cobaltstrike | a0602c42a960a1b22c7f3c678fb3d6180ca54ed9f6945824e2cb4421c2b1b0be

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
06-06-2024 04:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe
Size

5.2MB
MD5

7ad40ad09fc1e6b3d23a3e62eb441264
SHA1

4d557bef036b8d0551c07595f84dc64396ccf462
SHA256

a0602c42a960a1b22c7f3c678fb3d6180ca54ed9f6945824e2cb4421c2b1b0be
SHA512

241e40798b8606858b6dd6f88cddc8fd76c6a29c7b2dd300d36142af43bbd48ed453a361a9b52bed2aeebc0fe7b4e347b8f812353743f244fccf60ae8096c7cc
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lS:RWWBibf56utgpPFotBER/mQ32lUG

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x000e000000015a98-6.dat	cobalt_reflective_dll
behavioral1/files/0x002a000000015c3c-11.dat	cobalt_reflective_dll
behavioral1/files/0x0029000000015c52-15.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000018d06-98.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000018ba2-101.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000018b96-92.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000018b6a-85.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000018b37-77.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000018b42-76.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000018b33-69.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000018ae2-61.dat	cobalt_reflective_dll
behavioral1/files/0x00080000000167db-55.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000192c9-106.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000018b73-91.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000015c87-32.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015d88-28.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000018b4a-83.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000018ae8-66.dat	cobalt_reflective_dll
behavioral1/files/0x0010000000015c5d-59.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015db4-38.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015cb9-27.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

resource	yara_rule
behavioral1/files/0x000e000000015a98-6.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x002a000000015c3c-11.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0029000000015c52-15.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000018d06-98.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000018ba2-101.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000018b96-92.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000018b6a-85.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000018b37-77.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000018b42-76.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000018b33-69.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000018ae2-61.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x00080000000167db-55.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x00050000000192c9-106.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000018b73-91.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0008000000015c87-32.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000015d88-28.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000018b4a-83.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000018ae8-66.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0010000000015c5d-59.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000015db4-38.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000015cb9-27.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 59 IoCs

resource	yara_rule
behavioral1/memory/1708-0-0x000000013F110000-0x000000013F461000-memory.dmp	UPX
behavioral1/files/0x000e000000015a98-6.dat	UPX
behavioral1/files/0x002a000000015c3c-11.dat	UPX
behavioral1/files/0x0029000000015c52-15.dat	UPX
behavioral1/memory/2560-47-0x000000013FA00000-0x000000013FD51000-memory.dmp	UPX
behavioral1/memory/2856-31-0x000000013F980000-0x000000013FCD1000-memory.dmp	UPX
behavioral1/files/0x0006000000018d06-98.dat	UPX
behavioral1/memory/2428-102-0x000000013FEF0000-0x0000000140241000-memory.dmp	UPX
behavioral1/files/0x0006000000018ba2-101.dat	UPX
behavioral1/files/0x0006000000018b96-92.dat	UPX
behavioral1/files/0x0006000000018b6a-85.dat	UPX
behavioral1/files/0x0006000000018b37-77.dat	UPX
behavioral1/files/0x0006000000018b42-76.dat	UPX
behavioral1/files/0x0006000000018b33-69.dat	UPX
behavioral1/files/0x0006000000018ae2-61.dat	UPX
behavioral1/files/0x00080000000167db-55.dat	UPX
behavioral1/memory/2520-53-0x000000013F410000-0x000000013F761000-memory.dmp	UPX
behavioral1/memory/792-116-0x000000013F6A0000-0x000000013F9F1000-memory.dmp	UPX
behavioral1/memory/1484-114-0x000000013F9D0000-0x000000013FD21000-memory.dmp	UPX
behavioral1/memory/2788-110-0x000000013FDA0000-0x00000001400F1000-memory.dmp	UPX
behavioral1/memory/2416-107-0x000000013FCD0000-0x0000000140021000-memory.dmp	UPX
behavioral1/files/0x00050000000192c9-106.dat	UPX
behavioral1/files/0x0006000000018b73-91.dat	UPX
behavioral1/files/0x0008000000015c87-32.dat	UPX
behavioral1/files/0x0007000000015d88-28.dat	UPX
behavioral1/memory/3016-21-0x000000013F090000-0x000000013F3E1000-memory.dmp	UPX
behavioral1/memory/1708-135-0x000000013F110000-0x000000013F461000-memory.dmp	UPX
behavioral1/files/0x0006000000018b4a-83.dat	UPX
behavioral1/files/0x0006000000018ae8-66.dat	UPX
behavioral1/files/0x0010000000015c5d-59.dat	UPX
behavioral1/memory/2516-45-0x000000013FB30000-0x000000013FE81000-memory.dmp	UPX
behavioral1/memory/2580-44-0x000000013FC00000-0x000000013FF51000-memory.dmp	UPX
behavioral1/memory/772-147-0x000000013F850000-0x000000013FBA1000-memory.dmp	UPX
behavioral1/memory/1872-145-0x000000013F740000-0x000000013FA91000-memory.dmp	UPX
behavioral1/files/0x0007000000015db4-38.dat	UPX
behavioral1/files/0x0007000000015cb9-27.dat	UPX
behavioral1/memory/2860-25-0x000000013F140000-0x000000013F491000-memory.dmp	UPX
behavioral1/memory/2608-153-0x000000013F470000-0x000000013F7C1000-memory.dmp	UPX
behavioral1/memory/2148-156-0x000000013FCA0000-0x000000013FFF1000-memory.dmp	UPX
behavioral1/memory/2696-155-0x000000013F930000-0x000000013FC81000-memory.dmp	UPX
behavioral1/memory/2680-154-0x000000013F2C0000-0x000000013F611000-memory.dmp	UPX
behavioral1/memory/1196-152-0x000000013F300000-0x000000013F651000-memory.dmp	UPX
behavioral1/memory/1856-151-0x000000013F6E0000-0x000000013FA31000-memory.dmp	UPX
behavioral1/memory/792-150-0x000000013F6A0000-0x000000013F9F1000-memory.dmp	UPX
behavioral1/memory/588-149-0x000000013F2C0000-0x000000013F611000-memory.dmp	UPX
behavioral1/memory/1708-157-0x000000013F110000-0x000000013F461000-memory.dmp	UPX
behavioral1/memory/1708-166-0x000000013F110000-0x000000013F461000-memory.dmp	UPX
behavioral1/memory/3016-212-0x000000013F090000-0x000000013F3E1000-memory.dmp	UPX
behavioral1/memory/2856-216-0x000000013F980000-0x000000013FCD1000-memory.dmp	UPX
behavioral1/memory/2860-215-0x000000013F140000-0x000000013F491000-memory.dmp	UPX
behavioral1/memory/2580-218-0x000000013FC00000-0x000000013FF51000-memory.dmp	UPX
behavioral1/memory/2560-221-0x000000013FA00000-0x000000013FD51000-memory.dmp	UPX
behavioral1/memory/2516-222-0x000000013FB30000-0x000000013FE81000-memory.dmp	UPX
behavioral1/memory/2520-224-0x000000013F410000-0x000000013F761000-memory.dmp	UPX
behavioral1/memory/2788-230-0x000000013FDA0000-0x00000001400F1000-memory.dmp	UPX
behavioral1/memory/1484-232-0x000000013F9D0000-0x000000013FD21000-memory.dmp	UPX
behavioral1/memory/2416-229-0x000000013FCD0000-0x0000000140021000-memory.dmp	UPX
behavioral1/memory/2428-226-0x000000013FEF0000-0x0000000140241000-memory.dmp	UPX
behavioral1/memory/792-237-0x000000013F6A0000-0x000000013F9F1000-memory.dmp	UPX

