736	OtbOUTA.exe
656	RnJUFOY.exe
2612	jlLlNEd.exe
2464	YCOWJhO.exe

Loads dropped DLL 21 IoCs

pid	Process
2200	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe
2200	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe
2200	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe
2200	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe
2200	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe
2200	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe
2200	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe
2200	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe
2200	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe
2200	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe
2200	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe
2200	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe
2200	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe
2200	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe
2200	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe
2200	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe
2200	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe
2200	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe
2200	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe
2200	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe
2200	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe

UPX packed file 54 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2200-0-0x000000013F3E0000-0x000000013F734000-memory.dmp	upx
behavioral1/files/0x0009000000016d24-6.dat	upx
behavioral1/files/0x0007000000016d84-8.dat	upx
behavioral1/files/0x0007000000017090-19.dat	upx
behavioral1/files/0x000500000001868c-26.dat	upx
behavioral1/memory/1568-31-0x000000013FFF0000-0x0000000140344000-memory.dmp	upx
behavioral1/files/0x00020000000180e5-32.dat	upx
behavioral1/files/0x0006000000018ae8-46.dat	upx
behavioral1/files/0x0006000000018b33-58.dat	upx
behavioral1/files/0x0006000000018b42-67.dat	upx
behavioral1/files/0x0006000000018b6a-73.dat	upx
behavioral1/memory/940-105-0x000000013F0D0000-0x000000013F424000-memory.dmp	upx
behavioral1/memory/1116-25-0x000000013F2A0000-0x000000013F5F4000-memory.dmp	upx
behavioral1/files/0x0006000000018ae2-117.dat	upx
behavioral1/files/0x0006000000018b73-125.dat	upx
behavioral1/files/0x00050000000192c9-129.dat	upx
behavioral1/files/0x0006000000018d06-99.dat	upx
behavioral1/files/0x0006000000018ba2-89.dat	upx
behavioral1/memory/1152-82-0x000000013FEA0000-0x00000001401F4000-memory.dmp	upx
behavioral1/files/0x0006000000018b4a-70.dat	upx
behavioral1/files/0x0006000000018b37-59.dat	upx
behavioral1/files/0x0006000000018b15-49.dat	upx
behavioral1/files/0x0005000000018698-34.dat	upx
behavioral1/memory/2360-14-0x000000013F730000-0x000000013FA84000-memory.dmp	upx
behavioral1/memory/2360-106-0x000000013F730000-0x000000013FA84000-memory.dmp	upx
behavioral1/files/0x00050000000192f4-104.dat	upx
behavioral1/memory/2200-88-0x000000013F3E0000-0x000000013F734000-memory.dmp	upx
behavioral1/files/0x0006000000018b96-87.dat	upx
behavioral1/memory/1740-86-0x000000013F970000-0x000000013FCC4000-memory.dmp	upx
behavioral1/memory/2028-77-0x000000013F690000-0x000000013F9E4000-memory.dmp	upx
behavioral1/memory/524-65-0x000000013F430000-0x000000013F784000-memory.dmp	upx
behavioral1/memory/948-41-0x000000013FFB0000-0x0000000140304000-memory.dmp	upx
behavioral1/files/0x00050000000186a0-39.dat	upx
behavioral1/memory/1532-33-0x000000013F1F0000-0x000000013F544000-memory.dmp	upx
behavioral1/memory/2040-12-0x000000013FD00000-0x0000000140054000-memory.dmp	upx
behavioral1/memory/1568-131-0x000000013FFF0000-0x0000000140344000-memory.dmp	upx
behavioral1/memory/1532-132-0x000000013F1F0000-0x000000013F544000-memory.dmp	upx
behavioral1/memory/948-133-0x000000013FFB0000-0x0000000140304000-memory.dmp	upx
behavioral1/memory/524-134-0x000000013F430000-0x000000013F784000-memory.dmp	upx
behavioral1/memory/1152-137-0x000000013FEA0000-0x00000001401F4000-memory.dmp	upx
behavioral1/memory/1740-138-0x000000013F970000-0x000000013FCC4000-memory.dmp	upx
behavioral1/memory/2028-136-0x000000013F690000-0x000000013F9E4000-memory.dmp	upx
behavioral1/memory/940-139-0x000000013F0D0000-0x000000013F424000-memory.dmp	upx
behavioral1/memory/2040-140-0x000000013FD00000-0x0000000140054000-memory.dmp	upx
behavioral1/memory/2360-141-0x000000013F730000-0x000000013FA84000-memory.dmp	upx
behavioral1/memory/1116-142-0x000000013F2A0000-0x000000013F5F4000-memory.dmp	upx
behavioral1/memory/1568-143-0x000000013FFF0000-0x0000000140344000-memory.dmp	upx
behavioral1/memory/1532-144-0x000000013F1F0000-0x000000013F544000-memory.dmp	upx
behavioral1/memory/524-150-0x000000013F430000-0x000000013F784000-memory.dmp	upx
behavioral1/memory/940-149-0x000000013F0D0000-0x000000013F424000-memory.dmp	upx
behavioral1/memory/1740-148-0x000000013F970000-0x000000013FCC4000-memory.dmp	upx
behavioral1/memory/1152-147-0x000000013FEA0000-0x00000001401F4000-memory.dmp	upx
behavioral1/memory/2028-146-0x000000013F690000-0x000000013F9E4000-memory.dmp	upx
behavioral1/memory/948-145-0x000000013FFB0000-0x0000000140304000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\AMKZnrs.exe	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\RqlzIXz.exe	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\iSNVXVE.exe	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\BIXwIra.exe	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\OunqxOS.exe	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\jlLlNEd.exe	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\XECShgQ.exe	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\wuKLeVs.exe	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\pNsvUjT.exe	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\OtbOUTA.exe	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\YCOWJhO.exe	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\lhTmdFT.exe	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\lpEjHbX.exe	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\tNnzTmb.exe	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\RnJUFOY.exe	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\UyGQXyu.exe	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\NyHjXmx.exe	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\tZPAcij.exe	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\BvhdMfJ.exe	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\enRRphX.exe	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\LXzyCbr.exe	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2200	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	2200	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2200 wrote to memory of 2040	2200	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe	32
