cobaltstrike | dfb4b03959f53ed0ec7ec7d3dcb85bf67317359d5d3203fe0632d26405fbb80d

Analysis

max time kernel
134s
max time network
145s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
06/06/2024, 08:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-06_a608d83e6d1c6abb586c918ebc3fd3cf_cobalt-strike_cobaltstrike.exe
Size

5.9MB
MD5

a608d83e6d1c6abb586c918ebc3fd3cf
SHA1

7acefd0485c6838cab257bd39c7f67bc9e4af7c3
SHA256

dfb4b03959f53ed0ec7ec7d3dcb85bf67317359d5d3203fe0632d26405fbb80d
SHA512

f4c224ddbefdf414a4af5642c90946af6b2414dc19f1229f61d9a74a2ac1eecfecbd97676fd8bca683417ffb4f534a503e5c6c1c2f06fed406f9f43a3470931c
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUz:Q+856utgpPF8u/7z

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x000b000000012257-6.dat	cobalt_reflective_dll
behavioral1/files/0x000c00000001340b-10.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000015d87-14.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000015d8f-18.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015e3a-26.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015eaf-30.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015f6d-36.dat	cobalt_reflective_dll
behavioral1/files/0x0009000000015fe9-41.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000016d1e-50.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016da7-71.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016eb2-95.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000017052-100.dat	cobalt_reflective_dll
behavioral1/files/0x00060000000173d5-111.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016e94-90.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016dbf-85.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016dbb-80.dat	cobalt_reflective_dll
behavioral1/files/0x0031000000015d67-75.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d90-65.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d7e-60.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d3a-55.dat	cobalt_reflective_dll
behavioral1/files/0x0009000000016117-46.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

resource	yara_rule
behavioral1/files/0x000b000000012257-6.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x000c00000001340b-10.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0008000000015d87-14.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0008000000015d8f-18.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000015e3a-26.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000015eaf-30.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000015f6d-36.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0009000000015fe9-41.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000016d1e-50.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016da7-71.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016eb2-95.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000017052-100.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x00060000000173d5-111.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016e94-90.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016dbf-85.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016dbb-80.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0031000000015d67-75.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d90-65.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d7e-60.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d3a-55.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0009000000016117-46.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 51 IoCs

resource	yara_rule
behavioral1/memory/2000-0-0x000000013F3B0000-0x000000013F704000-memory.dmp	UPX
behavioral1/files/0x000b000000012257-6.dat	UPX
behavioral1/files/0x000c00000001340b-10.dat	UPX
behavioral1/files/0x0008000000015d87-14.dat	UPX
behavioral1/files/0x0008000000015d8f-18.dat	UPX
behavioral1/files/0x0007000000015e3a-26.dat	UPX
behavioral1/files/0x0007000000015eaf-30.dat	UPX
behavioral1/files/0x0007000000015f6d-36.dat	UPX
behavioral1/files/0x0009000000015fe9-41.dat	UPX
behavioral1/files/0x0007000000016d1e-50.dat	UPX
behavioral1/files/0x0006000000016da7-71.dat	UPX
behavioral1/files/0x0006000000016eb2-95.dat	UPX
behavioral1/files/0x0006000000017052-100.dat	UPX
behavioral1/files/0x00060000000173d5-111.dat	UPX
behavioral1/memory/2524-109-0x000000013F950000-0x000000013FCA4000-memory.dmp	UPX
behavioral1/memory/2504-107-0x000000013FCE0000-0x0000000140034000-memory.dmp	UPX
behavioral1/memory/2784-106-0x000000013FAC0000-0x000000013FE14000-memory.dmp	UPX
behavioral1/files/0x0006000000016e94-90.dat	UPX
behavioral1/files/0x0006000000016dbf-85.dat	UPX
behavioral1/files/0x0006000000016dbb-80.dat	UPX
behavioral1/files/0x0031000000015d67-75.dat	UPX
behavioral1/files/0x0006000000016d90-65.dat	UPX
behavioral1/files/0x0006000000016d7e-60.dat	UPX
behavioral1/files/0x0006000000016d3a-55.dat	UPX
behavioral1/files/0x0009000000016117-46.dat	UPX
behavioral1/memory/2532-115-0x000000013F020000-0x000000013F374000-memory.dmp	UPX
behavioral1/memory/2604-113-0x000000013FED0000-0x0000000140224000-memory.dmp	UPX
behavioral1/memory/2032-117-0x000000013F6B0000-0x000000013FA04000-memory.dmp	UPX
behavioral1/memory/2652-119-0x000000013FA90000-0x000000013FDE4000-memory.dmp	UPX
behavioral1/memory/2572-120-0x000000013F630000-0x000000013F984000-memory.dmp	UPX
behavioral1/memory/2540-121-0x000000013F240000-0x000000013F594000-memory.dmp	UPX
behavioral1/memory/2372-122-0x000000013F270000-0x000000013F5C4000-memory.dmp	UPX
behavioral1/memory/2416-123-0x000000013F6E0000-0x000000013FA34000-memory.dmp	UPX
behavioral1/memory/1580-128-0x000000013FE40000-0x0000000140194000-memory.dmp	UPX
behavioral1/memory/2884-124-0x000000013F380000-0x000000013F6D4000-memory.dmp	UPX
behavioral1/memory/1992-126-0x000000013F940000-0x000000013FC94000-memory.dmp	UPX
behavioral1/memory/2000-130-0x000000013F3B0000-0x000000013F704000-memory.dmp	UPX
behavioral1/memory/2784-132-0x000000013FAC0000-0x000000013FE14000-memory.dmp	UPX
behavioral1/memory/2504-133-0x000000013FCE0000-0x0000000140034000-memory.dmp	UPX
behavioral1/memory/2524-131-0x000000013F950000-0x000000013FCA4000-memory.dmp	UPX
behavioral1/memory/2532-135-0x000000013F020000-0x000000013F374000-memory.dmp	UPX
behavioral1/memory/2604-134-0x000000013FED0000-0x0000000140224000-memory.dmp	UPX
behavioral1/memory/2032-136-0x000000013F6B0000-0x000000013FA04000-memory.dmp	UPX
behavioral1/memory/2652-137-0x000000013FA90000-0x000000013FDE4000-memory.dmp	UPX
behavioral1/memory/2572-138-0x000000013F630000-0x000000013F984000-memory.dmp	UPX
behavioral1/memory/2540-139-0x000000013F240000-0x000000013F594000-memory.dmp	UPX
behavioral1/memory/2372-140-0x000000013F270000-0x000000013F5C4000-memory.dmp	UPX
behavioral1/memory/2416-141-0x000000013F6E0000-0x000000013FA34000-memory.dmp	UPX
behavioral1/memory/2884-142-0x000000013F380000-0x000000013F6D4000-memory.dmp	UPX
behavioral1/memory/1992-143-0x000000013F940000-0x000000013FC94000-memory.dmp	UPX
behavioral1/memory/1580-144-0x000000013FE40000-0x0000000140194000-memory.dmp	UPX