XMRig Miner payload 38 IoCs

miner

resource	yara_rule
behavioral1/memory/2560-47-0x000000013FA00000-0x000000013FD51000-memory.dmp	xmrig
behavioral1/memory/2856-31-0x000000013F980000-0x000000013FCD1000-memory.dmp	xmrig
behavioral1/memory/1708-54-0x000000013FEF0000-0x0000000140241000-memory.dmp	xmrig
behavioral1/memory/2428-102-0x000000013FEF0000-0x0000000140241000-memory.dmp	xmrig
behavioral1/memory/2520-53-0x000000013F410000-0x000000013F761000-memory.dmp	xmrig
behavioral1/memory/1484-114-0x000000013F9D0000-0x000000013FD21000-memory.dmp	xmrig
behavioral1/memory/2788-110-0x000000013FDA0000-0x00000001400F1000-memory.dmp	xmrig
behavioral1/memory/2416-107-0x000000013FCD0000-0x0000000140021000-memory.dmp	xmrig
behavioral1/memory/3016-21-0x000000013F090000-0x000000013F3E1000-memory.dmp	xmrig
behavioral1/memory/1708-135-0x000000013F110000-0x000000013F461000-memory.dmp	xmrig
behavioral1/memory/1708-46-0x000000013FA00000-0x000000013FD51000-memory.dmp	xmrig
behavioral1/memory/2516-45-0x000000013FB30000-0x000000013FE81000-memory.dmp	xmrig
behavioral1/memory/2580-44-0x000000013FC00000-0x000000013FF51000-memory.dmp	xmrig
behavioral1/memory/772-147-0x000000013F850000-0x000000013FBA1000-memory.dmp	xmrig
behavioral1/memory/1872-145-0x000000013F740000-0x000000013FA91000-memory.dmp	xmrig
behavioral1/memory/2860-25-0x000000013F140000-0x000000013F491000-memory.dmp	xmrig
behavioral1/memory/2608-153-0x000000013F470000-0x000000013F7C1000-memory.dmp	xmrig
behavioral1/memory/2148-156-0x000000013FCA0000-0x000000013FFF1000-memory.dmp	xmrig
behavioral1/memory/2696-155-0x000000013F930000-0x000000013FC81000-memory.dmp	xmrig
behavioral1/memory/2680-154-0x000000013F2C0000-0x000000013F611000-memory.dmp	xmrig
behavioral1/memory/1196-152-0x000000013F300000-0x000000013F651000-memory.dmp	xmrig
behavioral1/memory/1856-151-0x000000013F6E0000-0x000000013FA31000-memory.dmp	xmrig
behavioral1/memory/792-150-0x000000013F6A0000-0x000000013F9F1000-memory.dmp	xmrig
behavioral1/memory/588-149-0x000000013F2C0000-0x000000013F611000-memory.dmp	xmrig
behavioral1/memory/1708-157-0x000000013F110000-0x000000013F461000-memory.dmp	xmrig
behavioral1/memory/1708-166-0x000000013F110000-0x000000013F461000-memory.dmp	xmrig
behavioral1/memory/3016-212-0x000000013F090000-0x000000013F3E1000-memory.dmp	xmrig
behavioral1/memory/2856-216-0x000000013F980000-0x000000013FCD1000-memory.dmp	xmrig
behavioral1/memory/2860-215-0x000000013F140000-0x000000013F491000-memory.dmp	xmrig
behavioral1/memory/2580-218-0x000000013FC00000-0x000000013FF51000-memory.dmp	xmrig
behavioral1/memory/2560-221-0x000000013FA00000-0x000000013FD51000-memory.dmp	xmrig
behavioral1/memory/2516-222-0x000000013FB30000-0x000000013FE81000-memory.dmp	xmrig
behavioral1/memory/2520-224-0x000000013F410000-0x000000013F761000-memory.dmp	xmrig
behavioral1/memory/2788-230-0x000000013FDA0000-0x00000001400F1000-memory.dmp	xmrig
behavioral1/memory/1484-232-0x000000013F9D0000-0x000000013FD21000-memory.dmp	xmrig
behavioral1/memory/2416-229-0x000000013FCD0000-0x0000000140021000-memory.dmp	xmrig
behavioral1/memory/2428-226-0x000000013FEF0000-0x0000000140241000-memory.dmp	xmrig
behavioral1/memory/792-237-0x000000013F6A0000-0x000000013F9F1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
3016	moTwVrH.exe
2860	eWrNDxm.exe
2856	jdtwqLX.exe
2580	ITIuLzG.exe
2516	GwDiswM.exe
2560	FtBaSvW.exe
2520	hJJhgpC.exe
2428	gLAebOt.exe
2416	LWMEYHe.exe
2788	MzpzGYi.exe
1484	hcjcYwW.exe
792	MPujKkn.exe
1196	ERnhdYy.exe
2680	NWRsVIw.exe
2148	pacLDib.exe
1872	OSsBuTF.exe
772	pUvrebN.exe
588	VnkwTcn.exe
1856	AMwKOJi.exe
2608	QrQJcNE.exe
2696	tZtsfpH.exe

