cobaltstrike | c1180157a099b216c8986096e87777e4096d77990e8a3ee8d3cc96725c41c534

Analysis

max time kernel
146s
max time network
155s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
06/06/2024, 01:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-06_fc15ab6ace4e054c96296fa2f814a4e1_cobalt-strike_cobaltstrike.exe
Size

5.9MB
MD5

fc15ab6ace4e054c96296fa2f814a4e1
SHA1

0f02631eba63a8000d1b4b5e919e12321fb729a0
SHA256

c1180157a099b216c8986096e87777e4096d77990e8a3ee8d3cc96725c41c534
SHA512

0b84a631f6c4988c5e9907b7b506888f4f86882bf0536d84d8bb00d3482d6147bde4fe54b03a5cf0a5df0c96a2c3e1651bd9f9a114ba7a2fb202cffd163d24cc
SSDEEP

98304:oemTLkNdfE0pZrt56utgpPFotBER/mQ32lUQ:T+856utgpPF8u/7Q

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x000a00000001466c-3.dat	cobalt_reflective_dll
behavioral1/files/0x00080000000155e2-26.dat	cobalt_reflective_dll
behavioral1/files/0x000c000000014ec4-10.dat	cobalt_reflective_dll
behavioral1/files/0x000600000001663d-116.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016476-90.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016283-82.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016042-73.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015eaf-63.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015e6f-52.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015e41-42.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000015a98-34.dat	cobalt_reflective_dll
behavioral1/files/0x00060000000167db-105.dat	cobalt_reflective_dll
behavioral1/files/0x00060000000165ae-97.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016332-88.dat	cobalt_reflective_dll
behavioral1/files/0x000600000001604b-78.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015ec0-71.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015e7c-60.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015e5b-50.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015c2f-49.dat	cobalt_reflective_dll
behavioral1/files/0x000700000001560a-33.dat	cobalt_reflective_dll
behavioral1/files/0x000c000000014fe1-17.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

resource	yara_rule
behavioral1/files/0x000a00000001466c-3.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x00080000000155e2-26.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x000c000000014ec4-10.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x000600000001663d-116.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016476-90.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016283-82.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016042-73.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015eaf-63.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015e6f-52.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015e41-42.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0008000000015a98-34.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x00060000000167db-105.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x00060000000165ae-97.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016332-88.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x000600000001604b-78.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015ec0-71.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015e7c-60.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015e5b-50.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000015c2f-49.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x000700000001560a-33.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x000c000000014fe1-17.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 54 IoCs

resource	yara_rule
behavioral1/memory/2072-0-0x000000013F6C0000-0x000000013FA14000-memory.dmp	UPX
behavioral1/files/0x000a00000001466c-3.dat	UPX
behavioral1/files/0x00080000000155e2-26.dat	UPX
behavioral1/memory/2832-28-0x000000013F5B0000-0x000000013F904000-memory.dmp	UPX
behavioral1/memory/1896-12-0x000000013F8F0000-0x000000013FC44000-memory.dmp	UPX
behavioral1/files/0x000c000000014ec4-10.dat	UPX
behavioral1/memory/2000-20-0x000000013F2B0000-0x000000013F604000-memory.dmp	UPX
behavioral1/files/0x000600000001663d-116.dat	UPX
behavioral1/files/0x0006000000016476-90.dat	UPX
behavioral1/files/0x0006000000016283-82.dat	UPX
behavioral1/files/0x0006000000016042-73.dat	UPX
behavioral1/memory/2504-66-0x000000013F230000-0x000000013F584000-memory.dmp	UPX
behavioral1/files/0x0006000000015eaf-63.dat	UPX
behavioral1/memory/2088-56-0x000000013F510000-0x000000013F864000-memory.dmp	UPX
behavioral1/files/0x0006000000015e6f-52.dat	UPX
behavioral1/files/0x0006000000015e41-42.dat	UPX
behavioral1/files/0x0008000000015a98-34.dat	UPX
behavioral1/files/0x00060000000167db-105.dat	UPX
behavioral1/files/0x00060000000165ae-97.dat	UPX
behavioral1/memory/364-96-0x000000013F1C0000-0x000000013F514000-memory.dmp	UPX
behavioral1/memory/2764-89-0x000000013F040000-0x000000013F394000-memory.dmp	UPX
behavioral1/files/0x0006000000016332-88.dat	UPX
behavioral1/memory/2344-81-0x000000013FCF0000-0x0000000140044000-memory.dmp	UPX
behavioral1/files/0x000600000001604b-78.dat	UPX
behavioral1/memory/2372-72-0x000000013F830000-0x000000013FB84000-memory.dmp	UPX
behavioral1/files/0x0006000000015ec0-71.dat	UPX
behavioral1/files/0x0006000000015e7c-60.dat	UPX
behavioral1/files/0x0006000000015e5b-50.dat	UPX
behavioral1/files/0x0007000000015c2f-49.dat	UPX
behavioral1/memory/2456-48-0x000000013FF30000-0x0000000140284000-memory.dmp	UPX
behavioral1/files/0x000700000001560a-33.dat	UPX
behavioral1/memory/2072-133-0x000000013F6C0000-0x000000013FA14000-memory.dmp	UPX
behavioral1/memory/2116-134-0x000000013F100000-0x000000013F454000-memory.dmp	UPX
behavioral1/memory/2116-18-0x000000013F100000-0x000000013F454000-memory.dmp	UPX
behavioral1/files/0x000c000000014fe1-17.dat	UPX
behavioral1/memory/2000-135-0x000000013F2B0000-0x000000013F604000-memory.dmp	UPX
behavioral1/memory/2832-137-0x000000013F5B0000-0x000000013F904000-memory.dmp	UPX
behavioral1/memory/2088-138-0x000000013F510000-0x000000013F864000-memory.dmp	UPX
behavioral1/memory/2372-139-0x000000013F830000-0x000000013FB84000-memory.dmp	UPX
behavioral1/memory/2504-140-0x000000013F230000-0x000000013F584000-memory.dmp	UPX
behavioral1/memory/364-142-0x000000013F1C0000-0x000000013F514000-memory.dmp	UPX
behavioral1/memory/2764-141-0x000000013F040000-0x000000013F394000-memory.dmp	UPX
behavioral1/memory/2344-143-0x000000013FCF0000-0x0000000140044000-memory.dmp	UPX
behavioral1/memory/1896-144-0x000000013F8F0000-0x000000013FC44000-memory.dmp	UPX
behavioral1/memory/2116-145-0x000000013F100000-0x000000013F454000-memory.dmp	UPX
behavioral1/memory/2000-146-0x000000013F2B0000-0x000000013F604000-memory.dmp	UPX
behavioral1/memory/2832-147-0x000000013F5B0000-0x000000013F904000-memory.dmp	UPX
behavioral1/memory/2456-148-0x000000013FF30000-0x0000000140284000-memory.dmp	UPX
behavioral1/memory/2372-150-0x000000013F830000-0x000000013FB84000-memory.dmp	UPX
behavioral1/memory/2764-152-0x000000013F040000-0x000000013F394000-memory.dmp	UPX
behavioral1/memory/364-153-0x000000013F1C0000-0x000000013F514000-memory.dmp	UPX
behavioral1/memory/2344-151-0x000000013FCF0000-0x0000000140044000-memory.dmp	UPX
behavioral1/memory/2088-149-0x000000013F510000-0x000000013F864000-memory.dmp	UPX
behavioral1/memory/2504-154-0x000000013F230000-0x000000013F584000-memory.dmp	UPX