PID 2200 wrote to memory of 2040	2200	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe	32
PID 2200 wrote to memory of 2040	2200	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe	32
PID 2200 wrote to memory of 2360	2200	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe	33
PID 2200 wrote to memory of 2360	2200	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe	33
PID 2200 wrote to memory of 2360	2200	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe	33
PID 2200 wrote to memory of 1116	2200	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe	34
PID 2200 wrote to memory of 1116	2200	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe	34
PID 2200 wrote to memory of 1116	2200	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe	34
PID 2200 wrote to memory of 1532	2200	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe	35
PID 2200 wrote to memory of 1532	2200	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe	35
PID 2200 wrote to memory of 1532	2200	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe	35
PID 2200 wrote to memory of 1568	2200	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe	36
PID 2200 wrote to memory of 1568	2200	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe	36
PID 2200 wrote to memory of 1568	2200	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe	36
PID 2200 wrote to memory of 1272	2200	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe	37
PID 2200 wrote to memory of 1272	2200	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe	37
PID 2200 wrote to memory of 1272	2200	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe	37
PID 2200 wrote to memory of 948	2200	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe	38
PID 2200 wrote to memory of 948	2200	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe	38
PID 2200 wrote to memory of 948	2200	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe	38
PID 2200 wrote to memory of 1264	2200	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe	39
PID 2200 wrote to memory of 1264	2200	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe	39
PID 2200 wrote to memory of 1264	2200	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe	39
PID 2200 wrote to memory of 2028	2200	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe	40
PID 2200 wrote to memory of 2028	2200	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe	40
PID 2200 wrote to memory of 2028	2200	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe	40
PID 2200 wrote to memory of 2012	2200	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe	41
PID 2200 wrote to memory of 2012	2200	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe	41
PID 2200 wrote to memory of 2012	2200	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe	41
PID 2200 wrote to memory of 524	2200	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe	42
PID 2200 wrote to memory of 524	2200	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe	42
PID 2200 wrote to memory of 524	2200	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe	42
PID 2200 wrote to memory of 268	2200	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe	43
PID 2200 wrote to memory of 268	2200	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe	43
PID 2200 wrote to memory of 268	2200	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe	43
PID 2200 wrote to memory of 1152	2200	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe	44
PID 2200 wrote to memory of 1152	2200	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe	44
PID 2200 wrote to memory of 1152	2200	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe	44
PID 2200 wrote to memory of 1736	2200	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe	45
PID 2200 wrote to memory of 1736	2200	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe	45
PID 2200 wrote to memory of 1736	2200	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe	45
PID 2200 wrote to memory of 1740	2200	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe	46
PID 2200 wrote to memory of 1740	2200	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe	46
PID 2200 wrote to memory of 1740	2200	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe	46
PID 2200 wrote to memory of 656	2200	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe	47
PID 2200 wrote to memory of 656	2200	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe	47
PID 2200 wrote to memory of 656	2200	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe	47
PID 2200 wrote to memory of 940	2200	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe	48
PID 2200 wrote to memory of 940	2200	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe	48
PID 2200 wrote to memory of 940	2200	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe	48
PID 2200 wrote to memory of 2612	2200	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe	49
PID 2200 wrote to memory of 2612	2200	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe	49
PID 2200 wrote to memory of 2612	2200	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe	49
PID 2200 wrote to memory of 960	2200	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe	50
PID 2200 wrote to memory of 960	2200	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe	50
PID 2200 wrote to memory of 960	2200	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe	50
PID 2200 wrote to memory of 2464	2200	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe	51
PID 2200 wrote to memory of 2464	2200	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe	51
PID 2200 wrote to memory of 2464	2200	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe	51
PID 2200 wrote to memory of 2396	2200	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe	52
PID 2200 wrote to memory of 2396	2200	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe	52
PID 2200 wrote to memory of 2396	2200	2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe	52