Loads dropped DLL 21 IoCs

pid	Process
1708	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe
1708	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe
1708	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe
1708	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe
1708	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe
1708	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe
1708	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe
1708	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe
1708	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe
1708	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe
1708	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe
1708	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe
1708	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe
1708	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe
1708	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe
1708	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe
1708	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe
1708	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe
1708	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe
1708	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe
1708	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe

UPX packed file 59 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1708-0-0x000000013F110000-0x000000013F461000-memory.dmp	upx
behavioral1/files/0x000e000000015a98-6.dat	upx
behavioral1/files/0x002a000000015c3c-11.dat	upx
behavioral1/files/0x0029000000015c52-15.dat	upx
behavioral1/memory/2560-47-0x000000013FA00000-0x000000013FD51000-memory.dmp	upx
behavioral1/memory/2856-31-0x000000013F980000-0x000000013FCD1000-memory.dmp	upx
behavioral1/files/0x0006000000018d06-98.dat	upx
behavioral1/memory/2428-102-0x000000013FEF0000-0x0000000140241000-memory.dmp	upx
behavioral1/files/0x0006000000018ba2-101.dat	upx
behavioral1/files/0x0006000000018b96-92.dat	upx
behavioral1/files/0x0006000000018b6a-85.dat	upx
behavioral1/files/0x0006000000018b37-77.dat	upx
behavioral1/files/0x0006000000018b42-76.dat	upx
behavioral1/files/0x0006000000018b33-69.dat	upx
behavioral1/files/0x0006000000018ae2-61.dat	upx
behavioral1/files/0x00080000000167db-55.dat	upx
behavioral1/memory/2520-53-0x000000013F410000-0x000000013F761000-memory.dmp	upx
behavioral1/memory/792-116-0x000000013F6A0000-0x000000013F9F1000-memory.dmp	upx
behavioral1/memory/1484-114-0x000000013F9D0000-0x000000013FD21000-memory.dmp	upx
behavioral1/memory/2788-110-0x000000013FDA0000-0x00000001400F1000-memory.dmp	upx
behavioral1/memory/2416-107-0x000000013FCD0000-0x0000000140021000-memory.dmp	upx
behavioral1/files/0x00050000000192c9-106.dat	upx
behavioral1/files/0x0006000000018b73-91.dat	upx
behavioral1/files/0x0008000000015c87-32.dat	upx
behavioral1/files/0x0007000000015d88-28.dat	upx
behavioral1/memory/3016-21-0x000000013F090000-0x000000013F3E1000-memory.dmp	upx
behavioral1/memory/1708-135-0x000000013F110000-0x000000013F461000-memory.dmp	upx
behavioral1/files/0x0006000000018b4a-83.dat	upx
behavioral1/files/0x0006000000018ae8-66.dat	upx
behavioral1/files/0x0010000000015c5d-59.dat	upx
behavioral1/memory/2516-45-0x000000013FB30000-0x000000013FE81000-memory.dmp	upx
behavioral1/memory/2580-44-0x000000013FC00000-0x000000013FF51000-memory.dmp	upx
behavioral1/memory/772-147-0x000000013F850000-0x000000013FBA1000-memory.dmp	upx
behavioral1/memory/1872-145-0x000000013F740000-0x000000013FA91000-memory.dmp	upx
behavioral1/files/0x0007000000015db4-38.dat	upx
behavioral1/files/0x0007000000015cb9-27.dat	upx
behavioral1/memory/2860-25-0x000000013F140000-0x000000013F491000-memory.dmp	upx
behavioral1/memory/2608-153-0x000000013F470000-0x000000013F7C1000-memory.dmp	upx
behavioral1/memory/2148-156-0x000000013FCA0000-0x000000013FFF1000-memory.dmp	upx
behavioral1/memory/2696-155-0x000000013F930000-0x000000013FC81000-memory.dmp	upx
behavioral1/memory/2680-154-0x000000013F2C0000-0x000000013F611000-memory.dmp	upx
behavioral1/memory/1196-152-0x000000013F300000-0x000000013F651000-memory.dmp	upx
behavioral1/memory/1856-151-0x000000013F6E0000-0x000000013FA31000-memory.dmp	upx
behavioral1/memory/792-150-0x000000013F6A0000-0x000000013F9F1000-memory.dmp	upx
behavioral1/memory/588-149-0x000000013F2C0000-0x000000013F611000-memory.dmp	upx
behavioral1/memory/1708-157-0x000000013F110000-0x000000013F461000-memory.dmp	upx
behavioral1/memory/1708-166-0x000000013F110000-0x000000013F461000-memory.dmp	upx
behavioral1/memory/3016-212-0x000000013F090000-0x000000013F3E1000-memory.dmp	upx
behavioral1/memory/2856-216-0x000000013F980000-0x000000013FCD1000-memory.dmp	upx
behavioral1/memory/2860-215-0x000000013F140000-0x000000013F491000-memory.dmp	upx
behavioral1/memory/2580-218-0x000000013FC00000-0x000000013FF51000-memory.dmp	upx
behavioral1/memory/2560-221-0x000000013FA00000-0x000000013FD51000-memory.dmp	upx
behavioral1/memory/2516-222-0x000000013FB30000-0x000000013FE81000-memory.dmp	upx
behavioral1/memory/2520-224-0x000000013F410000-0x000000013F761000-memory.dmp	upx
behavioral1/memory/2788-230-0x000000013FDA0000-0x00000001400F1000-memory.dmp	upx
behavioral1/memory/1484-232-0x000000013F9D0000-0x000000013FD21000-memory.dmp	upx
behavioral1/memory/2416-229-0x000000013FCD0000-0x0000000140021000-memory.dmp	upx
behavioral1/memory/2428-226-0x000000013FEF0000-0x0000000140241000-memory.dmp	upx
behavioral1/memory/792-237-0x000000013F6A0000-0x000000013F9F1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\pacLDib.exe	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\eWrNDxm.exe	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\pUvrebN.exe	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\AMwKOJi.exe	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\hJJhgpC.exe	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\FtBaSvW.exe	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\LWMEYHe.exe	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\hcjcYwW.exe	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\VnkwTcn.exe	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\moTwVrH.exe	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\jdtwqLX.exe	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\GwDiswM.exe	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\MPujKkn.exe	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ERnhdYy.exe	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\gLAebOt.exe	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\QrQJcNE.exe	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\tZtsfpH.exe	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\NWRsVIw.exe	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ITIuLzG.exe	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\OSsBuTF.exe	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\MzpzGYi.exe	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1708	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	1708	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 1708 wrote to memory of 3016	1708	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe	29