XMRig Miner payload 55 IoCs

miner

resource	yara_rule
behavioral1/memory/2072-0-0x000000013F6C0000-0x000000013FA14000-memory.dmp	xmrig
behavioral1/files/0x000a00000001466c-3.dat	xmrig
behavioral1/files/0x00080000000155e2-26.dat	xmrig
behavioral1/memory/2832-28-0x000000013F5B0000-0x000000013F904000-memory.dmp	xmrig
behavioral1/memory/1896-12-0x000000013F8F0000-0x000000013FC44000-memory.dmp	xmrig
behavioral1/files/0x000c000000014ec4-10.dat	xmrig
behavioral1/memory/2000-20-0x000000013F2B0000-0x000000013F604000-memory.dmp	xmrig
behavioral1/files/0x000600000001663d-116.dat	xmrig
behavioral1/files/0x0006000000016476-90.dat	xmrig
behavioral1/files/0x0006000000016283-82.dat	xmrig
behavioral1/files/0x0006000000016042-73.dat	xmrig
behavioral1/memory/2504-66-0x000000013F230000-0x000000013F584000-memory.dmp	xmrig
behavioral1/files/0x0006000000015eaf-63.dat	xmrig
behavioral1/memory/2088-56-0x000000013F510000-0x000000013F864000-memory.dmp	xmrig
behavioral1/files/0x0006000000015e6f-52.dat	xmrig
behavioral1/files/0x0006000000015e41-42.dat	xmrig
behavioral1/files/0x0008000000015a98-34.dat	xmrig
behavioral1/files/0x00060000000167db-105.dat	xmrig
behavioral1/files/0x00060000000165ae-97.dat	xmrig
behavioral1/memory/364-96-0x000000013F1C0000-0x000000013F514000-memory.dmp	xmrig
behavioral1/memory/2764-89-0x000000013F040000-0x000000013F394000-memory.dmp	xmrig
behavioral1/files/0x0006000000016332-88.dat	xmrig
behavioral1/memory/2344-81-0x000000013FCF0000-0x0000000140044000-memory.dmp	xmrig
behavioral1/files/0x000600000001604b-78.dat	xmrig
behavioral1/memory/2372-72-0x000000013F830000-0x000000013FB84000-memory.dmp	xmrig
behavioral1/files/0x0006000000015ec0-71.dat	xmrig
behavioral1/memory/2072-70-0x000000013FCE0000-0x0000000140034000-memory.dmp	xmrig
behavioral1/files/0x0006000000015e7c-60.dat	xmrig
behavioral1/files/0x0006000000015e5b-50.dat	xmrig
behavioral1/files/0x0007000000015c2f-49.dat	xmrig
behavioral1/memory/2456-48-0x000000013FF30000-0x0000000140284000-memory.dmp	xmrig
behavioral1/files/0x000700000001560a-33.dat	xmrig
behavioral1/memory/2072-133-0x000000013F6C0000-0x000000013FA14000-memory.dmp	xmrig
behavioral1/memory/2116-134-0x000000013F100000-0x000000013F454000-memory.dmp	xmrig
behavioral1/memory/2116-18-0x000000013F100000-0x000000013F454000-memory.dmp	xmrig
behavioral1/files/0x000c000000014fe1-17.dat	xmrig
behavioral1/memory/2000-135-0x000000013F2B0000-0x000000013F604000-memory.dmp	xmrig
behavioral1/memory/2832-137-0x000000013F5B0000-0x000000013F904000-memory.dmp	xmrig
behavioral1/memory/2088-138-0x000000013F510000-0x000000013F864000-memory.dmp	xmrig
behavioral1/memory/2372-139-0x000000013F830000-0x000000013FB84000-memory.dmp	xmrig
behavioral1/memory/2504-140-0x000000013F230000-0x000000013F584000-memory.dmp	xmrig
behavioral1/memory/364-142-0x000000013F1C0000-0x000000013F514000-memory.dmp	xmrig
behavioral1/memory/2764-141-0x000000013F040000-0x000000013F394000-memory.dmp	xmrig
behavioral1/memory/2344-143-0x000000013FCF0000-0x0000000140044000-memory.dmp	xmrig
behavioral1/memory/1896-144-0x000000013F8F0000-0x000000013FC44000-memory.dmp	xmrig
behavioral1/memory/2116-145-0x000000013F100000-0x000000013F454000-memory.dmp	xmrig
behavioral1/memory/2000-146-0x000000013F2B0000-0x000000013F604000-memory.dmp	xmrig
behavioral1/memory/2832-147-0x000000013F5B0000-0x000000013F904000-memory.dmp	xmrig
behavioral1/memory/2456-148-0x000000013FF30000-0x0000000140284000-memory.dmp	xmrig
behavioral1/memory/2372-150-0x000000013F830000-0x000000013FB84000-memory.dmp	xmrig
behavioral1/memory/2764-152-0x000000013F040000-0x000000013F394000-memory.dmp	xmrig
behavioral1/memory/364-153-0x000000013F1C0000-0x000000013F514000-memory.dmp	xmrig
behavioral1/memory/2344-151-0x000000013FCF0000-0x0000000140044000-memory.dmp	xmrig
behavioral1/memory/2088-149-0x000000013F510000-0x000000013F864000-memory.dmp	xmrig
behavioral1/memory/2504-154-0x000000013F230000-0x000000013F584000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
1896	dnrXHlM.exe
2116	oquXnGD.exe
2000	LCvDlZY.exe
2832	uUkXdJi.exe
2456	GkQGYnA.exe
2504	kuUVRhp.exe
2088	uuGLKwW.exe
2372	zZDFgnt.exe
2344	TAfBwjJ.exe
2764	WZocqjM.exe
364	ixFQUBu.exe
1480	AturJpk.exe
2232	OBQwlVo.exe
2592	uNBiqPS.exe
2548	rOWDkGy.exe
2544	YRFXyDa.exe
1156	uOLsMMO.exe
2424	Kjpndym.exe
2084	HchltEG.exe
1488	GOsbyZi.exe
1884	DlerGzN.exe