C:\Users\Admin\AppData\Local\Temp\2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-05_4d1bdec09a8a0e958c35440e431477af_cobalt-strike_cobaltstrike.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2200
- C:\Windows\System\wuKLeVs.exe
  C:\Windows\System\wuKLeVs.exe
  2⤵
  - Executes dropped EXE
  PID:2040
- C:\Windows\System\AMKZnrs.exe
  C:\Windows\System\AMKZnrs.exe
  2⤵
  - Executes dropped EXE
  PID:2360
- C:\Windows\System\pNsvUjT.exe
  C:\Windows\System\pNsvUjT.exe
  2⤵
  - Executes dropped EXE
  PID:1116
- C:\Windows\System\RqlzIXz.exe
  C:\Windows\System\RqlzIXz.exe
  2⤵
  - Executes dropped EXE
  PID:1532
- C:\Windows\System\iSNVXVE.exe
  C:\Windows\System\iSNVXVE.exe
  2⤵
  - Executes dropped EXE
  PID:1568
- C:\Windows\System\NyHjXmx.exe
  C:\Windows\System\NyHjXmx.exe
  2⤵
  - Executes dropped EXE
  PID:1272
- C:\Windows\System\lhTmdFT.exe
  C:\Windows\System\lhTmdFT.exe
  2⤵
  - Executes dropped EXE
  PID:948
- C:\Windows\System\tZPAcij.exe
  C:\Windows\System\tZPAcij.exe
  2⤵
  - Executes dropped EXE
  PID:1264
- C:\Windows\System\BvhdMfJ.exe
  C:\Windows\System\BvhdMfJ.exe
  2⤵
  - Executes dropped EXE
  PID:2028
- C:\Windows\System\BIXwIra.exe
  C:\Windows\System\BIXwIra.exe
  2⤵
  - Executes dropped EXE
  PID:2012
- C:\Windows\System\OunqxOS.exe
  C:\Windows\System\OunqxOS.exe
  2⤵
  - Executes dropped EXE
  PID:524
- C:\Windows\System\enRRphX.exe
  C:\Windows\System\enRRphX.exe
  2⤵
  - Executes dropped EXE
  PID:268
- C:\Windows\System\lpEjHbX.exe
  C:\Windows\System\lpEjHbX.exe
  2⤵
  - Executes dropped EXE
  PID:1152
- C:\Windows\System\OtbOUTA.exe
  C:\Windows\System\OtbOUTA.exe
  2⤵
  - Executes dropped EXE
  PID:1736
- C:\Windows\System\tNnzTmb.exe
  C:\Windows\System\tNnzTmb.exe
  2⤵
  - Executes dropped EXE
  PID:1740
- C:\Windows\System\RnJUFOY.exe
  C:\Windows\System\RnJUFOY.exe
  2⤵
  - Executes dropped EXE
  PID:656
- C:\Windows\System\LXzyCbr.exe
  C:\Windows\System\LXzyCbr.exe
  2⤵
  - Executes dropped EXE
  PID:940
- C:\Windows\System\jlLlNEd.exe
  C:\Windows\System\jlLlNEd.exe
  2⤵
  - Executes dropped EXE
  PID:2612
- C:\Windows\System\XECShgQ.exe
  C:\Windows\System\XECShgQ.exe
  2⤵
  - Executes dropped EXE
  PID:960
- C:\Windows\System\YCOWJhO.exe
  C:\Windows\System\YCOWJhO.exe
  2⤵
  - Executes dropped EXE
  PID:2464
- C:\Windows\System\UyGQXyu.exe
  C:\Windows\System\UyGQXyu.exe
  2⤵
  - Executes dropped EXE
  PID:2396