PID 1708 wrote to memory of 3016	1708	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe	29
PID 1708 wrote to memory of 3016	1708	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe	29
PID 1708 wrote to memory of 2860	1708	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe	30
PID 1708 wrote to memory of 2860	1708	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe	30
PID 1708 wrote to memory of 2860	1708	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe	30
PID 1708 wrote to memory of 2856	1708	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe	31
PID 1708 wrote to memory of 2856	1708	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe	31
PID 1708 wrote to memory of 2856	1708	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe	31
PID 1708 wrote to memory of 2516	1708	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe	32
PID 1708 wrote to memory of 2516	1708	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe	32
PID 1708 wrote to memory of 2516	1708	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe	32
PID 1708 wrote to memory of 2580	1708	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe	33
PID 1708 wrote to memory of 2580	1708	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe	33
PID 1708 wrote to memory of 2580	1708	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe	33
PID 1708 wrote to memory of 2520	1708	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe	34
PID 1708 wrote to memory of 2520	1708	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe	34
PID 1708 wrote to memory of 2520	1708	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe	34
PID 1708 wrote to memory of 2560	1708	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe	35
PID 1708 wrote to memory of 2560	1708	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe	35
PID 1708 wrote to memory of 2560	1708	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe	35
PID 1708 wrote to memory of 2428	1708	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe	36
PID 1708 wrote to memory of 2428	1708	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe	36
PID 1708 wrote to memory of 2428	1708	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe	36
PID 1708 wrote to memory of 2416	1708	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe	37
PID 1708 wrote to memory of 2416	1708	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe	37
PID 1708 wrote to memory of 2416	1708	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe	37
PID 1708 wrote to memory of 1872	1708	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe	38
PID 1708 wrote to memory of 1872	1708	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe	38
PID 1708 wrote to memory of 1872	1708	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe	38
PID 1708 wrote to memory of 2788	1708	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe	39
PID 1708 wrote to memory of 2788	1708	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe	39
PID 1708 wrote to memory of 2788	1708	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe	39
PID 1708 wrote to memory of 772	1708	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe	40
PID 1708 wrote to memory of 772	1708	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe	40
PID 1708 wrote to memory of 772	1708	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe	40
PID 1708 wrote to memory of 1484	1708	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe	41
PID 1708 wrote to memory of 1484	1708	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe	41
PID 1708 wrote to memory of 1484	1708	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe	41
PID 1708 wrote to memory of 588	1708	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe	42
PID 1708 wrote to memory of 588	1708	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe	42
PID 1708 wrote to memory of 588	1708	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe	42
PID 1708 wrote to memory of 792	1708	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe	43
PID 1708 wrote to memory of 792	1708	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe	43
PID 1708 wrote to memory of 792	1708	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe	43
PID 1708 wrote to memory of 1856	1708	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe	44
PID 1708 wrote to memory of 1856	1708	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe	44
PID 1708 wrote to memory of 1856	1708	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe	44
PID 1708 wrote to memory of 1196	1708	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe	45
PID 1708 wrote to memory of 1196	1708	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe	45
PID 1708 wrote to memory of 1196	1708	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe	45
PID 1708 wrote to memory of 2608	1708	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe	46
PID 1708 wrote to memory of 2608	1708	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe	46
PID 1708 wrote to memory of 2608	1708	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe	46
PID 1708 wrote to memory of 2680	1708	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe	47
PID 1708 wrote to memory of 2680	1708	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe	47
PID 1708 wrote to memory of 2680	1708	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe	47
PID 1708 wrote to memory of 2696	1708	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe	48
PID 1708 wrote to memory of 2696	1708	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe	48
PID 1708 wrote to memory of 2696	1708	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe	48
PID 1708 wrote to memory of 2148	1708	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe	49
PID 1708 wrote to memory of 2148	1708	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe	49
PID 1708 wrote to memory of 2148	1708	2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe	49