Loads dropped DLL 21 IoCs

pid	Process
2072	2024-06-06_fc15ab6ace4e054c96296fa2f814a4e1_cobalt-strike_cobaltstrike.exe
2072	2024-06-06_fc15ab6ace4e054c96296fa2f814a4e1_cobalt-strike_cobaltstrike.exe
2072	2024-06-06_fc15ab6ace4e054c96296fa2f814a4e1_cobalt-strike_cobaltstrike.exe
2072	2024-06-06_fc15ab6ace4e054c96296fa2f814a4e1_cobalt-strike_cobaltstrike.exe
2072	2024-06-06_fc15ab6ace4e054c96296fa2f814a4e1_cobalt-strike_cobaltstrike.exe
2072	2024-06-06_fc15ab6ace4e054c96296fa2f814a4e1_cobalt-strike_cobaltstrike.exe
2072	2024-06-06_fc15ab6ace4e054c96296fa2f814a4e1_cobalt-strike_cobaltstrike.exe
2072	2024-06-06_fc15ab6ace4e054c96296fa2f814a4e1_cobalt-strike_cobaltstrike.exe
2072	2024-06-06_fc15ab6ace4e054c96296fa2f814a4e1_cobalt-strike_cobaltstrike.exe
2072	2024-06-06_fc15ab6ace4e054c96296fa2f814a4e1_cobalt-strike_cobaltstrike.exe
2072	2024-06-06_fc15ab6ace4e054c96296fa2f814a4e1_cobalt-strike_cobaltstrike.exe
2072	2024-06-06_fc15ab6ace4e054c96296fa2f814a4e1_cobalt-strike_cobaltstrike.exe
2072	2024-06-06_fc15ab6ace4e054c96296fa2f814a4e1_cobalt-strike_cobaltstrike.exe
2072	2024-06-06_fc15ab6ace4e054c96296fa2f814a4e1_cobalt-strike_cobaltstrike.exe
2072	2024-06-06_fc15ab6ace4e054c96296fa2f814a4e1_cobalt-strike_cobaltstrike.exe
2072	2024-06-06_fc15ab6ace4e054c96296fa2f814a4e1_cobalt-strike_cobaltstrike.exe
2072	2024-06-06_fc15ab6ace4e054c96296fa2f814a4e1_cobalt-strike_cobaltstrike.exe
2072	2024-06-06_fc15ab6ace4e054c96296fa2f814a4e1_cobalt-strike_cobaltstrike.exe
2072	2024-06-06_fc15ab6ace4e054c96296fa2f814a4e1_cobalt-strike_cobaltstrike.exe
2072	2024-06-06_fc15ab6ace4e054c96296fa2f814a4e1_cobalt-strike_cobaltstrike.exe
2072	2024-06-06_fc15ab6ace4e054c96296fa2f814a4e1_cobalt-strike_cobaltstrike.exe