XMRig Miner payload 53 IoCs

miner

resource	yara_rule
behavioral1/memory/2000-0-0x000000013F3B0000-0x000000013F704000-memory.dmp	xmrig
behavioral1/files/0x000b000000012257-6.dat	xmrig
behavioral1/files/0x000c00000001340b-10.dat	xmrig
behavioral1/files/0x0008000000015d87-14.dat	xmrig
behavioral1/files/0x0008000000015d8f-18.dat	xmrig
behavioral1/files/0x0007000000015e3a-26.dat	xmrig
behavioral1/files/0x0007000000015eaf-30.dat	xmrig
behavioral1/files/0x0007000000015f6d-36.dat	xmrig
behavioral1/files/0x0009000000015fe9-41.dat	xmrig
behavioral1/files/0x0007000000016d1e-50.dat	xmrig
behavioral1/files/0x0006000000016da7-71.dat	xmrig
behavioral1/files/0x0006000000016eb2-95.dat	xmrig
behavioral1/files/0x0006000000017052-100.dat	xmrig
behavioral1/files/0x00060000000173d5-111.dat	xmrig
behavioral1/memory/2000-110-0x000000013FED0000-0x0000000140224000-memory.dmp	xmrig
behavioral1/memory/2524-109-0x000000013F950000-0x000000013FCA4000-memory.dmp	xmrig
behavioral1/memory/2000-108-0x000000013F950000-0x000000013FCA4000-memory.dmp	xmrig
behavioral1/memory/2504-107-0x000000013FCE0000-0x0000000140034000-memory.dmp	xmrig
behavioral1/memory/2784-106-0x000000013FAC0000-0x000000013FE14000-memory.dmp	xmrig
behavioral1/files/0x0006000000016e94-90.dat	xmrig
behavioral1/files/0x0006000000016dbf-85.dat	xmrig
behavioral1/files/0x0006000000016dbb-80.dat	xmrig
behavioral1/files/0x0031000000015d67-75.dat	xmrig
behavioral1/files/0x0006000000016d90-65.dat	xmrig
behavioral1/files/0x0006000000016d7e-60.dat	xmrig
behavioral1/files/0x0006000000016d3a-55.dat	xmrig
behavioral1/files/0x0009000000016117-46.dat	xmrig
behavioral1/memory/2532-115-0x000000013F020000-0x000000013F374000-memory.dmp	xmrig
behavioral1/memory/2604-113-0x000000013FED0000-0x0000000140224000-memory.dmp	xmrig
behavioral1/memory/2032-117-0x000000013F6B0000-0x000000013FA04000-memory.dmp	xmrig
behavioral1/memory/2652-119-0x000000013FA90000-0x000000013FDE4000-memory.dmp	xmrig
behavioral1/memory/2572-120-0x000000013F630000-0x000000013F984000-memory.dmp	xmrig
behavioral1/memory/2540-121-0x000000013F240000-0x000000013F594000-memory.dmp	xmrig
behavioral1/memory/2372-122-0x000000013F270000-0x000000013F5C4000-memory.dmp	xmrig
behavioral1/memory/2416-123-0x000000013F6E0000-0x000000013FA34000-memory.dmp	xmrig
behavioral1/memory/1580-128-0x000000013FE40000-0x0000000140194000-memory.dmp	xmrig
behavioral1/memory/2884-124-0x000000013F380000-0x000000013F6D4000-memory.dmp	xmrig
behavioral1/memory/1992-126-0x000000013F940000-0x000000013FC94000-memory.dmp	xmrig
behavioral1/memory/2000-130-0x000000013F3B0000-0x000000013F704000-memory.dmp	xmrig
behavioral1/memory/2784-132-0x000000013FAC0000-0x000000013FE14000-memory.dmp	xmrig
behavioral1/memory/2504-133-0x000000013FCE0000-0x0000000140034000-memory.dmp	xmrig
behavioral1/memory/2524-131-0x000000013F950000-0x000000013FCA4000-memory.dmp	xmrig
behavioral1/memory/2532-135-0x000000013F020000-0x000000013F374000-memory.dmp	xmrig
behavioral1/memory/2604-134-0x000000013FED0000-0x0000000140224000-memory.dmp	xmrig
behavioral1/memory/2032-136-0x000000013F6B0000-0x000000013FA04000-memory.dmp	xmrig
behavioral1/memory/2652-137-0x000000013FA90000-0x000000013FDE4000-memory.dmp	xmrig
behavioral1/memory/2572-138-0x000000013F630000-0x000000013F984000-memory.dmp	xmrig
behavioral1/memory/2540-139-0x000000013F240000-0x000000013F594000-memory.dmp	xmrig
behavioral1/memory/2372-140-0x000000013F270000-0x000000013F5C4000-memory.dmp	xmrig
behavioral1/memory/2416-141-0x000000013F6E0000-0x000000013FA34000-memory.dmp	xmrig
behavioral1/memory/2884-142-0x000000013F380000-0x000000013F6D4000-memory.dmp	xmrig
behavioral1/memory/1992-143-0x000000013F940000-0x000000013FC94000-memory.dmp	xmrig
behavioral1/memory/1580-144-0x000000013FE40000-0x0000000140194000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2784	YqsNbfU.exe
2504	DrDivhW.exe
2524	WHcXFXf.exe
2604	ZTiKame.exe
2532	UaRrsPX.exe
2032	iXobjjf.exe
2652	disMIbP.exe
2572	HqluGkX.exe
2540	TTWHsHw.exe
2372	xUVJMQT.exe
2416	HgTzTEv.exe
2884	TDDsHXb.exe
1992	PRiciuK.exe
1580	PupqYgl.exe
1840	ZKPdHrU.exe
2564	FrunxwF.exe
2704	dJfCFyC.exe
2464	ojhnSXC.exe
2192	uCrDuIL.exe
984	egsqixx.exe
2172	AnRxUBv.exe