C:\Users\Admin\AppData\Local\Temp\2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-06_7ad40ad09fc1e6b3d23a3e62eb441264_cobalt-strike_cobaltstrike.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1708
- C:\Windows\System\moTwVrH.exe
  C:\Windows\System\moTwVrH.exe
  2⤵
  - Executes dropped EXE
  PID:3016
- C:\Windows\System\eWrNDxm.exe
  C:\Windows\System\eWrNDxm.exe
  2⤵
  - Executes dropped EXE
  PID:2860
- C:\Windows\System\jdtwqLX.exe
  C:\Windows\System\jdtwqLX.exe
  2⤵
  - Executes dropped EXE
  PID:2856
- C:\Windows\System\GwDiswM.exe
  C:\Windows\System\GwDiswM.exe
  2⤵
  - Executes dropped EXE
  PID:2516
- C:\Windows\System\ITIuLzG.exe
  C:\Windows\System\ITIuLzG.exe
  2⤵
  - Executes dropped EXE
  PID:2580
- C:\Windows\System\hJJhgpC.exe
  C:\Windows\System\hJJhgpC.exe
  2⤵
  - Executes dropped EXE
  PID:2520
- C:\Windows\System\FtBaSvW.exe
  C:\Windows\System\FtBaSvW.exe
  2⤵
  - Executes dropped EXE
  PID:2560
- C:\Windows\System\gLAebOt.exe
  C:\Windows\System\gLAebOt.exe
  2⤵
  - Executes dropped EXE
  PID:2428
- C:\Windows\System\LWMEYHe.exe
  C:\Windows\System\LWMEYHe.exe
  2⤵
  - Executes dropped EXE
  PID:2416
- C:\Windows\System\OSsBuTF.exe
  C:\Windows\System\OSsBuTF.exe
  2⤵
  - Executes dropped EXE
  PID:1872
- C:\Windows\System\MzpzGYi.exe
  C:\Windows\System\MzpzGYi.exe
  2⤵
  - Executes dropped EXE
  PID:2788
- C:\Windows\System\pUvrebN.exe
  C:\Windows\System\pUvrebN.exe
  2⤵
  - Executes dropped EXE
  PID:772
- C:\Windows\System\hcjcYwW.exe
  C:\Windows\System\hcjcYwW.exe
  2⤵
  - Executes dropped EXE
  PID:1484
- C:\Windows\System\VnkwTcn.exe
  C:\Windows\System\VnkwTcn.exe
  2⤵
  - Executes dropped EXE
  PID:588
- C:\Windows\System\MPujKkn.exe
  C:\Windows\System\MPujKkn.exe
  2⤵
  - Executes dropped EXE
  PID:792
- C:\Windows\System\AMwKOJi.exe
  C:\Windows\System\AMwKOJi.exe
  2⤵
  - Executes dropped EXE
  PID:1856
- C:\Windows\System\ERnhdYy.exe
  C:\Windows\System\ERnhdYy.exe
  2⤵
  - Executes dropped EXE
  PID:1196
- C:\Windows\System\QrQJcNE.exe
  C:\Windows\System\QrQJcNE.exe
  2⤵
  - Executes dropped EXE
  PID:2608
- C:\Windows\System\NWRsVIw.exe
  C:\Windows\System\NWRsVIw.exe
  2⤵
  - Executes dropped EXE
  PID:2680
- C:\Windows\System\tZtsfpH.exe
  C:\Windows\System\tZtsfpH.exe
  2⤵
  - Executes dropped EXE
  PID:2696
- C:\Windows\System\pacLDib.exe
  C:\Windows\System\pacLDib.exe
  2⤵
  - Executes dropped EXE
  PID:2148

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\ERnhdYy.exe

Filesize
5.2MB

MD5
cea92a8c8eb183d39d74576dbc063716

SHA1
de5d4ec6d5bdbc8b7e42a6beee131640c73d61d0

SHA256
25077acad27992d4f7be95f3e671b4a6052858529c47c31514ec72e0731d5636

SHA512
41c751cf5b2b3003c6c6b412b3ef256614ae8d519209b0b62f092682bd250dc131f5ac2d5ffcbed6152f03440c3bd0693c489d6b238e7bfaf3e2bf3f72a96a79

Download Submit
C:\Windows\system\FtBaSvW.exe

Filesize
5.2MB

MD5
6b099f42e5f75213e7622ff8df96c8e7

SHA1
74278d402248377d6fc270fcb3a6d4141ba7ed3a

SHA256
ede27e772210fc7793508e6b06e333fb8808f90790a026ca9806b6ecfda14b90

SHA512
a76e622ac2c9551123a8a43c87749c61eeb4cc74bd6a409b091cc47a1a5b3ecef24338026a2573493e0e0a42ed5f76d270cecb8ca789d4a58c634d2c3c2b3169

Download Submit
C:\Windows\system\GwDiswM.exe

Filesize
5.2MB

MD5
43def7cee0a814ccf488052674fab678

SHA1
e6b85cdd5ec3b2f446bfdb622498277706abc431

SHA256
93961aeab8cd75d52760eccd189d4aa4dca168e159c3d83943d245353495ded9

SHA512
68472a4421d56f8d629ffdfc6e2f7f2f82cb81c8b31609885765aed2baab23f8d17f365e5873d7fbb026ead5dd919a746ba4b933d1656efa87f872bd1a5f3607