UPX packed file 54 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2072-0-0x000000013F6C0000-0x000000013FA14000-memory.dmp	upx
behavioral1/files/0x000a00000001466c-3.dat	upx
behavioral1/files/0x00080000000155e2-26.dat	upx
behavioral1/memory/2832-28-0x000000013F5B0000-0x000000013F904000-memory.dmp	upx
behavioral1/memory/1896-12-0x000000013F8F0000-0x000000013FC44000-memory.dmp	upx
behavioral1/files/0x000c000000014ec4-10.dat	upx
behavioral1/memory/2000-20-0x000000013F2B0000-0x000000013F604000-memory.dmp	upx
behavioral1/files/0x000600000001663d-116.dat	upx
behavioral1/files/0x0006000000016476-90.dat	upx
behavioral1/files/0x0006000000016283-82.dat	upx
behavioral1/files/0x0006000000016042-73.dat	upx
behavioral1/memory/2504-66-0x000000013F230000-0x000000013F584000-memory.dmp	upx
behavioral1/files/0x0006000000015eaf-63.dat	upx
behavioral1/memory/2088-56-0x000000013F510000-0x000000013F864000-memory.dmp	upx
behavioral1/files/0x0006000000015e6f-52.dat	upx
behavioral1/files/0x0006000000015e41-42.dat	upx
behavioral1/files/0x0008000000015a98-34.dat	upx
behavioral1/files/0x00060000000167db-105.dat	upx
behavioral1/files/0x00060000000165ae-97.dat	upx
behavioral1/memory/364-96-0x000000013F1C0000-0x000000013F514000-memory.dmp	upx
behavioral1/memory/2764-89-0x000000013F040000-0x000000013F394000-memory.dmp	upx
behavioral1/files/0x0006000000016332-88.dat	upx
behavioral1/memory/2344-81-0x000000013FCF0000-0x0000000140044000-memory.dmp	upx
behavioral1/files/0x000600000001604b-78.dat	upx
behavioral1/memory/2372-72-0x000000013F830000-0x000000013FB84000-memory.dmp	upx
behavioral1/files/0x0006000000015ec0-71.dat	upx
behavioral1/files/0x0006000000015e7c-60.dat	upx
behavioral1/files/0x0006000000015e5b-50.dat	upx
behavioral1/files/0x0007000000015c2f-49.dat	upx
behavioral1/memory/2456-48-0x000000013FF30000-0x0000000140284000-memory.dmp	upx
behavioral1/files/0x000700000001560a-33.dat	upx
behavioral1/memory/2072-133-0x000000013F6C0000-0x000000013FA14000-memory.dmp	upx
behavioral1/memory/2116-134-0x000000013F100000-0x000000013F454000-memory.dmp	upx
behavioral1/memory/2116-18-0x000000013F100000-0x000000013F454000-memory.dmp	upx
behavioral1/files/0x000c000000014fe1-17.dat	upx
behavioral1/memory/2000-135-0x000000013F2B0000-0x000000013F604000-memory.dmp	upx
behavioral1/memory/2832-137-0x000000013F5B0000-0x000000013F904000-memory.dmp	upx
behavioral1/memory/2088-138-0x000000013F510000-0x000000013F864000-memory.dmp	upx
behavioral1/memory/2372-139-0x000000013F830000-0x000000013FB84000-memory.dmp	upx
behavioral1/memory/2504-140-0x000000013F230000-0x000000013F584000-memory.dmp	upx
behavioral1/memory/364-142-0x000000013F1C0000-0x000000013F514000-memory.dmp	upx
behavioral1/memory/2764-141-0x000000013F040000-0x000000013F394000-memory.dmp	upx
behavioral1/memory/2344-143-0x000000013FCF0000-0x0000000140044000-memory.dmp	upx
behavioral1/memory/1896-144-0x000000013F8F0000-0x000000013FC44000-memory.dmp	upx
behavioral1/memory/2116-145-0x000000013F100000-0x000000013F454000-memory.dmp	upx
behavioral1/memory/2000-146-0x000000013F2B0000-0x000000013F604000-memory.dmp	upx
behavioral1/memory/2832-147-0x000000013F5B0000-0x000000013F904000-memory.dmp	upx
behavioral1/memory/2456-148-0x000000013FF30000-0x0000000140284000-memory.dmp	upx
behavioral1/memory/2372-150-0x000000013F830000-0x000000013FB84000-memory.dmp	upx
behavioral1/memory/2764-152-0x000000013F040000-0x000000013F394000-memory.dmp	upx
behavioral1/memory/364-153-0x000000013F1C0000-0x000000013F514000-memory.dmp	upx
behavioral1/memory/2344-151-0x000000013FCF0000-0x0000000140044000-memory.dmp	upx
behavioral1/memory/2088-149-0x000000013F510000-0x000000013F864000-memory.dmp	upx
behavioral1/memory/2504-154-0x000000013F230000-0x000000013F584000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\LCvDlZY.exe	2024-06-06_fc15ab6ace4e054c96296fa2f814a4e1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\Kjpndym.exe	2024-06-06_fc15ab6ace4e054c96296fa2f814a4e1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\WZocqjM.exe	2024-06-06_fc15ab6ace4e054c96296fa2f814a4e1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\GOsbyZi.exe	2024-06-06_fc15ab6ace4e054c96296fa2f814a4e1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\dnrXHlM.exe	2024-06-06_fc15ab6ace4e054c96296fa2f814a4e1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\oquXnGD.exe	2024-06-06_fc15ab6ace4e054c96296fa2f814a4e1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\uNBiqPS.exe	2024-06-06_fc15ab6ace4e054c96296fa2f814a4e1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\kuUVRhp.exe	2024-06-06_fc15ab6ace4e054c96296fa2f814a4e1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\YRFXyDa.exe	2024-06-06_fc15ab6ace4e054c96296fa2f814a4e1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\uOLsMMO.exe	2024-06-06_fc15ab6ace4e054c96296fa2f814a4e1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\TAfBwjJ.exe	2024-06-06_fc15ab6ace4e054c96296fa2f814a4e1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\uuGLKwW.exe	2024-06-06_fc15ab6ace4e054c96296fa2f814a4e1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\zZDFgnt.exe	2024-06-06_fc15ab6ace4e054c96296fa2f814a4e1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\HchltEG.exe	2024-06-06_fc15ab6ace4e054c96296fa2f814a4e1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ixFQUBu.exe	2024-06-06_fc15ab6ace4e054c96296fa2f814a4e1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\AturJpk.exe	2024-06-06_fc15ab6ace4e054c96296fa2f814a4e1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\OBQwlVo.exe	2024-06-06_fc15ab6ace4e054c96296fa2f814a4e1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\uUkXdJi.exe	2024-06-06_fc15ab6ace4e054c96296fa2f814a4e1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\GkQGYnA.exe	2024-06-06_fc15ab6ace4e054c96296fa2f814a4e1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\rOWDkGy.exe	2024-06-06_fc15ab6ace4e054c96296fa2f814a4e1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\DlerGzN.exe	2024-06-06_fc15ab6ace4e054c96296fa2f814a4e1_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2072	2024-06-06_fc15ab6ace4e054c96296fa2f814a4e1_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	2072	2024-06-06_fc15ab6ace4e054c96296fa2f814a4e1_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2072 wrote to memory of 1896	2072	2024-06-06_fc15ab6ace4e054c96296fa2f814a4e1_cobalt-strike_cobaltstrike.exe	29
PID 2072 wrote to memory of 1896	2072	2024-06-06_fc15ab6ace4e054c96296fa2f814a4e1_cobalt-strike_cobaltstrike.exe	29
PID 2072 wrote to memory of 1896	2072	2024-06-06_fc15ab6ace4e054c96296fa2f814a4e1_cobalt-strike_cobaltstrike.exe	29
PID 2072 wrote to memory of 2116	2072	2024-06-06_fc15ab6ace4e054c96296fa2f814a4e1_cobalt-strike_cobaltstrike.exe	30
PID 2072 wrote to memory of 2116	2072	2024-06-06_fc15ab6ace4e054c96296fa2f814a4e1_cobalt-strike_cobaltstrike.exe	30
PID 2072 wrote to memory of 2116	2072	2024-06-06_fc15ab6ace4e054c96296fa2f814a4e1_cobalt-strike_cobaltstrike.exe	30
PID 2072 wrote to memory of 2000	2072	2024-06-06_fc15ab6ace4e054c96296fa2f814a4e1_cobalt-strike_cobaltstrike.exe	31
PID 2072 wrote to memory of 2000	2072	2024-06-06_fc15ab6ace4e054c96296fa2f814a4e1_cobalt-strike_cobaltstrike.exe	31
PID 2072 wrote to memory of 2000	2072	2024-06-06_fc15ab6ace4e054c96296fa2f814a4e1_cobalt-strike_cobaltstrike.exe	31
PID 2072 wrote to memory of 2832	2072	2024-06-06_fc15ab6ace4e054c96296fa2f814a4e1_cobalt-strike_cobaltstrike.exe	32
PID 2072 wrote to memory of 2832	2072	2024-06-06_fc15ab6ace4e054c96296fa2f814a4e1_cobalt-strike_cobaltstrike.exe	32
PID 2072 wrote to memory of 2832	2072	2024-06-06_fc15ab6ace4e054c96296fa2f814a4e1_cobalt-strike_cobaltstrike.exe	32
PID 2072 wrote to memory of 2456	2072	2024-06-06_fc15ab6ace4e054c96296fa2f814a4e1_cobalt-strike_cobaltstrike.exe	33
PID 2072 wrote to memory of 2456	2072	2024-06-06_fc15ab6ace4e054c96296fa2f814a4e1_cobalt-strike_cobaltstrike.exe	33
PID 2072 wrote to memory of 2456	2072	2024-06-06_fc15ab6ace4e054c96296fa2f814a4e1_cobalt-strike_cobaltstrike.exe	33
PID 2072 wrote to memory of 2592	2072	2024-06-06_fc15ab6ace4e054c96296fa2f814a4e1_cobalt-strike_cobaltstrike.exe	34
PID 2072 wrote to memory of 2592	2072	2024-06-06_fc15ab6ace4e054c96296fa2f814a4e1_cobalt-strike_cobaltstrike.exe	34
PID 2072 wrote to memory of 2592	2072	2024-06-06_fc15ab6ace4e054c96296fa2f814a4e1_cobalt-strike_cobaltstrike.exe	34
PID 2072 wrote to memory of 2504	2072	2024-06-06_fc15ab6ace4e054c96296fa2f814a4e1_cobalt-strike_cobaltstrike.exe	35
PID 2072 wrote to memory of 2504	2072	2024-06-06_fc15ab6ace4e054c96296fa2f814a4e1_cobalt-strike_cobaltstrike.exe	35
PID 2072 wrote to memory of 2504	2072	2024-06-06_fc15ab6ace4e054c96296fa2f814a4e1_cobalt-strike_cobaltstrike.exe	35
PID 2072 wrote to memory of 2548	2072	2024-06-06_fc15ab6ace4e054c96296fa2f814a4e1_cobalt-strike_cobaltstrike.exe	36
PID 2072 wrote to memory of 2548	2072	2024-06-06_fc15ab6ace4e054c96296fa2f814a4e1_cobalt-strike_cobaltstrike.exe	36
PID 2072 wrote to memory of 2548	2072	2024-06-06_fc15ab6ace4e054c96296fa2f814a4e1_cobalt-strike_cobaltstrike.exe	36
PID 2072 wrote to memory of 2088	2072	2024-06-06_fc15ab6ace4e054c96296fa2f814a4e1_cobalt-strike_cobaltstrike.exe	37
PID 2072 wrote to memory of 2088	2072	2024-06-06_fc15ab6ace4e054c96296fa2f814a4e1_cobalt-strike_cobaltstrike.exe	37
PID 2072 wrote to memory of 2088	2072	2024-06-06_fc15ab6ace4e054c96296fa2f814a4e1_cobalt-strike_cobaltstrike.exe	37
PID 2072 wrote to memory of 2544	2072	2024-06-06_fc15ab6ace4e054c96296fa2f814a4e1_cobalt-strike_cobaltstrike.exe	38
PID 2072 wrote to memory of 2544	2072	2024-06-06_fc15ab6ace4e054c96296fa2f814a4e1_cobalt-strike_cobaltstrike.exe	38
PID 2072 wrote to memory of 2544	2072	2024-06-06_fc15ab6ace4e054c96296fa2f814a4e1_cobalt-strike_cobaltstrike.exe	38
PID 2072 wrote to memory of 2372	2072	2024-06-06_fc15ab6ace4e054c96296fa2f814a4e1_cobalt-strike_cobaltstrike.exe	39
PID 2072 wrote to memory of 2372	2072	2024-06-06_fc15ab6ace4e054c96296fa2f814a4e1_cobalt-strike_cobaltstrike.exe	39
PID 2072 wrote to memory of 2372	2072	2024-06-06_fc15ab6ace4e054c96296fa2f814a4e1_cobalt-strike_cobaltstrike.exe	39
PID 2072 wrote to memory of 1156	2072	2024-06-06_fc15ab6ace4e054c96296fa2f814a4e1_cobalt-strike_cobaltstrike.exe	40
PID 2072 wrote to memory of 1156	2072	2024-06-06_fc15ab6ace4e054c96296fa2f814a4e1_cobalt-strike_cobaltstrike.exe	40
PID 2072 wrote to memory of 1156	2072	2024-06-06_fc15ab6ace4e054c96296fa2f814a4e1_cobalt-strike_cobaltstrike.exe	40
PID 2072 wrote to memory of 2344	2072	2024-06-06_fc15ab6ace4e054c96296fa2f814a4e1_cobalt-strike_cobaltstrike.exe	41
PID 2072 wrote to memory of 2344	2072	2024-06-06_fc15ab6ace4e054c96296fa2f814a4e1_cobalt-strike_cobaltstrike.exe	41
PID 2072 wrote to memory of 2344	2072	2024-06-06_fc15ab6ace4e054c96296fa2f814a4e1_cobalt-strike_cobaltstrike.exe	41
PID 2072 wrote to memory of 2424	2072	2024-06-06_fc15ab6ace4e054c96296fa2f814a4e1_cobalt-strike_cobaltstrike.exe	42
PID 2072 wrote to memory of 2424	2072	2024-06-06_fc15ab6ace4e054c96296fa2f814a4e1_cobalt-strike_cobaltstrike.exe	42
PID 2072 wrote to memory of 2424	2072	2024-06-06_fc15ab6ace4e054c96296fa2f814a4e1_cobalt-strike_cobaltstrike.exe	42
PID 2072 wrote to memory of 2764	2072	2024-06-06_fc15ab6ace4e054c96296fa2f814a4e1_cobalt-strike_cobaltstrike.exe	43
PID 2072 wrote to memory of 2764	2072	2024-06-06_fc15ab6ace4e054c96296fa2f814a4e1_cobalt-strike_cobaltstrike.exe	43
PID 2072 wrote to memory of 2764	2072	2024-06-06_fc15ab6ace4e054c96296fa2f814a4e1_cobalt-strike_cobaltstrike.exe	43
PID 2072 wrote to memory of 2084	2072	2024-06-06_fc15ab6ace4e054c96296fa2f814a4e1_cobalt-strike_cobaltstrike.exe	44
PID 2072 wrote to memory of 2084	2072	2024-06-06_fc15ab6ace4e054c96296fa2f814a4e1_cobalt-strike_cobaltstrike.exe	44
PID 2072 wrote to memory of 2084	2072	2024-06-06_fc15ab6ace4e054c96296fa2f814a4e1_cobalt-strike_cobaltstrike.exe	44
PID 2072 wrote to memory of 364	2072	2024-06-06_fc15ab6ace4e054c96296fa2f814a4e1_cobalt-strike_cobaltstrike.exe	45
PID 2072 wrote to memory of 364	2072	2024-06-06_fc15ab6ace4e054c96296fa2f814a4e1_cobalt-strike_cobaltstrike.exe	45
PID 2072 wrote to memory of 364	2072	2024-06-06_fc15ab6ace4e054c96296fa2f814a4e1_cobalt-strike_cobaltstrike.exe	45
PID 2072 wrote to memory of 1488	2072	2024-06-06_fc15ab6ace4e054c96296fa2f814a4e1_cobalt-strike_cobaltstrike.exe	46
PID 2072 wrote to memory of 1488	2072	2024-06-06_fc15ab6ace4e054c96296fa2f814a4e1_cobalt-strike_cobaltstrike.exe	46
PID 2072 wrote to memory of 1488	2072	2024-06-06_fc15ab6ace4e054c96296fa2f814a4e1_cobalt-strike_cobaltstrike.exe	46
PID 2072 wrote to memory of 1480	2072	2024-06-06_fc15ab6ace4e054c96296fa2f814a4e1_cobalt-strike_cobaltstrike.exe	47
PID 2072 wrote to memory of 1480	2072	2024-06-06_fc15ab6ace4e054c96296fa2f814a4e1_cobalt-strike_cobaltstrike.exe	47
PID 2072 wrote to memory of 1480	2072	2024-06-06_fc15ab6ace4e054c96296fa2f814a4e1_cobalt-strike_cobaltstrike.exe	47
PID 2072 wrote to memory of 1884	2072	2024-06-06_fc15ab6ace4e054c96296fa2f814a4e1_cobalt-strike_cobaltstrike.exe	48
PID 2072 wrote to memory of 1884	2072	2024-06-06_fc15ab6ace4e054c96296fa2f814a4e1_cobalt-strike_cobaltstrike.exe	48
PID 2072 wrote to memory of 1884	2072	2024-06-06_fc15ab6ace4e054c96296fa2f814a4e1_cobalt-strike_cobaltstrike.exe	48
PID 2072 wrote to memory of 2232	2072	2024-06-06_fc15ab6ace4e054c96296fa2f814a4e1_cobalt-strike_cobaltstrike.exe	49
PID 2072 wrote to memory of 2232	2072	2024-06-06_fc15ab6ace4e054c96296fa2f814a4e1_cobalt-strike_cobaltstrike.exe	49
PID 2072 wrote to memory of 2232	2072	2024-06-06_fc15ab6ace4e054c96296fa2f814a4e1_cobalt-strike_cobaltstrike.exe	49