Loads dropped DLL 21 IoCs

pid	Process
2000	2024-06-06_a608d83e6d1c6abb586c918ebc3fd3cf_cobalt-strike_cobaltstrike.exe
2000	2024-06-06_a608d83e6d1c6abb586c918ebc3fd3cf_cobalt-strike_cobaltstrike.exe
2000	2024-06-06_a608d83e6d1c6abb586c918ebc3fd3cf_cobalt-strike_cobaltstrike.exe
2000	2024-06-06_a608d83e6d1c6abb586c918ebc3fd3cf_cobalt-strike_cobaltstrike.exe
2000	2024-06-06_a608d83e6d1c6abb586c918ebc3fd3cf_cobalt-strike_cobaltstrike.exe
2000	2024-06-06_a608d83e6d1c6abb586c918ebc3fd3cf_cobalt-strike_cobaltstrike.exe
2000	2024-06-06_a608d83e6d1c6abb586c918ebc3fd3cf_cobalt-strike_cobaltstrike.exe
2000	2024-06-06_a608d83e6d1c6abb586c918ebc3fd3cf_cobalt-strike_cobaltstrike.exe
2000	2024-06-06_a608d83e6d1c6abb586c918ebc3fd3cf_cobalt-strike_cobaltstrike.exe
2000	2024-06-06_a608d83e6d1c6abb586c918ebc3fd3cf_cobalt-strike_cobaltstrike.exe
2000	2024-06-06_a608d83e6d1c6abb586c918ebc3fd3cf_cobalt-strike_cobaltstrike.exe
2000	2024-06-06_a608d83e6d1c6abb586c918ebc3fd3cf_cobalt-strike_cobaltstrike.exe
2000	2024-06-06_a608d83e6d1c6abb586c918ebc3fd3cf_cobalt-strike_cobaltstrike.exe
2000	2024-06-06_a608d83e6d1c6abb586c918ebc3fd3cf_cobalt-strike_cobaltstrike.exe
2000	2024-06-06_a608d83e6d1c6abb586c918ebc3fd3cf_cobalt-strike_cobaltstrike.exe
2000	2024-06-06_a608d83e6d1c6abb586c918ebc3fd3cf_cobalt-strike_cobaltstrike.exe
2000	2024-06-06_a608d83e6d1c6abb586c918ebc3fd3cf_cobalt-strike_cobaltstrike.exe
2000	2024-06-06_a608d83e6d1c6abb586c918ebc3fd3cf_cobalt-strike_cobaltstrike.exe
2000	2024-06-06_a608d83e6d1c6abb586c918ebc3fd3cf_cobalt-strike_cobaltstrike.exe
2000	2024-06-06_a608d83e6d1c6abb586c918ebc3fd3cf_cobalt-strike_cobaltstrike.exe
2000	2024-06-06_a608d83e6d1c6abb586c918ebc3fd3cf_cobalt-strike_cobaltstrike.exe