Download Submit
C:\Windows\system\ITIuLzG.exe

Filesize
5.2MB

MD5
7cc01b01c25d202f2291e2a7d5966e82

SHA1
b9ee8ebd41f0766e30c46e75d1bb58b7dd7a4333

SHA256
42ec823999f794634122e4d45d2bffc508a2d540e4ea8709cbc7d5c8ccf77551

SHA512
51c6da47201d5cd41e29c83a075c5e0d7256c613a359eb1f59c42fbc3a5886d7297c59e354643c4b0f768514c89cc5b22877b01f5fc99cad4dfaf5d743ea58da

Download Submit
C:\Windows\system\LWMEYHe.exe

Filesize
5.2MB

MD5
ea26afdcd64d1260ae41e6bc601922b1

SHA1
55d817988e66795cc071839ccd667ae612e12589

SHA256
555eeb92c79fdcc0d633ed5c3fb2d7aadc76dee97ddc97a12dc0e6c28fdf2dc1

SHA512
aa49f18ed12de58bd2bc81a57bf0ce36064125cdce93ed49ec7d25ca86b351b57b492883d3029cf94c2156b837923e5d4ce6ea3cedda29562936ec80b06a79eb

Download Submit
C:\Windows\system\MPujKkn.exe

Filesize
5.2MB

MD5
be3ff993a2b5b352ce7f2532df736463

SHA1
5b15ce1e24fa3039bf8197c2f8b46e1d25494f66

SHA256
33296fb40e70a6d9ae46de53cf022941e98afe978bd166dd527453c7f112dd78

SHA512
f0b654598a090fb48d409d63f858a01e51bca82bd47e4676524547bfc8a280804a1311d20b2365f0b00d4f74d6f74afd36ff6db6929bfa72de9a45904f00665b

Download Submit
C:\Windows\system\MzpzGYi.exe

Filesize
5.2MB

MD5
c2126a39d5530cf072dad1b5fc17cdf8

SHA1
7eac2690364bae114aa3d60b7fa95a334c739ad3

SHA256
806a7b84cbe49e564cbbcca115cbf9296c4f4c5324a2648f246134d6a232fc58

SHA512
c5efb29896d61f0b6a9f4025c95bd08b54a141821c265b7684f066139b483720fa7331f2e2e6e7ece3820e626cfb2dfa2aa75116ebfc9af360a0e59f83eb3c15

Download Submit
C:\Windows\system\NWRsVIw.exe

Filesize
5.2MB

MD5
cf8f95a4a6f5b8eabc1b34b2b65f2791

SHA1
66466066846745b2f9fcc330f5e50c9c93d2f482

SHA256
f2c69713ab04a810fa00cf03cd671e1a2ab2eb580d078771663eaebab73008f1

SHA512
6ed9fbc9236b0ba2a8f2b763b563646b54e748f99c9c8ecf7efef9c6c890967d98f6bb833a779254807af61f456b87f83288e30e88e58f81e9ed827495413679

Download Submit
C:\Windows\system\eWrNDxm.exe

Filesize
5.2MB

MD5
2424719f0fc906a0ccb18f3885d43c22

SHA1
09d5f20107236d48d168a80f9a389120a3176c62

SHA256
345bdcd46a87a1a42b09a630abb0ffd47021ede1a96f651571a5108f11c75207

SHA512
3e8c700d5d95f0ec82f2d0ea10420bbab151584134d6cde43ce56fc34d61b523bf054677326ac9a777df7c7dfa4f0d2728937fd559a506c7b29a591304c188df

Download Submit
C:\Windows\system\gLAebOt.exe

Filesize
5.2MB

MD5
28be99bc5963b32012ed9fb244e06fa5

SHA1
43d3657fc8dd05e34f29542d3d071f2c6f8d1e57

SHA256
3d4b6d3160be4ad86f24cb42f376f2eea2200d74c1bfcf9e1c18e364ebbb5bab

SHA512
2aab6737c12265da914649b1807637d0e5d982bb1c5f3e201669413c4e8fd4f5c9d172f04282399d00c3e9adfc84d8bb7ab462b9911412d7f3c78c8df15fd48d

Download Submit
C:\Windows\system\hcjcYwW.exe

Filesize
5.2MB

MD5
79f20540bbc927993c9f7e52542665bc

SHA1
7adc34d4571166c754004d8818d7a450f41231d7

SHA256
c973b0d46b974933ee3aad8931747cc73ca2b214227b025781cef2df0cdc6103

SHA512
a4ec2f1bee84d593873baf50de7918528989c2c45497ec3e8d52add94144549f475341a191024201b3364a3a2ad32fbd86f96672e1b673347c5d80aa590f5219

Download Submit
C:\Windows\system\jdtwqLX.exe

Filesize
5.2MB

MD5
17d3da06974f836b1bea48732250dbde

SHA1
bac48c70029c49bdb94e61151fe5604dfc536162

SHA256
cc296bbd6523c0e5e315fad3c67621f6cbe70725be696fb9a047aee1c465742f

SHA512
dfde0e8c3ed75aadbf5e166437b7aa72c67bfd96bccf357573216119d3e55e0ea8924c22630432d7992551ea1fe5b601d49ace356a7e3d43d17dc7135b23e44e

Download Submit
C:\Windows\system\moTwVrH.exe

Filesize
5.2MB

MD5
7f75eb9a7c8906ca763256a16e7403f6

SHA1
03707ad8ee400b69209d6e08190b53b40049bdf0

SHA256
dfd5930271d3886b08d9adf98d8f9dc121e4f5763c81d43d713e5c67327db608

SHA512
0746980366de9c2dc4e8695c94e84844ba50932ceb3524d3d466e7dec6ccf481f3291ee99fdc8fa014973fb4acb9c43391a1eb451ed1df35f1c27cefa6adf6b0