C:\Users\Admin\AppData\Local\Temp\2024-06-06_fc15ab6ace4e054c96296fa2f814a4e1_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-06_fc15ab6ace4e054c96296fa2f814a4e1_cobalt-strike_cobaltstrike.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2072
- C:\Windows\System\dnrXHlM.exe
  C:\Windows\System\dnrXHlM.exe
  2⤵
  - Executes dropped EXE
  PID:1896
- C:\Windows\System\oquXnGD.exe
  C:\Windows\System\oquXnGD.exe
  2⤵
  - Executes dropped EXE
  PID:2116
- C:\Windows\System\LCvDlZY.exe
  C:\Windows\System\LCvDlZY.exe
  2⤵
  - Executes dropped EXE
  PID:2000
- C:\Windows\System\uUkXdJi.exe
  C:\Windows\System\uUkXdJi.exe
  2⤵
  - Executes dropped EXE
  PID:2832
- C:\Windows\System\GkQGYnA.exe
  C:\Windows\System\GkQGYnA.exe
  2⤵
  - Executes dropped EXE
  PID:2456
- C:\Windows\System\uNBiqPS.exe
  C:\Windows\System\uNBiqPS.exe
  2⤵
  - Executes dropped EXE
  PID:2592
- C:\Windows\System\kuUVRhp.exe
  C:\Windows\System\kuUVRhp.exe
  2⤵
  - Executes dropped EXE
  PID:2504
- C:\Windows\System\rOWDkGy.exe
  C:\Windows\System\rOWDkGy.exe
  2⤵
  - Executes dropped EXE
  PID:2548
- C:\Windows\System\uuGLKwW.exe
  C:\Windows\System\uuGLKwW.exe
  2⤵
  - Executes dropped EXE
  PID:2088
- C:\Windows\System\YRFXyDa.exe
  C:\Windows\System\YRFXyDa.exe
  2⤵
  - Executes dropped EXE
  PID:2544
- C:\Windows\System\zZDFgnt.exe
  C:\Windows\System\zZDFgnt.exe
  2⤵
  - Executes dropped EXE
  PID:2372
- C:\Windows\System\uOLsMMO.exe
  C:\Windows\System\uOLsMMO.exe
  2⤵
  - Executes dropped EXE
  PID:1156
- C:\Windows\System\TAfBwjJ.exe
  C:\Windows\System\TAfBwjJ.exe
  2⤵
  - Executes dropped EXE
  PID:2344
- C:\Windows\System\Kjpndym.exe
  C:\Windows\System\Kjpndym.exe
  2⤵
  - Executes dropped EXE
  PID:2424
- C:\Windows\System\WZocqjM.exe
  C:\Windows\System\WZocqjM.exe
  2⤵
  - Executes dropped EXE
  PID:2764
- C:\Windows\System\HchltEG.exe
  C:\Windows\System\HchltEG.exe
  2⤵
  - Executes dropped EXE
  PID:2084
- C:\Windows\System\ixFQUBu.exe
  C:\Windows\System\ixFQUBu.exe
  2⤵
  - Executes dropped EXE
  PID:364
- C:\Windows\System\GOsbyZi.exe
  C:\Windows\System\GOsbyZi.exe
  2⤵
  - Executes dropped EXE
  PID:1488
- C:\Windows\System\AturJpk.exe
  C:\Windows\System\AturJpk.exe
  2⤵
  - Executes dropped EXE
  PID:1480
- C:\Windows\System\DlerGzN.exe
  C:\Windows\System\DlerGzN.exe
  2⤵
  - Executes dropped EXE
  PID:1884
- C:\Windows\System\OBQwlVo.exe
  C:\Windows\System\OBQwlVo.exe
  2⤵
  - Executes dropped EXE
  PID:2232