UPX packed file 51 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2000-0-0x000000013F3B0000-0x000000013F704000-memory.dmp	upx
behavioral1/files/0x000b000000012257-6.dat	upx
behavioral1/files/0x000c00000001340b-10.dat	upx
behavioral1/files/0x0008000000015d87-14.dat	upx
behavioral1/files/0x0008000000015d8f-18.dat	upx
behavioral1/files/0x0007000000015e3a-26.dat	upx
behavioral1/files/0x0007000000015eaf-30.dat	upx
behavioral1/files/0x0007000000015f6d-36.dat	upx
behavioral1/files/0x0009000000015fe9-41.dat	upx
behavioral1/files/0x0007000000016d1e-50.dat	upx
behavioral1/files/0x0006000000016da7-71.dat	upx
behavioral1/files/0x0006000000016eb2-95.dat	upx
behavioral1/files/0x0006000000017052-100.dat	upx
behavioral1/files/0x00060000000173d5-111.dat	upx
behavioral1/memory/2524-109-0x000000013F950000-0x000000013FCA4000-memory.dmp	upx
behavioral1/memory/2504-107-0x000000013FCE0000-0x0000000140034000-memory.dmp	upx
behavioral1/memory/2784-106-0x000000013FAC0000-0x000000013FE14000-memory.dmp	upx
behavioral1/files/0x0006000000016e94-90.dat	upx
behavioral1/files/0x0006000000016dbf-85.dat	upx
behavioral1/files/0x0006000000016dbb-80.dat	upx
behavioral1/files/0x0031000000015d67-75.dat	upx
behavioral1/files/0x0006000000016d90-65.dat	upx
behavioral1/files/0x0006000000016d7e-60.dat	upx
behavioral1/files/0x0006000000016d3a-55.dat	upx
behavioral1/files/0x0009000000016117-46.dat	upx
behavioral1/memory/2532-115-0x000000013F020000-0x000000013F374000-memory.dmp	upx
behavioral1/memory/2604-113-0x000000013FED0000-0x0000000140224000-memory.dmp	upx
behavioral1/memory/2032-117-0x000000013F6B0000-0x000000013FA04000-memory.dmp	upx
behavioral1/memory/2652-119-0x000000013FA90000-0x000000013FDE4000-memory.dmp	upx
behavioral1/memory/2572-120-0x000000013F630000-0x000000013F984000-memory.dmp	upx
behavioral1/memory/2540-121-0x000000013F240000-0x000000013F594000-memory.dmp	upx
behavioral1/memory/2372-122-0x000000013F270000-0x000000013F5C4000-memory.dmp	upx
behavioral1/memory/2416-123-0x000000013F6E0000-0x000000013FA34000-memory.dmp	upx
behavioral1/memory/1580-128-0x000000013FE40000-0x0000000140194000-memory.dmp	upx
behavioral1/memory/2884-124-0x000000013F380000-0x000000013F6D4000-memory.dmp	upx
behavioral1/memory/1992-126-0x000000013F940000-0x000000013FC94000-memory.dmp	upx
behavioral1/memory/2000-130-0x000000013F3B0000-0x000000013F704000-memory.dmp	upx
behavioral1/memory/2784-132-0x000000013FAC0000-0x000000013FE14000-memory.dmp	upx
behavioral1/memory/2504-133-0x000000013FCE0000-0x0000000140034000-memory.dmp	upx
behavioral1/memory/2524-131-0x000000013F950000-0x000000013FCA4000-memory.dmp	upx
behavioral1/memory/2532-135-0x000000013F020000-0x000000013F374000-memory.dmp	upx
behavioral1/memory/2604-134-0x000000013FED0000-0x0000000140224000-memory.dmp	upx
behavioral1/memory/2032-136-0x000000013F6B0000-0x000000013FA04000-memory.dmp	upx
behavioral1/memory/2652-137-0x000000013FA90000-0x000000013FDE4000-memory.dmp	upx
behavioral1/memory/2572-138-0x000000013F630000-0x000000013F984000-memory.dmp	upx
behavioral1/memory/2540-139-0x000000013F240000-0x000000013F594000-memory.dmp	upx
behavioral1/memory/2372-140-0x000000013F270000-0x000000013F5C4000-memory.dmp	upx
behavioral1/memory/2416-141-0x000000013F6E0000-0x000000013FA34000-memory.dmp	upx
behavioral1/memory/2884-142-0x000000013F380000-0x000000013F6D4000-memory.dmp	upx
behavioral1/memory/1992-143-0x000000013F940000-0x000000013FC94000-memory.dmp	upx
behavioral1/memory/1580-144-0x000000013FE40000-0x0000000140194000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\dJfCFyC.exe	2024-06-06_a608d83e6d1c6abb586c918ebc3fd3cf_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\DrDivhW.exe	2024-06-06_a608d83e6d1c6abb586c918ebc3fd3cf_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\iXobjjf.exe	2024-06-06_a608d83e6d1c6abb586c918ebc3fd3cf_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\disMIbP.exe	2024-06-06_a608d83e6d1c6abb586c918ebc3fd3cf_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\HqluGkX.exe	2024-06-06_a608d83e6d1c6abb586c918ebc3fd3cf_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\PupqYgl.exe	2024-06-06_a608d83e6d1c6abb586c918ebc3fd3cf_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ojhnSXC.exe	2024-06-06_a608d83e6d1c6abb586c918ebc3fd3cf_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\uCrDuIL.exe	2024-06-06_a608d83e6d1c6abb586c918ebc3fd3cf_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\YqsNbfU.exe	2024-06-06_a608d83e6d1c6abb586c918ebc3fd3cf_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\UaRrsPX.exe	2024-06-06_a608d83e6d1c6abb586c918ebc3fd3cf_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\xUVJMQT.exe	2024-06-06_a608d83e6d1c6abb586c918ebc3fd3cf_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ZKPdHrU.exe	2024-06-06_a608d83e6d1c6abb586c918ebc3fd3cf_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\FrunxwF.exe	2024-06-06_a608d83e6d1c6abb586c918ebc3fd3cf_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\egsqixx.exe	2024-06-06_a608d83e6d1c6abb586c918ebc3fd3cf_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\AnRxUBv.exe	2024-06-06_a608d83e6d1c6abb586c918ebc3fd3cf_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\WHcXFXf.exe	2024-06-06_a608d83e6d1c6abb586c918ebc3fd3cf_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\TTWHsHw.exe	2024-06-06_a608d83e6d1c6abb586c918ebc3fd3cf_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\HgTzTEv.exe	2024-06-06_a608d83e6d1c6abb586c918ebc3fd3cf_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\TDDsHXb.exe	2024-06-06_a608d83e6d1c6abb586c918ebc3fd3cf_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\PRiciuK.exe	2024-06-06_a608d83e6d1c6abb586c918ebc3fd3cf_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ZTiKame.exe	2024-06-06_a608d83e6d1c6abb586c918ebc3fd3cf_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2000	2024-06-06_a608d83e6d1c6abb586c918ebc3fd3cf_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	2000	2024-06-06_a608d83e6d1c6abb586c918ebc3fd3cf_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2000 wrote to memory of 2784	2000	2024-06-06_a608d83e6d1c6abb586c918ebc3fd3cf_cobalt-strike_cobaltstrike.exe	29
PID 2000 wrote to memory of 2784	2000	2024-06-06_a608d83e6d1c6abb586c918ebc3fd3cf_cobalt-strike_cobaltstrike.exe	29
PID 2000 wrote to memory of 2784	2000	2024-06-06_a608d83e6d1c6abb586c918ebc3fd3cf_cobalt-strike_cobaltstrike.exe	29
PID 2000 wrote to memory of 2504	2000	2024-06-06_a608d83e6d1c6abb586c918ebc3fd3cf_cobalt-strike_cobaltstrike.exe	30
PID 2000 wrote to memory of 2504	2000	2024-06-06_a608d83e6d1c6abb586c918ebc3fd3cf_cobalt-strike_cobaltstrike.exe	30