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\LXzyCbr.exe

Filesize
5.9MB

MD5
48c17a3e8b82c29a2225aff1eab983a0

SHA1
a4dbe6ab8b5a4f40ba9875db2f8e6401c5672123

SHA256
549fecb00383b15be5a3fec3e7530758f22023f17c71d7d1b5459ca3816d02dd

SHA512
5623f07b45f8288a2ebd449985622749060389ce64efeaec2dd436b4c4ff2fbc5647c1e9dd9d938847bc1b7346f26f8c47eb644560ca6d78745b833a0ee56323

Download Submit
C:\Windows\system\OunqxOS.exe

Filesize
5.9MB

MD5
132e3a5414ec163629060acb36e0f5e2

SHA1
6347874cca892d6f391c4d49f4188279b19b6800

SHA256
f5658b6ab30484351823ee8a6d89466577f6e4d3ef7151a0344fdcda172668e6

SHA512
930e07138bf2ef02223beb815e7db74f5b70d99e9310b6bd055ec41d120d9e475a3c2534c138935b34230b53b188d2fdc4aabd4cc786bd53c9eae76e5b353cc2

Download Submit
C:\Windows\system\RnJUFOY.exe

Filesize
5.9MB

MD5
3e24c260ee47219525136265def85f3c

SHA1
6189e3adfcf15b43c409c44448ab26c850b36f53

SHA256
d24275d5786fbe27b87b5f856f11b21f0b8b45649a7f58210a9d041ad7f3aead

SHA512
ad4f1c279a5ad6218b7951047b483758802268911ac1c68d2f0066ffd08077ca5bbfb1fee9c7f3e6d6ffef48c4539e6cecd8f1f43f6b57669206850df8472268

Download Submit
C:\Windows\system\RqlzIXz.exe

Filesize
5.9MB

MD5
8f3b1ba2b225aa681c33015f64c9751e

SHA1
e4d441e8ee8766c3f5974dc5e7745188ec131443

SHA256
4c5649d0f17bd481ab1b8ca4ebbaacbbc6c39770ac7a2e24d88b9aba56074820

SHA512
fa12d6761f177cdedadced437283d8e6f165e3f05ec8d4079ff68ac5f76e691234fcd1621cf2768c5836c22787c7a4db656ced93eff1a443d3bc66ecb9d2c407