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\AturJpk.exe

Filesize
5.9MB

MD5
0bfa8d7e5a6904774041e6ca3c3f5e4f

SHA1
ec1a2434463155e1e0e529ad3a96f3983f875d2b

SHA256
f0e2349364f7faa70b63525ac8e3068ca62436a050d78d8785da68987e66b4f4

SHA512
8f2359f6aeac468803bf33363a0ba8747b9677ed4bd4b577c40b2beea790a4e2aa2a16496c0478bc22e62e784fc01c2f34d44d1678388f5ff27c680a200ef1f9

Download Submit
C:\Windows\system\DlerGzN.exe

Filesize
5.9MB

MD5
fb6f395f5fa0cb64b1f05eafd5fde79d

SHA1
3d8676559e9f2a143756218d34f80e29a8b5866c

SHA256
3cf9dd846c1da99e435dbd6be036912e9f446c7f62a01230d1c3d1dff28527f6

SHA512
748a5bf8a9cca9adefcd9549a004132ea1e2eed28b2731783739e2eee4c92cd9878d2f90375b72cbe64387a5b39a67b33834886dd65e91bc158b1a1013c39770

Download Submit
C:\Windows\system\GkQGYnA.exe

Filesize
5.9MB

MD5
e6d15d371b239e80f94d04a2099af628

SHA1
ba8edc2adfb6721f006962ebe49995563aa60a6b

SHA256
346c54100519dabdf6024b6caa35c743150737f17bcf24683e6c872d0b2846dc

SHA512
1e869612bc161f59d4527fbeb777cf58caff350582172b64e651c55cc9663b392b725e924155d1d8a245b90a1b10b5b166482f9839ef74f821487cbd4cdc6aae

Download Submit
C:\Windows\system\LCvDlZY.exe

Filesize
5.9MB

MD5
631ce5d8cbe1676649d0f875881c7fd2

SHA1
4df27b86314da2872b8b742c47f4bfee8f3f3cd2

SHA256
023213e4293b5a58aed2b3b494fbc3585b2ad9df75ef7a00c30d4b6a3e319e49

SHA512
06b77e35c22cf1098fb6ee7c96b0abcbec5fb9619c29428c83e294298b32a394232cb0cc36a9b81d9c2c718cfa9b821bb529afa1f383fee443f0a3a4420a01be

Download Submit
C:\Windows\system\OBQwlVo.exe

Filesize
5.9MB

MD5
410ebb6ed7a8ae631e47da5b52df6089

SHA1
d0e60f103cad2a62a3ef6e758e0d727f277aa01a

SHA256
ff6777d6843998fd17f8539ea0a59f882c6c42b898401b3f59d1dd94c02487e0

SHA512
31c28df30b06c50ea890a901dd65f07b62d9566e6822fd53b1fadfb6dd4647d291605a39fa5dc6696eefb2b377d2ed465c83efa20306c795c09eb0b637dcbea4

Download Submit
C:\Windows\system\TAfBwjJ.exe

Filesize
5.9MB

MD5
1fef4654bde1782448ad383e8ab71788

SHA1
6e6272074793b79a6483b365cb1702845527f3e0

SHA256
310a4cac49ee5f324556eed963b3bb624d39fff7a7b1f181c572db0356fdfff5

SHA512
4f911a3a926f69c251e1a07c819806bc60bb37201197605a04f22ba226732160ab23756f7adfa70ab951b9d9a473374ee0e97077bf1221f25d1f013e3777b6fa

Download Submit
C:\Windows\system\WZocqjM.exe

Filesize
5.9MB

MD5
8cab518aba472be173af5d89d4c0b4bd

SHA1
f49267c7c326a892001043aa026ef1790cb6ea6d

SHA256
e478fe7e0c8c8e6bcb019daf51c3c7e564e9b6b4352343b2839f211797ceb627

SHA512
c5bf0dab10b9aa70b739e3aae117af8dd920504c2a283f0a75b9be4b4d62f0e6ca924bec9b8e68ac905c51236baa7dc2ad093b17169951f812d49aab44715679