PID 2000 wrote to memory of 2504	2000	2024-06-06_a608d83e6d1c6abb586c918ebc3fd3cf_cobalt-strike_cobaltstrike.exe	30
PID 2000 wrote to memory of 2524	2000	2024-06-06_a608d83e6d1c6abb586c918ebc3fd3cf_cobalt-strike_cobaltstrike.exe	31
PID 2000 wrote to memory of 2524	2000	2024-06-06_a608d83e6d1c6abb586c918ebc3fd3cf_cobalt-strike_cobaltstrike.exe	31
PID 2000 wrote to memory of 2524	2000	2024-06-06_a608d83e6d1c6abb586c918ebc3fd3cf_cobalt-strike_cobaltstrike.exe	31
PID 2000 wrote to memory of 2604	2000	2024-06-06_a608d83e6d1c6abb586c918ebc3fd3cf_cobalt-strike_cobaltstrike.exe	32
PID 2000 wrote to memory of 2604	2000	2024-06-06_a608d83e6d1c6abb586c918ebc3fd3cf_cobalt-strike_cobaltstrike.exe	32
PID 2000 wrote to memory of 2604	2000	2024-06-06_a608d83e6d1c6abb586c918ebc3fd3cf_cobalt-strike_cobaltstrike.exe	32
PID 2000 wrote to memory of 2532	2000	2024-06-06_a608d83e6d1c6abb586c918ebc3fd3cf_cobalt-strike_cobaltstrike.exe	33
PID 2000 wrote to memory of 2532	2000	2024-06-06_a608d83e6d1c6abb586c918ebc3fd3cf_cobalt-strike_cobaltstrike.exe	33
PID 2000 wrote to memory of 2532	2000	2024-06-06_a608d83e6d1c6abb586c918ebc3fd3cf_cobalt-strike_cobaltstrike.exe	33
PID 2000 wrote to memory of 2032	2000	2024-06-06_a608d83e6d1c6abb586c918ebc3fd3cf_cobalt-strike_cobaltstrike.exe	34
PID 2000 wrote to memory of 2032	2000	2024-06-06_a608d83e6d1c6abb586c918ebc3fd3cf_cobalt-strike_cobaltstrike.exe	34
PID 2000 wrote to memory of 2032	2000	2024-06-06_a608d83e6d1c6abb586c918ebc3fd3cf_cobalt-strike_cobaltstrike.exe	34
PID 2000 wrote to memory of 2652	2000	2024-06-06_a608d83e6d1c6abb586c918ebc3fd3cf_cobalt-strike_cobaltstrike.exe	35
PID 2000 wrote to memory of 2652	2000	2024-06-06_a608d83e6d1c6abb586c918ebc3fd3cf_cobalt-strike_cobaltstrike.exe	35
PID 2000 wrote to memory of 2652	2000	2024-06-06_a608d83e6d1c6abb586c918ebc3fd3cf_cobalt-strike_cobaltstrike.exe	35
PID 2000 wrote to memory of 2572	2000	2024-06-06_a608d83e6d1c6abb586c918ebc3fd3cf_cobalt-strike_cobaltstrike.exe	36
PID 2000 wrote to memory of 2572	2000	2024-06-06_a608d83e6d1c6abb586c918ebc3fd3cf_cobalt-strike_cobaltstrike.exe	36
PID 2000 wrote to memory of 2572	2000	2024-06-06_a608d83e6d1c6abb586c918ebc3fd3cf_cobalt-strike_cobaltstrike.exe	36
PID 2000 wrote to memory of 2540	2000	2024-06-06_a608d83e6d1c6abb586c918ebc3fd3cf_cobalt-strike_cobaltstrike.exe	37
PID 2000 wrote to memory of 2540	2000	2024-06-06_a608d83e6d1c6abb586c918ebc3fd3cf_cobalt-strike_cobaltstrike.exe	37
PID 2000 wrote to memory of 2540	2000	2024-06-06_a608d83e6d1c6abb586c918ebc3fd3cf_cobalt-strike_cobaltstrike.exe	37
PID 2000 wrote to memory of 2372	2000	2024-06-06_a608d83e6d1c6abb586c918ebc3fd3cf_cobalt-strike_cobaltstrike.exe	38
PID 2000 wrote to memory of 2372	2000	2024-06-06_a608d83e6d1c6abb586c918ebc3fd3cf_cobalt-strike_cobaltstrike.exe	38
PID 2000 wrote to memory of 2372	2000	2024-06-06_a608d83e6d1c6abb586c918ebc3fd3cf_cobalt-strike_cobaltstrike.exe	38
PID 2000 wrote to memory of 2416	2000	2024-06-06_a608d83e6d1c6abb586c918ebc3fd3cf_cobalt-strike_cobaltstrike.exe	39
PID 2000 wrote to memory of 2416	2000	2024-06-06_a608d83e6d1c6abb586c918ebc3fd3cf_cobalt-strike_cobaltstrike.exe	39
PID 2000 wrote to memory of 2416	2000	2024-06-06_a608d83e6d1c6abb586c918ebc3fd3cf_cobalt-strike_cobaltstrike.exe	39
PID 2000 wrote to memory of 2884	2000	2024-06-06_a608d83e6d1c6abb586c918ebc3fd3cf_cobalt-strike_cobaltstrike.exe	40
PID 2000 wrote to memory of 2884	2000	2024-06-06_a608d83e6d1c6abb586c918ebc3fd3cf_cobalt-strike_cobaltstrike.exe	40
PID 2000 wrote to memory of 2884	2000	2024-06-06_a608d83e6d1c6abb586c918ebc3fd3cf_cobalt-strike_cobaltstrike.exe	40
PID 2000 wrote to memory of 1992	2000	2024-06-06_a608d83e6d1c6abb586c918ebc3fd3cf_cobalt-strike_cobaltstrike.exe	41
PID 2000 wrote to memory of 1992	2000	2024-06-06_a608d83e6d1c6abb586c918ebc3fd3cf_cobalt-strike_cobaltstrike.exe	41
PID 2000 wrote to memory of 1992	2000	2024-06-06_a608d83e6d1c6abb586c918ebc3fd3cf_cobalt-strike_cobaltstrike.exe	41
PID 2000 wrote to memory of 1580	2000	2024-06-06_a608d83e6d1c6abb586c918ebc3fd3cf_cobalt-strike_cobaltstrike.exe	42
PID 2000 wrote to memory of 1580	2000	2024-06-06_a608d83e6d1c6abb586c918ebc3fd3cf_cobalt-strike_cobaltstrike.exe	42
PID 2000 wrote to memory of 1580	2000	2024-06-06_a608d83e6d1c6abb586c918ebc3fd3cf_cobalt-strike_cobaltstrike.exe	42
PID 2000 wrote to memory of 1840	2000	2024-06-06_a608d83e6d1c6abb586c918ebc3fd3cf_cobalt-strike_cobaltstrike.exe	43
PID 2000 wrote to memory of 1840	2000	2024-06-06_a608d83e6d1c6abb586c918ebc3fd3cf_cobalt-strike_cobaltstrike.exe	43
PID 2000 wrote to memory of 1840	2000	2024-06-06_a608d83e6d1c6abb586c918ebc3fd3cf_cobalt-strike_cobaltstrike.exe	43
PID 2000 wrote to memory of 2564	2000	2024-06-06_a608d83e6d1c6abb586c918ebc3fd3cf_cobalt-strike_cobaltstrike.exe	44
PID 2000 wrote to memory of 2564	2000	2024-06-06_a608d83e6d1c6abb586c918ebc3fd3cf_cobalt-strike_cobaltstrike.exe	44
PID 2000 wrote to memory of 2564	2000	2024-06-06_a608d83e6d1c6abb586c918ebc3fd3cf_cobalt-strike_cobaltstrike.exe	44
PID 2000 wrote to memory of 2704	2000	2024-06-06_a608d83e6d1c6abb586c918ebc3fd3cf_cobalt-strike_cobaltstrike.exe	45
PID 2000 wrote to memory of 2704	2000	2024-06-06_a608d83e6d1c6abb586c918ebc3fd3cf_cobalt-strike_cobaltstrike.exe	45
PID 2000 wrote to memory of 2704	2000	2024-06-06_a608d83e6d1c6abb586c918ebc3fd3cf_cobalt-strike_cobaltstrike.exe	45
PID 2000 wrote to memory of 2464	2000	2024-06-06_a608d83e6d1c6abb586c918ebc3fd3cf_cobalt-strike_cobaltstrike.exe	46
PID 2000 wrote to memory of 2464	2000	2024-06-06_a608d83e6d1c6abb586c918ebc3fd3cf_cobalt-strike_cobaltstrike.exe	46
PID 2000 wrote to memory of 2464	2000	2024-06-06_a608d83e6d1c6abb586c918ebc3fd3cf_cobalt-strike_cobaltstrike.exe	46
PID 2000 wrote to memory of 2192	2000	2024-06-06_a608d83e6d1c6abb586c918ebc3fd3cf_cobalt-strike_cobaltstrike.exe	47
PID 2000 wrote to memory of 2192	2000	2024-06-06_a608d83e6d1c6abb586c918ebc3fd3cf_cobalt-strike_cobaltstrike.exe	47
PID 2000 wrote to memory of 2192	2000	2024-06-06_a608d83e6d1c6abb586c918ebc3fd3cf_cobalt-strike_cobaltstrike.exe	47
PID 2000 wrote to memory of 984	2000	2024-06-06_a608d83e6d1c6abb586c918ebc3fd3cf_cobalt-strike_cobaltstrike.exe	48
PID 2000 wrote to memory of 984	2000	2024-06-06_a608d83e6d1c6abb586c918ebc3fd3cf_cobalt-strike_cobaltstrike.exe	48
PID 2000 wrote to memory of 984	2000	2024-06-06_a608d83e6d1c6abb586c918ebc3fd3cf_cobalt-strike_cobaltstrike.exe	48
PID 2000 wrote to memory of 2172	2000	2024-06-06_a608d83e6d1c6abb586c918ebc3fd3cf_cobalt-strike_cobaltstrike.exe	49
PID 2000 wrote to memory of 2172	2000	2024-06-06_a608d83e6d1c6abb586c918ebc3fd3cf_cobalt-strike_cobaltstrike.exe	49
PID 2000 wrote to memory of 2172	2000	2024-06-06_a608d83e6d1c6abb586c918ebc3fd3cf_cobalt-strike_cobaltstrike.exe	49