Download Submit
C:\Windows\system\UyGQXyu.exe

Filesize
5.9MB

MD5
a5f30131b2adf491c928d1ccaa36b057

SHA1
8ec1d23749e1b3c7bb55374628995bcf8f27ada3

SHA256
dd915a45f41002c3be41a04472db9173358a4a56ce9258293ce107f57973fae8

SHA512
89724d643885b1e34cdc851abd2a45e4da9199530f4bdffe3c1e190f21e58e4b8602345738f9eb6e35e5fac99a4319c4bce7c06f9d709d4dad54c1693be813ff

Download Submit
C:\Windows\system\XECShgQ.exe

Filesize
5.9MB

MD5
e31525f99b9efca55bef2fa749f56707

SHA1
d40bb95a4e9b75a2f802b0e4e109dd7dbd996901

SHA256
82d70b26efa6634ea8c8cd4b4f98f372c967d84cecf8bfc3fa4a5e4c39354bb0

SHA512
d252b097af278898ac02166575344f851d355aed50d36b4c0e370d57ea9d6695cb7d7e2bc26721d0cb2fcd636e1b3d8ffd3eceec4319230b46a126931083aa7b

Download Submit
C:\Windows\system\YCOWJhO.exe

Filesize
5.9MB

MD5
45bec6c5f2e9c5c862028ded042cc7a5

SHA1
af11615e9f4438bc04ccb7f2ef22aba45ae5d156

SHA256
c67425233b04b068b9fcef96da0bed19781002c9aabdc713558e649aef808633

SHA512
a72fd9df5aa24456a9c4f5cb4453b1cd64e24e1b084b8bf9b1f23967591b821f67957bbe2ea2435e8c148aab4b01c2a61a09de687cfd044b289988813072b279

Download Submit
C:\Windows\system\lhTmdFT.exe

Filesize
5.9MB

MD5
a16c159abf36936fa3051a4d8edec374

SHA1
01cf114515a0cf4e8096ca5e58af270e0e8f1ef8

SHA256
9773b700fbe0623ab8d55ccdb54c06a4e3bc0422d92fa905d45c911ced0df6f1

SHA512
48ec2e320f0fe0aa9ab6d02328c4de8584872ebcd8e2acc336cb12594df918d73cb1adaf7dca20a333f27fde9c6a36d193495ac7e20fa033969c438d72b9d664

Download Submit
C:\Windows\system\lpEjHbX.exe

Filesize
5.9MB

MD5
74adc1607c42dbee38d4c667eaab9a16

SHA1
5739c96d58deec17c08ead5cf738a03dcbe3e904

SHA256
3333537306815b340aef2b6ffd12101673ddd0777bc00fb8246406ec60503169

SHA512
5ef629b6f08a4f3ffa6097ef321d064c383870266d812d470bb36227ceb1a504b790a4a2b068dae8d6369c7c164b4ae41fa1c18b7f808d0175020c3192af1120

Download Submit
C:\Windows\system\pNsvUjT.exe

Filesize
5.9MB

MD5
8c96a32adb62c4d968da750fa48ba1f9

SHA1
290690e496545e6df3ef6106888f83fb9c8757ab

SHA256
ea649f80ea4e99dd7aa90ffb4527e1ada631df7dcdc4ff13b3a712900a94bd96

SHA512
db0e542e9118580114dab80bf149bed625fd2864717caa79d3830c728cf3bff21002a76cef72e9c03a1554baa43b6215c65798ae67b986dc47f92033023431a0