Download Submit
C:\Windows\system\pacLDib.exe

Filesize
5.2MB

MD5
f5ad2b836709b6ce19f2eef46bfa020e

SHA1
7d43b37a8bc7491fe3273fbd42f0542db825ba72

SHA256
41f168a023d2e9e85bd21d6470c8cbea3523d693c7ad75487d231c84952eddef

SHA512
9f5e099f3257dc302dfbb54eca003105d223fa85f136db902b67648b42258b82323e8788345aa8cb4fb0d9352abb85790a3e06e240cd48c20af220a5399565d6

Download Submit
\Windows\system\AMwKOJi.exe

Filesize
5.2MB

MD5
01f353b14e47c9b5ab6c9a80b339d5af

SHA1
691cf0c52a95c1ae8d783146679a6463baca85c0

SHA256
b21d55cc9c5a30b4127fe65a3217450384b2b436ed0ca6ae4bcb1e1027c46b2d

SHA512
4eb4f7a8ed1d7cfea013f9d1f21d18becaa6f920308d7489a5d43d7a37b4aa9c1127f6c3ec87468082b7ebd62b535aafa694eb6a2584bc6caa20dd1c2b65f631

Download Submit
\Windows\system\OSsBuTF.exe

Filesize
5.2MB

MD5
698a6b71645f7f581cd24a03c2d75b72

SHA1
46b4d4b05ef8e763986d5714efb8aa9f73765fa2

SHA256
e5b76bc30eff7cb955d18bfd258828da1d65696f9c815fb28a96f6aace9039e5

SHA512
54d90133e90503265220c8c84cc1ad44ac0f4fc38087f3082c77043ecf8d126c5337569f34e8bcaa48692bdf6237af22f6e34d137b2326dce8767091af6332bb

Download Submit
\Windows\system\QrQJcNE.exe

Filesize
5.2MB

MD5
4e8c49ccd4f22d28fb8916c3be6f0d63

SHA1
29ef031e40c64a260644a84320843df8efb92cc5

SHA256
379d1442e376152313c109689599fa4979a5e7a46d55f1690f03a67ee5f311f0

SHA512
c864cd886d0c9b397e1268863e4c81e0f2ad8f6c5af96998bd2f15df72664a67999d48a77660aa2f8adef7a461e61a118127fc4d61aa455b6f5d7719d342d2b3

Download Submit
\Windows\system\VnkwTcn.exe

Filesize
5.2MB

MD5
31f05ec8caba8ccbf70f00fc999c8796

SHA1
9656219cea1e43ee99d7094e718f9c6aa60e46da

SHA256
edb0607a48e5c4c2c996fcbeb55368fd8ec8d059784b4caec4922bb5a922e9ea

SHA512
5ec7157993f2e748e22da15d4144787a1a126215dbb3407d8e77eafbb634bc638c10ead808c90b621e1156740397959bedc8a7c6ccfc26bfd166b4ce424672f4

Download Submit
\Windows\system\hJJhgpC.exe

Filesize
5.2MB

MD5
550177bdc7f9d5bc292beab71e528376

SHA1
af5042d4eaa34d4bf9c9dd0fd392aff52349f284

SHA256
f706e82b90a337b37085c6d468fee33c6db00487648304e73663ed2ea86d4b49

SHA512
3dff85f01b7af8fd70b66d67e20bf4149566c8d7adfbec98c038f8ae77a9ee1a42158aefed5f005d82ecb031bccf164399744d968f333958eed129454d44230b

Download Submit
\Windows\system\pUvrebN.exe

Filesize
5.2MB

MD5
2f9e94f6e426c4cd820f27777a9008eb

SHA1
e93551c24233d84b079122b560449850d1d30825

SHA256
e5194483db51a1a7d8c886b700aa9846163019ce88079a95557c85880a7424e2

SHA512
eb4e77da0b0d1fe27ef849b92e70e69c8d904e0ab897bd5f6d71223554b5840f59b5bcbf7522e83d7941a6ea0f44d375a61e17c8f8e1a9672c26fafcd714bae4

Download Submit
\Windows\system\tZtsfpH.exe

Filesize
5.2MB

MD5
63462ba367b8c5692425b88884b8fd4e

SHA1
9abecae968f8aa41ef5ad2a59dbc702fba5ba5bb

SHA256
0242332639ae94edd65cd9783cc55464ccd9b34e89d546c16a1f01b146afa61f

SHA512
3f01d7a91312a7a33f53af1cd457a000715970000b8febba01371cac51820c19f22d5a09c4d067dddd532efb1a6b6a90de8f6357fdede5e3fe47233bd9fbb768