C:\Users\Admin\AppData\Local\Temp\2024-06-06_a608d83e6d1c6abb586c918ebc3fd3cf_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-06_a608d83e6d1c6abb586c918ebc3fd3cf_cobalt-strike_cobaltstrike.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2000
- C:\Windows\System\YqsNbfU.exe
  C:\Windows\System\YqsNbfU.exe
  2⤵
  - Executes dropped EXE
  PID:2784
- C:\Windows\System\DrDivhW.exe
  C:\Windows\System\DrDivhW.exe
  2⤵
  - Executes dropped EXE
  PID:2504
- C:\Windows\System\WHcXFXf.exe
  C:\Windows\System\WHcXFXf.exe
  2⤵
  - Executes dropped EXE
  PID:2524
- C:\Windows\System\ZTiKame.exe
  C:\Windows\System\ZTiKame.exe
  2⤵
  - Executes dropped EXE
  PID:2604
- C:\Windows\System\UaRrsPX.exe
  C:\Windows\System\UaRrsPX.exe
  2⤵
  - Executes dropped EXE
  PID:2532
- C:\Windows\System\iXobjjf.exe
  C:\Windows\System\iXobjjf.exe
  2⤵
  - Executes dropped EXE
  PID:2032
- C:\Windows\System\disMIbP.exe
  C:\Windows\System\disMIbP.exe
  2⤵
  - Executes dropped EXE
  PID:2652
- C:\Windows\System\HqluGkX.exe
  C:\Windows\System\HqluGkX.exe
  2⤵
  - Executes dropped EXE
  PID:2572
- C:\Windows\System\TTWHsHw.exe
  C:\Windows\System\TTWHsHw.exe
  2⤵
  - Executes dropped EXE
  PID:2540
- C:\Windows\System\xUVJMQT.exe
  C:\Windows\System\xUVJMQT.exe
  2⤵
  - Executes dropped EXE
  PID:2372
- C:\Windows\System\HgTzTEv.exe
  C:\Windows\System\HgTzTEv.exe
  2⤵
  - Executes dropped EXE
  PID:2416
- C:\Windows\System\TDDsHXb.exe
  C:\Windows\System\TDDsHXb.exe
  2⤵
  - Executes dropped EXE
  PID:2884
- C:\Windows\System\PRiciuK.exe
  C:\Windows\System\PRiciuK.exe
  2⤵
  - Executes dropped EXE
  PID:1992
- C:\Windows\System\PupqYgl.exe
  C:\Windows\System\PupqYgl.exe
  2⤵
  - Executes dropped EXE
  PID:1580
- C:\Windows\System\ZKPdHrU.exe
  C:\Windows\System\ZKPdHrU.exe
  2⤵
  - Executes dropped EXE
  PID:1840
- C:\Windows\System\FrunxwF.exe
  C:\Windows\System\FrunxwF.exe
  2⤵
  - Executes dropped EXE
  PID:2564
- C:\Windows\System\dJfCFyC.exe
  C:\Windows\System\dJfCFyC.exe
  2⤵
  - Executes dropped EXE
  PID:2704
- C:\Windows\System\ojhnSXC.exe
  C:\Windows\System\ojhnSXC.exe
  2⤵
  - Executes dropped EXE
  PID:2464
- C:\Windows\System\uCrDuIL.exe
  C:\Windows\System\uCrDuIL.exe
  2⤵
  - Executes dropped EXE
  PID:2192
- C:\Windows\System\egsqixx.exe
  C:\Windows\System\egsqixx.exe
  2⤵
  - Executes dropped EXE
  PID:984
- C:\Windows\System\AnRxUBv.exe
  C:\Windows\System\AnRxUBv.exe
  2⤵
  - Executes dropped EXE
  PID:2172