Download Submit
C:\Windows\system\ixFQUBu.exe

Filesize
5.9MB

MD5
2505b7c0fbda446c62fcd8f86ec79503

SHA1
178576ecfff3819bbaf328ce218f05829807b38f

SHA256
18e2055e904c1db07a81ed676cf9eda2c9dad949439fdfeac9c6ada05ddf9c08

SHA512
cc1d5b966aa15d28be7636a07fef5acdc73a16a98522833b16ae083751d60c3d21ff7a2d8c382f88eec8cd3879568600563d41a96b0ab49a456c8ce3ccd9d83f

Download Submit
C:\Windows\system\kuUVRhp.exe

Filesize
5.9MB

MD5
66b0e2b18518a09a3ae3344d8f2e7402

SHA1
226263f0a43e5bcb1cf3824f62f1168dd3e1c2d2

SHA256
a6f26ac0a7d50780c6e65d10d59865176d462e8aabbe3554bd9af7c8841cf16c

SHA512
b7f3de24a47241e98aa85f9b1159386d0f89f62b1bc788c24d685b83db09cb9ca9fbdba9300b272c255c155ba076d747bdacf173eeeaad61213c16b7a246c7ed

Download Submit
C:\Windows\system\oquXnGD.exe

Filesize
5.9MB

MD5
9cacbf298caa65cc3950bf2efb398e3d

SHA1
b1c2d85b61ce8ff50052e33619379f488ee12b13

SHA256
e8bde0599db828f404ec275ace7e8c6346dc8dd5c86d7158da5cb96031daf1bb

SHA512
7835dc98421a034f799bd79b40d29b9a92c76f47e36b29048576b7bb0b90fbee16c48d6d92554182ee19c7cda73b9fea4f1409930663b96e85ac3ee8fe63832b

Download Submit
C:\Windows\system\uUkXdJi.exe

Filesize
5.9MB

MD5
7c14232ba30f2dd500067a915fea8ffb

SHA1
df44d1a8e8d58f6c0a98a66b7df78741b7a41fba

SHA256
de53073de0909bc1350cd620ea38a8e7fa1f2056b83c97f01d576978966b777e

SHA512
571acceff252102cda21826e1215701f58f7ba4c4c2151c12b7bbd009e31742c4b95fd52dc6289c9aabe7701261d7eb9ebfc762e82d70f8d8192d5ca53611808

Download Submit
C:\Windows\system\uuGLKwW.exe

Filesize
5.9MB

MD5
dc39fc9e67ff7acd5bc4fa9c02588faa

SHA1
7aa40f8c2c0030e338410da753bfd2f79c77564a

SHA256
f74fbc6886fe357457846716c8c250795f371faa192ec15684acbed6c0120f3b

SHA512
51a79b38df092d9b408d02038ad0f8168f74dddd8a28773cead482e81a3ed5e8e84bda803da6088eee2bdf887e296ca902c18d1cbf12ec1b202f07d5fa3899f7

Download Submit
C:\Windows\system\zZDFgnt.exe

Filesize
5.9MB

MD5
f3e5ac8a2bf997fb8c9e941083c686a6

SHA1
ed8ffd8a3ca258f33d33fc9da55a0e9b508bfd13

SHA256
689f3c4094f4df55b547e13d346a3c24bf207433ae7c288a85fa6facf4ebf81b

SHA512
d82e173dd2e7f16a8d930abaafa7d35c1da257447004e9f62cd8d2e7e93f82d155eb2ec3ab5212ec246a25d6387908cf96a60d8620543855b98570714d963a95

Download Submit
\Windows\system\GOsbyZi.exe

Filesize
5.9MB

MD5
0e0f784b19988beddd99b6aa28ecb9b8

SHA1
5947cf4b559ff5517fb6ae18b2dd22592a510bcb

SHA256
b2b0c8717da7053aa6a46cd9ec96b444e37241d2fafdcad8dfa5e21a369ab668

SHA512
40327b4e0e048b43b5f59f37ee219af5d21185909d46ec06fd223e3e47ac883f0a80c77baa00c06c105c1e4552cca7926c6914edf6b728b86433f8beffd1747a

Download Submit
\Windows\system\HchltEG.exe

Filesize
5.9MB

MD5
e25c9b35b24f075f5e56df6e8b8de55f

SHA1
da609d2f7fe1f5b413b97835456253c910f9b91b

SHA256
0ae9a1af343d3434cc4dcfa12df706f7618e01bc89f4e8f994f6aab87c69d444

SHA512
3f183cad3c27a2b6b71e304ca0927dd53236874786f59e0941368cf7c6836de4ac47d49a8c48e0a82a5f0a49914498560d6cbe4d079d16d6de6662eb5af1fe61

Download Submit
\Windows\system\Kjpndym.exe

Filesize
5.9MB

MD5
b8ced975fc2600a8b000068ba15556cd

SHA1
cad8cc42570d02666865ee932d7daa4599667c0f

SHA256
e58df761ffba247d580e884ec6e7b55957a2ac750cf0b1301c509384c3d8a36f

SHA512
1764e12c3935450b07019896577e125dfb40fbc8c80b0a399be1f4cd997bd735e29694a058eeed7b4c179228ae4a0bff964daa8401385e1029990f35a13bb986

Download Submit
\Windows\system\YRFXyDa.exe

Filesize
5.9MB

MD5
c75f7b9db6cccdf6bc9c2562f7c3ee67

SHA1
d6ed6050bb0f663afd235baa5c3b50b5e4baab0d

SHA256
b51e9b2029f07448e7d8896adf565beaff26d45fde4890ccb3a4fef2f3de3164

SHA512
c505dd11bec8f4029adefb4e79324a0969d002ba1362b1f4abbc552e79ecacabc99d33379187ffe472e1d0666446ba09c8f8a716221559e4997766c09bf646f4

Download Submit
\Windows\system\dnrXHlM.exe

Filesize
5.9MB

MD5
d8c8fa54f361a355c05b9105200658ba

SHA1
d04007d46ca83cdc625ef5c1e804176f153d06f1

SHA256
ac06c05d9916026ea072258e705eea9c396ebaab4d466207941bf3534af3e166

SHA512
43dda91662cf6eef7d53317d5ae84bb3b76e5685d62cb4856205cbbc807c8b5e3ad13a1b7eecbb2f0d2b89ecb34ece8d01c6ad848182964fb3efcd93d057eaae

Download Submit
\Windows\system\rOWDkGy.exe

Filesize
5.9MB

MD5
d10608ae36b15ea12b92af88c7ed830a

SHA1
280e280093591845e20f1c9a6d8c2bc5489e629b

SHA256
009c44b3f63cb31b190b118ffdb9c751d4beed11347e0df01148dbce7af7e69d

SHA512
9c60846d4e39ff4fad4bbb696b312a798afba2abb3bf651a63c8dd9072111170db3dcd7795e2566c654ee4205e81caf7a0614a96837b622ad7e566c099e6abb2