Download Submit
memory/588-149-0x000000013F2C0000-0x000000013F611000-memory.dmp

Filesize
3.3MB

Download
memory/772-147-0x000000013F850000-0x000000013FBA1000-memory.dmp

Filesize
3.3MB

Download
memory/792-150-0x000000013F6A0000-0x000000013F9F1000-memory.dmp

Filesize
3.3MB

Download
memory/792-116-0x000000013F6A0000-0x000000013F9F1000-memory.dmp

Filesize
3.3MB

Download
memory/792-237-0x000000013F6A0000-0x000000013F9F1000-memory.dmp

Filesize
3.3MB

Download
memory/1196-152-0x000000013F300000-0x000000013F651000-memory.dmp

Filesize
3.3MB

Download
memory/1484-114-0x000000013F9D0000-0x000000013FD21000-memory.dmp

Filesize
3.3MB

Download
memory/1484-232-0x000000013F9D0000-0x000000013FD21000-memory.dmp

Filesize
3.3MB

Download
memory/1708-135-0x000000013F110000-0x000000013F461000-memory.dmp

Filesize
3.3MB

Download
memory/1708-26-0x000000013F980000-0x000000013FCD1000-memory.dmp

Filesize
3.3MB

Download
memory/1708-108-0x000000013F740000-0x000000013FA91000-memory.dmp

Filesize
3.3MB

Download
memory/1708-105-0x000000013FCD0000-0x0000000140021000-memory.dmp

Filesize
3.3MB

Download
memory/1708-109-0x000000013FDA0000-0x00000001400F1000-memory.dmp

Filesize
3.3MB

Download
memory/1708-33-0x000000013FB30000-0x000000013FE81000-memory.dmp

Filesize
3.3MB

Download
memory/1708-1-0x00000000000F0000-0x0000000000100000-memory.dmp

Filesize
64KB

Download
memory/1708-111-0x000000013F850000-0x000000013FBA1000-memory.dmp

Filesize
3.3MB

Download
memory/1708-180-0x0000000002210000-0x0000000002561000-memory.dmp

Filesize
3.3MB

Download
memory/1708-0-0x000000013F110000-0x000000013F461000-memory.dmp

Filesize
3.3MB

Download
memory/1708-112-0x000000013F9D0000-0x000000013FD21000-memory.dmp

Filesize
3.3MB

Download
memory/1708-113-0x0000000002210000-0x0000000002561000-memory.dmp

Filesize
3.3MB

Download
memory/1708-115-0x000000013F6A0000-0x000000013F9F1000-memory.dmp

Filesize
3.3MB

Download
memory/1708-46-0x000000013FA00000-0x000000013FD51000-memory.dmp

Filesize
3.3MB

Download
memory/1708-166-0x000000013F110000-0x000000013F461000-memory.dmp

Filesize
3.3MB

Download
memory/1708-157-0x000000013F110000-0x000000013F461000-memory.dmp

Filesize
3.3MB

Download
memory/1708-117-0x000000013F6E0000-0x000000013FA31000-memory.dmp

Filesize
3.3MB

Download
memory/1708-54-0x000000013FEF0000-0x0000000140241000-memory.dmp

Filesize
3.3MB

Download
memory/1708-43-0x000000013FC00000-0x000000013FF51000-memory.dmp

Filesize
3.3MB

Download
memory/1708-42-0x0000000002210000-0x0000000002561000-memory.dmp

Filesize
3.3MB

Download
memory/1708-39-0x0000000002210000-0x0000000002561000-memory.dmp

Filesize
3.3MB

Download
memory/1708-118-0x0000000002210000-0x0000000002561000-memory.dmp

Filesize
3.3MB

Download
memory/1856-151-0x000000013F6E0000-0x000000013FA31000-memory.dmp

Filesize
3.3MB

Download
memory/1872-145-0x000000013F740000-0x000000013FA91000-memory.dmp

Filesize
3.3MB

Download
memory/2148-156-0x000000013FCA0000-0x000000013FFF1000-memory.dmp

Filesize
3.3MB

Download
memory/2416-107-0x000000013FCD0000-0x0000000140021000-memory.dmp

Filesize
3.3MB

Download
memory/2416-229-0x000000013FCD0000-0x0000000140021000-memory.dmp

Filesize
3.3MB

Download
memory/2428-226-0x000000013FEF0000-0x0000000140241000-memory.dmp

Filesize
3.3MB

Download
memory/2428-102-0x000000013FEF0000-0x0000000140241000-memory.dmp

Filesize
3.3MB

Download
memory/2516-45-0x000000013FB30000-0x000000013FE81000-memory.dmp

Filesize
3.3MB

Download
memory/2516-222-0x000000013FB30000-0x000000013FE81000-memory.dmp

Filesize
3.3MB

Download
memory/2520-224-0x000000013F410000-0x000000013F761000-memory.dmp

Filesize
3.3MB

Download
memory/2520-53-0x000000013F410000-0x000000013F761000-memory.dmp

Filesize
3.3MB

Download
memory/2560-221-0x000000013FA00000-0x000000013FD51000-memory.dmp

Filesize
3.3MB

Download
memory/2560-47-0x000000013FA00000-0x000000013FD51000-memory.dmp

Filesize
3.3MB

Download
memory/2580-44-0x000000013FC00000-0x000000013FF51000-memory.dmp

Filesize
3.3MB

Download
memory/2580-218-0x000000013FC00000-0x000000013FF51000-memory.dmp

Filesize
3.3MB

Download
memory/2608-153-0x000000013F470000-0x000000013F7C1000-memory.dmp

Filesize
3.3MB

Download
memory/2680-154-0x000000013F2C0000-0x000000013F611000-memory.dmp

Filesize
3.3MB

Download
memory/2696-155-0x000000013F930000-0x000000013FC81000-memory.dmp

Filesize
3.3MB

Download
memory/2788-110-0x000000013FDA0000-0x00000001400F1000-memory.dmp

Filesize
3.3MB

Download
memory/2788-230-0x000000013FDA0000-0x00000001400F1000-memory.dmp

Filesize
3.3MB

Download
memory/2856-216-0x000000013F980000-0x000000013FCD1000-memory.dmp

Filesize
3.3MB

Download
memory/2856-31-0x000000013F980000-0x000000013FCD1000-memory.dmp

Filesize
3.3MB

Download
memory/2860-215-0x000000013F140000-0x000000013F491000-memory.dmp

Filesize
3.3MB

Download
memory/2860-25-0x000000013F140000-0x000000013F491000-memory.dmp

Filesize
3.3MB

Download
memory/3016-212-0x000000013F090000-0x000000013F3E1000-memory.dmp

Filesize
3.3MB

Download
memory/3016-21-0x000000013F090000-0x000000013F3E1000-memory.dmp

Filesize
3.3MB

Download