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\AnRxUBv.exe

Filesize
5.9MB

MD5
69390b9bf259a9815f16eb0cf53332a0

SHA1
6ed64dd2817dfb5089d6d9fb43903b5dc620a84a

SHA256
e70a5ea3dca444cbeb58a94cb35c4adbce14d1dce19395ed7daeb724f6843a2f

SHA512
f5c48bcbc295c15c13ee2d9a1b7c9f329dd83bffed386e81f7edb68a5bbb6cc1bc8a9b6d9446b0c91e2b66f45ca645cab4431888288813cbb0c62e9fc6b6f23e

Download Submit
C:\Windows\system\DrDivhW.exe

Filesize
5.9MB

MD5
b4cd2f12ea028aed726ab8e5f9cee24a

SHA1
d189fb33c0c2f3d33c81a78ad5acbb5fb0d63698

SHA256
44d1feaf7e0bc9b150aa7ec08e23849c64773720b23c2c2ef1e24a81ec96e279

SHA512
fff11b3e2e89909bb01631c3b6386c1667149442b934a00f386663f8b15bb4ad240bb72200b39e605edc451cd35f3713587c3076328ef2d59c811b2ca29ba2cc

Download Submit
C:\Windows\system\FrunxwF.exe

Filesize
5.9MB

MD5
d24c2ef63eecbec9ec22ec8e1470862b

SHA1
5d919a95ceecfa79a9b01a860a68547be3ba2b2b

SHA256
2afda3e4ba093f211622723b805ca43d27e5413787b331076664bf82f873c82a

SHA512
72266475dbe364ae0d04d53f40f8a1a65eeee56300e72bafc96455f2067050df5181c80de7289f0030e1443a6dc860a877f30df3e3eb85ac2f5f413b8cad5ce0

Download Submit
C:\Windows\system\HgTzTEv.exe

Filesize
5.9MB

MD5
b35d83bcd6c04b9165e7c0fbb1737ce7

SHA1
7acf742315c83541c66c2ba1b3d04f9ae5dcbe0c

SHA256
1da235b4bb264a2c4348a954e5728e8b19fcef911b8c11868515848cd2e12f07

SHA512
5953453cb6e59666591f321f8aa8fb99fc76ff7954cc7f7c39f468abaaa7cae5f4d36388be77d397b4938abb95f9423f561bd247a745d0992dc7c782d632da99

Download Submit
C:\Windows\system\HqluGkX.exe

Filesize
5.9MB

MD5
112bed52a3dbd48dd01ca6a003596ce3

SHA1
1fc9e7b6a441dfaf595fcbdfd33c9bbd0f46ca08

SHA256
c76b6652b425ce52221dadb9050824d1c9af67868b2851212896364a057514ae

SHA512
0f3767e8eef4b1fcf60d22b9b65121d81ec8478d7c7692675ccd4cdc6148504ad5aea4009d4205b95b87cce678987f380bfce49db0cd9b28f6ad723ddf4fb0d8

Download Submit
C:\Windows\system\PRiciuK.exe

Filesize
5.9MB

MD5
4f76356816d48b598b23f206ea3a1c74

SHA1
a38d2109f5cd8116006c071e9499a9d7ba074b73

SHA256
4a4da3ea21214a5172fb37e08514abc2707f1cb7c04800b321c3883941b4cbfd

SHA512
7306f5ca0513e50e397bd1b30021893ea99b63411bfb6e909c3d2b5f90f1b4d563b51b8b3fcced497abbf1955350d01bcdc2b7fc951835171942566e0e39a895

Download Submit
C:\Windows\system\PupqYgl.exe

Filesize
5.9MB

MD5
adebb5516d854b1b6ec9490219d08a70

SHA1
5261e8bed414aedc0019c5769bd10ecc25733fe9

SHA256
dfb9351ab42fd6fb9a3955b1736b9c06522b317c5419f830c8080fa4333efda8

SHA512
5e65b968dd1da6a0c6a423135f1d3a2c6137278ec7eaa7f1a878e39dd02bf426136b2a7d47d9c7031997fc37aba372781a813036e90dd0e4e9224a24e362e36d

Download Submit
C:\Windows\system\TDDsHXb.exe

Filesize
5.9MB

MD5
c36f32c812d0c2693552e001cdb6ca19

SHA1
16395fd93a6c194ee831b26ce87e3fb16aa9503b

SHA256
fbfe9571c4c441d5558030ae169c45eb439412d559b5c73a8fcbe1edc98c8352

SHA512
31e7ffc4c76c6c1e024cecebb1586326913cf18f15009b51b0a3c5145f5e958a7eb265e478ba08c9e1d5d22710cbb6eb5844358c2bae2fa5d50b6a58e5d621b0

Download Submit
C:\Windows\system\TTWHsHw.exe

Filesize
5.9MB

MD5
db8deab16d8d8f8f7a2c3ee31bc5048e

SHA1
ceb44032a1bea4ba580d110da2b9ae943adc82f3

SHA256
ad5c80c017fa32c0ba93e46e47736c7ad27619c84a9c440265e4ebab5fc84d32

SHA512
ad74b8b956475ca0d7eb23098113f6e8cc6e95bed31695b26b6acc1c3b9e41c24295804bc6235a265e9916b7dff11b273c2a8b31ce5b168dc32d2e03a9ee7e48

Download Submit
C:\Windows\system\UaRrsPX.exe

Filesize
5.9MB

MD5
66ba8a40773ddb28db97ddebb1589f85

SHA1
391a9382d4284ea53688c12a44d56cbfb452f80a

SHA256
ae6e73a0716530c5059d97a582b1daca68d6e35577db20898388bb315e71285b

SHA512
54b8fb8628bbdcf5c99455046d80c6dd26208f0c5af5e0c894ae517c769250e11119b1db710eaec6e0217779838657c24a139b606f211a1d4a2fcbf0c5d09229

Download Submit
C:\Windows\system\WHcXFXf.exe

Filesize
5.9MB

MD5
e1b2ce9968cae25a708af8f049b36cd4

SHA1
617d61c9d04e56a238dcd85d933c266877e1ddbb

SHA256
57010d70546db4ee5f0f947d8acbf6ac5a7dffd0b6f783da0c6d5e688354c2b3

SHA512
9921e1ad0d002ee75ad7de9974d48a373f29629d1dbe9008614eb378df2dd87b09cd3910598582765e057a13db3738c1b55cb32ea854b80eade4bd0db1fec9de

Download Submit
C:\Windows\system\YqsNbfU.exe

Filesize
5.9MB

MD5
e2c7eae65a8ba914919a457b7d6e6e03

SHA1
f106046e3667ee4287604e54336f3463677bd6f1

SHA256
f01ce4b4017c7b7d24de38a8b6d72b0793d54ca13c7933988d5155c076a4d06b

SHA512
6ccea9c08417acbbd56dd206522c029c3ad395455134b8403b33a329f6bd0668475767d0185f72c2b2f1d40465e89950b92e6c0d7a6c0e97eedb6c800cfffb8e

Download Submit
C:\Windows\system\ZKPdHrU.exe

Filesize
5.9MB

MD5
2b37dcf4341b0eb44acb54791777a9ab

SHA1
1f6d12d17f21325bab600554fc2268fbb859eae9

SHA256
b6ed1370f7ffb5fb941f122f472526062e767f512432557dae4861a45f80e823

SHA512
83e0fdd91a0019779e41c26e8f29ed770182f5b1c583a9a5a507c0add636910f8c57cc7770c1ff68bbdf8ef4e7f74aeab15483d0a64f4b81c527de506e42a0a9