Download Submit
C:\Windows\system\tZPAcij.exe

Filesize
5.9MB

MD5
8a4042e7c129a4e28ff8669873743cce

SHA1
0584593aa89dfce91ae21e3fe005bb007163b18b

SHA256
9a12a2315be9f0f9ed5310e4ec9dcf64265d63b7fb5e8da17c965aabb51aad92

SHA512
253d6346565bb0deb8dd1f62b1b29ea2319df81538dd84a92d13f2aae61fa8343ff679abfe33dc2d0fff3e3af14db233b16969b83c92f6052dc7daaf96709098

Download Submit
C:\Windows\system\wuKLeVs.exe

Filesize
5.9MB

MD5
2d71dd83620b697f9caf3ebbbe9b9147

SHA1
92034de4be019b1f4048f7c80fb0d21d6459ced4

SHA256
d86ee3c75449fe8cf06a146002e61fcabfd2250bdc9fe02078216d7a8d471d82

SHA512
eda65577f540349658d610634df4cbfaa843824f706911506cb80f3a5ea111f6547e0f29f8289de1e78aaa9d28a565fb70bee94cd9b811d8734ad381c4c6cf4c

Download Submit
\Windows\system\AMKZnrs.exe

Filesize
5.9MB

MD5
1e5f001d36f661d52ca2702139b5983a

SHA1
608ba22d1791b9a0e1723b747047e42f70caa98a

SHA256
b21d699a426be3eee3d5afca8072977d4a69ad57cb513383023733751e672610

SHA512
870ec8970979c474f37e9d05693966390af3e20246fc1f7041a10646e419ed96e84c9a6eaad8d8b3ff69103cf4f7d302159703a4da5180297919386c4854f054

Download Submit
\Windows\system\BIXwIra.exe

Filesize
5.9MB

MD5
522b8f0c3fabf62558ca8d86dfe76c70

SHA1
7c41e792b7692cec45151c043938d86e84a418d7

SHA256
e063c246a549b13ebbd94397424ecbc4e07078aa1d8f2d91a05659362d343b0b

SHA512
6758270ff9427bef5ee91976ffdfb3a9f990389570f1b9d864b1a9f6ed13ab00b655ff8f7d5e3ae976cdaafefe6b55f03c99c839385234b614ef13fa443d854f

Download Submit
\Windows\system\BvhdMfJ.exe

Filesize
5.9MB

MD5
0f5543f7d0a52373d2aa769a444d8de6

SHA1
604041eb0972c1e687a620ed42157d09dbc59466

SHA256
3eeb126152be954ed7ba124e4c9ecea5c619a6a3fcdde5b52ca86a98264c05b6

SHA512
042c10d13d593238dbd58298a22f97db4b145d7b3c25077f9bc42b945ba939d823cc10a1b56290986fd220c3fd50c49143f510e2a7e31cef477095165269fe9e

Download Submit
\Windows\system\NyHjXmx.exe

Filesize
5.9MB

MD5
bd211541b32315784394eb65557a2500

SHA1
6f5f64e43b953832d5de38a9abb170dc6aae1e46

SHA256
1891e2958e4f0c1620a5ae458efdbd06742ad634a4ade2e75d7d11d067c895aa

SHA512
a08f1677366f2191963a40702926928ec5dc2c6bff241b5abdee2f68ec4e45e207b78ba2545f1ba4402a91179ead67aeb97ea7ef765a310e664578f535a2911d

Download Submit
\Windows\system\OtbOUTA.exe

Filesize
5.9MB

MD5
3c4d9d960b52dfa86c72aef70abf66ef

SHA1
1d4d8aa6740f52c34e8c53401beb08e52d3a92d0

SHA256
ede814e1bd8a663c68cc340991b3134eb940f8fd40dae02009b350e804378c97

SHA512
093d95823f0b65dfd5e8d961b04c405c4da1dddfb5e7ca103a3ab3fe238679e889b4a6482d7fcc6e2a7b73063f68a97b519f49e0ad1fe4756babd4ea2f12bce4