Download Submit
\Windows\system\uNBiqPS.exe

Filesize
5.9MB

MD5
0236d3dfe7bff5a59cfd37fb41a729e0

SHA1
e8d2694fe9672df52e13c1bcc8c0ef3e44dad627

SHA256
70d78042c14c96fc9e308b346c9540c2f0059d67f581800d3a08f608375b793a

SHA512
b14b4b471fe6ba8d488d64a96dd56e1530f6be5aeb03f8316abad0737a8fb6692a30b8d3d68fe24b7ffc9ce99dbcb7a8f846c6aa14e240f8794b01bc73923725

Download Submit
\Windows\system\uOLsMMO.exe

Filesize
5.9MB

MD5
77727a572762f1f7fd0be924089a6e7d

SHA1
0d7a21bc2df008818d7af764244d170e598b2294

SHA256
ed7c1653bb53aba2d5ecf0b1b85260353e0879e4e10a946e32cb280cf5fb9ae7

SHA512
4794656074f56b49ffa7d226c568fe295f42fdebaec78c0ec13e9cd4944b6b27a2c5f1e8e2e5d0af466247feb709a481697f94d18fd1a4646d2cdc07e405e1ab

Download Submit
memory/364-96-0x000000013F1C0000-0x000000013F514000-memory.dmp

Filesize
3.3MB

Download
memory/364-142-0x000000013F1C0000-0x000000013F514000-memory.dmp

Filesize
3.3MB

Download
memory/364-153-0x000000013F1C0000-0x000000013F514000-memory.dmp

Filesize
3.3MB

Download
memory/1896-12-0x000000013F8F0000-0x000000013FC44000-memory.dmp

Filesize
3.3MB

Download
memory/1896-144-0x000000013F8F0000-0x000000013FC44000-memory.dmp

Filesize
3.3MB

Download
memory/2000-20-0x000000013F2B0000-0x000000013F604000-memory.dmp

Filesize
3.3MB

Download
memory/2000-135-0x000000013F2B0000-0x000000013F604000-memory.dmp

Filesize
3.3MB

Download
memory/2000-146-0x000000013F2B0000-0x000000013F604000-memory.dmp

Filesize
3.3MB

Download
memory/2072-80-0x000000013FD70000-0x00000001400C4000-memory.dmp

Filesize
3.3MB

Download
memory/2072-104-0x000000013F040000-0x000000013F394000-memory.dmp

Filesize
3.3MB

Download
memory/2072-98-0x00000000023E0000-0x0000000002734000-memory.dmp

Filesize
3.3MB

Download
memory/2072-1-0x00000000001F0000-0x0000000000200000-memory.dmp

Filesize
64KB

Download
memory/2072-0-0x000000013F6C0000-0x000000013FA14000-memory.dmp

Filesize
3.3MB

Download
memory/2072-106-0x00000000023E0000-0x0000000002734000-memory.dmp

Filesize
3.3MB

Download
memory/2072-21-0x000000013F100000-0x000000013F454000-memory.dmp

Filesize
3.3MB

Download
memory/2072-107-0x000000013F1C0000-0x000000013F514000-memory.dmp

Filesize
3.3MB

Download
memory/2072-70-0x000000013FCE0000-0x0000000140034000-memory.dmp

Filesize
3.3MB

Download
memory/2072-62-0x00000000023E0000-0x0000000002734000-memory.dmp

Filesize
3.3MB

Download
memory/2072-61-0x000000013F230000-0x000000013F584000-memory.dmp

Filesize
3.3MB

Download
memory/2072-108-0x000000013FF00000-0x0000000140254000-memory.dmp

Filesize
3.3MB

Download
memory/2072-51-0x00000000023E0000-0x0000000002734000-memory.dmp

Filesize
3.3MB

Download
memory/2072-55-0x00000000023E0000-0x0000000002734000-memory.dmp

Filesize
3.3MB

Download
memory/2072-22-0x000000013F2B0000-0x000000013F604000-memory.dmp

Filesize
3.3MB

Download
memory/2072-136-0x00000000023E0000-0x0000000002734000-memory.dmp

Filesize
3.3MB

Download
memory/2072-40-0x000000013FF30000-0x0000000140284000-memory.dmp

Filesize
3.3MB

Download
memory/2072-27-0x00000000023E0000-0x0000000002734000-memory.dmp

Filesize
3.3MB

Download
memory/2072-133-0x000000013F6C0000-0x000000013FA14000-memory.dmp

Filesize
3.3MB

Download
memory/2088-138-0x000000013F510000-0x000000013F864000-memory.dmp

Filesize
3.3MB

Download
memory/2088-149-0x000000013F510000-0x000000013F864000-memory.dmp

Filesize
3.3MB

Download
memory/2088-56-0x000000013F510000-0x000000013F864000-memory.dmp

Filesize
3.3MB

Download
memory/2116-134-0x000000013F100000-0x000000013F454000-memory.dmp

Filesize
3.3MB

Download
memory/2116-18-0x000000013F100000-0x000000013F454000-memory.dmp

Filesize
3.3MB

Download
memory/2116-145-0x000000013F100000-0x000000013F454000-memory.dmp

Filesize
3.3MB

Download
memory/2344-151-0x000000013FCF0000-0x0000000140044000-memory.dmp

Filesize
3.3MB

Download
memory/2344-81-0x000000013FCF0000-0x0000000140044000-memory.dmp

Filesize
3.3MB

Download
memory/2344-143-0x000000013FCF0000-0x0000000140044000-memory.dmp

Filesize
3.3MB

Download
memory/2372-72-0x000000013F830000-0x000000013FB84000-memory.dmp

Filesize
3.3MB

Download
memory/2372-139-0x000000013F830000-0x000000013FB84000-memory.dmp

Filesize
3.3MB

Download
memory/2372-150-0x000000013F830000-0x000000013FB84000-memory.dmp

Filesize
3.3MB

Download
memory/2456-48-0x000000013FF30000-0x0000000140284000-memory.dmp

Filesize
3.3MB

Download
memory/2456-148-0x000000013FF30000-0x0000000140284000-memory.dmp

Filesize
3.3MB

Download
memory/2504-140-0x000000013F230000-0x000000013F584000-memory.dmp

Filesize
3.3MB

Download
memory/2504-154-0x000000013F230000-0x000000013F584000-memory.dmp

Filesize
3.3MB

Download
memory/2504-66-0x000000013F230000-0x000000013F584000-memory.dmp

Filesize
3.3MB

Download
memory/2764-89-0x000000013F040000-0x000000013F394000-memory.dmp

Filesize
3.3MB

Download
memory/2764-141-0x000000013F040000-0x000000013F394000-memory.dmp

Filesize
3.3MB

Download
memory/2764-152-0x000000013F040000-0x000000013F394000-memory.dmp

Filesize
3.3MB

Download
memory/2832-137-0x000000013F5B0000-0x000000013F904000-memory.dmp

Filesize
3.3MB

Download
memory/2832-147-0x000000013F5B0000-0x000000013F904000-memory.dmp

Filesize
3.3MB

Download
memory/2832-28-0x000000013F5B0000-0x000000013F904000-memory.dmp

Filesize
3.3MB

Download