Download Submit
\Windows\system\enRRphX.exe

Filesize
5.9MB

MD5
21696647e7fd9954916289d8571f9db0

SHA1
d7e68769b8e8bfa7fdf92d1310fe583ac3d06d6f

SHA256
eeb85fe08fa461044d23490a86f7718a37bafbd7a4fd3cdecb5b16b2a6309b63

SHA512
fd1acb2f9f36075448e4fb2f53cfb0b843514217aa403a1609c94043ca405129f13064d924ae763c30f47770f9cc233bcb7729cb2fc4af0cffc3794c8fa95a16

Download Submit
\Windows\system\iSNVXVE.exe

Filesize
5.9MB

MD5
966c6fc823c5233aab3d479edb2c1004

SHA1
5427f5939f17a19b221c8fd22d7c49ee4d40a2d7

SHA256
44c9f4161a3c1effc13d41c31b79f3249fc3e7f21f667ed5419d12d7b97a3619

SHA512
0e9a5f77131daba24764a80959cbc05b33f5ef8e80acc4b52683c5ddadb12b9ca16ceb2ca584bfcdf1cc0ed2cb497a0dac85179b47e060bf3d9f76a2569b6c94

Download Submit
\Windows\system\jlLlNEd.exe

Filesize
5.9MB

MD5
ba8ad186dc03d9c552c12096c80bdb0b

SHA1
2d4d283e574287fc8225aca47a4d402d55373f24

SHA256
826ad1643c173d8fe3539499cf1c3d2418a25c4913de64caa7d18e741cb1bf7e

SHA512
9fac51849af4f01c06df48bfd9f073203fdb4028498e3a04f7fde0b5c1a0d05713a26ebea47b6fd27309ab44171631fd463b8de5894e3f3767ad3f3e18de49f9

Download Submit
\Windows\system\tNnzTmb.exe

Filesize
5.9MB

MD5
9d8a317b8dc1eb605818ea744f53f98d

SHA1
50198e3f974a95a75dfbfd89585fc30a13bbec1e

SHA256
07c1b4d86618e5fe23a398f89e36e60e57b637bf9b2c6a44ac788990108651b7

SHA512
cda2631fcd341854c0903feb9dc23b1700f62a525cb859a8aa65c7641c794457f7d5757e65c01e469be3424662f5f480419a3ae8ecf3ab2617c9d3d9800f0165

Download Submit
memory/524-150-0x000000013F430000-0x000000013F784000-memory.dmp

Filesize
3.3MB

Download
memory/524-65-0x000000013F430000-0x000000013F784000-memory.dmp

Filesize
3.3MB

Download
memory/524-134-0x000000013F430000-0x000000013F784000-memory.dmp

Filesize
3.3MB

Download
memory/940-139-0x000000013F0D0000-0x000000013F424000-memory.dmp

Filesize
3.3MB

Download
memory/940-149-0x000000013F0D0000-0x000000013F424000-memory.dmp

Filesize
3.3MB

Download
memory/940-105-0x000000013F0D0000-0x000000013F424000-memory.dmp

Filesize
3.3MB

Download
memory/948-133-0x000000013FFB0000-0x0000000140304000-memory.dmp

Filesize
3.3MB

Download
memory/948-41-0x000000013FFB0000-0x0000000140304000-memory.dmp

Filesize
3.3MB

Download
memory/948-145-0x000000013FFB0000-0x0000000140304000-memory.dmp

Filesize
3.3MB

Download
memory/1116-25-0x000000013F2A0000-0x000000013F5F4000-memory.dmp

Filesize
3.3MB

Download
memory/1116-142-0x000000013F2A0000-0x000000013F5F4000-memory.dmp

Filesize
3.3MB

Download
memory/1152-137-0x000000013FEA0000-0x00000001401F4000-memory.dmp

Filesize
3.3MB

Download
memory/1152-82-0x000000013FEA0000-0x00000001401F4000-memory.dmp

Filesize
3.3MB

Download
memory/1152-147-0x000000013FEA0000-0x00000001401F4000-memory.dmp

Filesize
3.3MB

Download
memory/1532-132-0x000000013F1F0000-0x000000013F544000-memory.dmp

Filesize
3.3MB

Download
memory/1532-144-0x000000013F1F0000-0x000000013F544000-memory.dmp

Filesize
3.3MB

Download
memory/1532-33-0x000000013F1F0000-0x000000013F544000-memory.dmp

Filesize
3.3MB

Download
memory/1568-143-0x000000013FFF0000-0x0000000140344000-memory.dmp

Filesize
3.3MB

Download
memory/1568-31-0x000000013FFF0000-0x0000000140344000-memory.dmp

Filesize
3.3MB

Download
memory/1568-131-0x000000013FFF0000-0x0000000140344000-memory.dmp

Filesize
3.3MB

Download
memory/1740-148-0x000000013F970000-0x000000013FCC4000-memory.dmp

Filesize
3.3MB

Download
memory/1740-138-0x000000013F970000-0x000000013FCC4000-memory.dmp

Filesize
3.3MB

Download
memory/1740-86-0x000000013F970000-0x000000013FCC4000-memory.dmp

Filesize
3.3MB

Download
memory/2028-77-0x000000013F690000-0x000000013F9E4000-memory.dmp

Filesize
3.3MB

Download
memory/2028-146-0x000000013F690000-0x000000013F9E4000-memory.dmp

Filesize
3.3MB

Download
memory/2028-136-0x000000013F690000-0x000000013F9E4000-memory.dmp

Filesize
3.3MB

Download
memory/2040-140-0x000000013FD00000-0x0000000140054000-memory.dmp

Filesize
3.3MB

Download
memory/2040-12-0x000000013FD00000-0x0000000140054000-memory.dmp

Filesize
3.3MB

Download
memory/2200-88-0x000000013F3E0000-0x000000013F734000-memory.dmp

Filesize
3.3MB

Download
memory/2200-1-0x00000000001F0000-0x0000000000200000-memory.dmp

Filesize
64KB

Download
memory/2200-135-0x00000000025F0000-0x0000000002944000-memory.dmp

Filesize
3.3MB

Download
memory/2200-62-0x000000013F9E0000-0x000000013FD34000-memory.dmp

Filesize
3.3MB

Download
memory/2200-15-0x00000000025F0000-0x0000000002944000-memory.dmp

Filesize
3.3MB

Download
memory/2200-0-0x000000013F3E0000-0x000000013F734000-memory.dmp

Filesize
3.3MB

Download
memory/2200-92-0x000000013F970000-0x000000013FCC4000-memory.dmp

Filesize
3.3MB

Download
memory/2200-23-0x00000000025F0000-0x0000000002944000-memory.dmp

Filesize
3.3MB

Download
memory/2200-29-0x00000000025F0000-0x0000000002944000-memory.dmp

Filesize
3.3MB

Download
memory/2200-95-0x000000013F8C0000-0x000000013FC14000-memory.dmp

Filesize
3.3MB

Download
memory/2200-55-0x00000000025F0000-0x0000000002944000-memory.dmp

Filesize
3.3MB

Download
memory/2200-103-0x00000000025F0000-0x0000000002944000-memory.dmp

Filesize
3.3MB

Download
memory/2200-69-0x000000013FD00000-0x0000000140054000-memory.dmp

Filesize
3.3MB

Download
memory/2200-68-0x00000000025F0000-0x0000000002944000-memory.dmp

Filesize
3.3MB

Download
memory/2200-78-0x000000013FEA0000-0x00000001401F4000-memory.dmp

Filesize
3.3MB

Download
memory/2360-106-0x000000013F730000-0x000000013FA84000-memory.dmp

Filesize
3.3MB

Download
memory/2360-141-0x000000013F730000-0x000000013FA84000-memory.dmp

Filesize
3.3MB

Download
memory/2360-14-0x000000013F730000-0x000000013FA84000-memory.dmp

Filesize
3.3MB

Download