Download Submit
C:\Windows\system\ZTiKame.exe

Filesize
5.9MB

MD5
d42d03cdc2055080110efa98dc9808d5

SHA1
c784e364a68d00b83a2456e1818c7108825eb18b

SHA256
139065ac19d9edc2ea17555a9413c241f9899dd83215361944759b6583e4fca9

SHA512
a7716b67fb6499b8ebacb788840f5b7120de13dd4a09a139582685be750c41d6edbf8c101fc8f4eab0b289345c9068c6fdab3d6013adf548b5c1b28cac082371

Download Submit
C:\Windows\system\dJfCFyC.exe

Filesize
5.9MB

MD5
bd90a224383e7ffcd96d4e817f842a82

SHA1
098934088deb92b7558d246dc5c0fe6e24012b31

SHA256
e7140c16e0dd09eaf1e622370f114139535560443fff9f8ddf324db54fd35c9f

SHA512
0d1e9f7ad4c931776c607f268ab2e28c7b762fd0b35d67e118e55617c2cdbe00ef1425b8805d793d6bb5390173ab86888300d74780426228db7f4d44075dc759

Download Submit
C:\Windows\system\disMIbP.exe

Filesize
5.9MB

MD5
4eda06cb49aa5000c0bfa98e26b6369b

SHA1
074b5851fb21a1511ce068cb5af98a6285bf540a

SHA256
fd0b7660b4b6206b001b6418c70ff73bccdcaba9597809a60e64c061424fc780

SHA512
736015713c2caad091d490650c8c9cedfcb1aae90193a6e1556d6c1be6fe82e603091f397020a0c1241e8bab72f44e9f2a9ffb08c64dd026582d50679e3431dd

Download Submit
C:\Windows\system\egsqixx.exe

Filesize
5.9MB

MD5
a07950d608494aa8a9bc1c86cff8c422

SHA1
bf1bca917595e5c35799c79a5793f4061cc8972a

SHA256
66d4cc24d13c5d96414c56a15e0626549eae65c2874606f4afab53a80eef229f

SHA512
9a93ead98d225829932466f7075226bf1dd3941450e4701a0f9488c93eed1bfbc6dcf01e0cf580138a10a40ff17cd7e7f11412e56cd7ad032b83453cd306827e

Download Submit
C:\Windows\system\iXobjjf.exe

Filesize
5.9MB

MD5
7f346884db5ee19920f03561b7751c87

SHA1
edde016eafbb0ee52d0eef04c1af75ec4b9bc567

SHA256
3c6ba38d50128fc7e4b63d9ed3bb0d06c0848d654cb7528650389e20c7498dc2

SHA512
813222aede51f5df1d8c99cb2b016ad9bbc96dab515dccc7b7b9a34884a7c4c96e932b85b4ef4a1cbbc77c165360fb16b1973d425750b7b0a71cca06f0038b16

Download Submit
C:\Windows\system\ojhnSXC.exe

Filesize
5.9MB

MD5
dac6b1e9cbef1ea283b9d6e3c19f99be

SHA1
a15a358d90c23f6c78b92ef48de94e18176088de

SHA256
7a39cce079d91a4d4ffb836926b1327e3a3bc6f200b99f4ef89df952eebcd3ae

SHA512
9b5b6ea164afa2f3edec3e07ba41ebb0d811e3f462fae1c3585683343b4d6112c77d82d7fef259b6cbec72cb0cdebd3c49365571c5c3f4bcf10cf437a2db3150

Download Submit
C:\Windows\system\uCrDuIL.exe

Filesize
5.9MB

MD5
55f17cb48ddd89a31b7abb0068e7e086

SHA1
5e5f7f3b139c6718a9ddd0412b44a8ed3c88c75d

SHA256
8f096061d78e6ac87c71f351a48893b6d7d87d72baa62dc14dab65c74e17ca2c

SHA512
e59ce8454724c0c9f7bec5b02d4d66f2463cdc1fc91cfd2f45a952eac65383228a11f54fe420bee2ad1af0d9dda9c52de63d9a9063d3c5868ff4f97f67639f09

Download Submit
C:\Windows\system\xUVJMQT.exe

Filesize
5.9MB

MD5
a7743133c8b6bdce8a6889ef2f6ba739

SHA1
d5063a7ae786c3427624e6ae7c8ed44252d1686c

SHA256
5ce559f50d4568580e911cc58cd3155d5f19575e07e3b36db5331453e6c20cf9

SHA512
d275f7bd293ef8d9417f50ff90a54c5a6b1f38ab529e98203a06f411ceda624787377a5acc0f7f5f298ef1ca9e206c0b429584a8a1942e2d707710fb1ca1d5f6

Download Submit
memory/1580-128-0x000000013FE40000-0x0000000140194000-memory.dmp

Filesize
3.3MB

Download
memory/1580-144-0x000000013FE40000-0x0000000140194000-memory.dmp

Filesize
3.3MB

Download
memory/1992-126-0x000000013F940000-0x000000013FC94000-memory.dmp

Filesize
3.3MB

Download
memory/1992-143-0x000000013F940000-0x000000013FC94000-memory.dmp

Filesize
3.3MB

Download
memory/2000-130-0x000000013F3B0000-0x000000013F704000-memory.dmp

Filesize
3.3MB

Download
memory/2000-125-0x000000013F940000-0x000000013FC94000-memory.dmp

Filesize
3.3MB

Download
memory/2000-1-0x00000000002F0000-0x0000000000300000-memory.dmp

Filesize
64KB

Download
memory/2000-110-0x000000013FED0000-0x0000000140224000-memory.dmp

Filesize
3.3MB

Download
memory/2000-0-0x000000013F3B0000-0x000000013F704000-memory.dmp

Filesize
3.3MB

Download
memory/2000-114-0x000000013F020000-0x000000013F374000-memory.dmp

Filesize
3.3MB

Download
memory/2000-127-0x000000013FE40000-0x0000000140194000-memory.dmp

Filesize
3.3MB

Download
memory/2000-116-0x0000000002350000-0x00000000026A4000-memory.dmp

Filesize
3.3MB

Download
memory/2000-105-0x000000013FAC0000-0x000000013FE14000-memory.dmp

Filesize
3.3MB

Download
memory/2000-118-0x000000013FA90000-0x000000013FDE4000-memory.dmp

Filesize
3.3MB

Download
memory/2000-108-0x000000013F950000-0x000000013FCA4000-memory.dmp

Filesize
3.3MB

Download
memory/2000-129-0x000000013FCE0000-0x0000000140034000-memory.dmp

Filesize
3.3MB

Download
memory/2032-117-0x000000013F6B0000-0x000000013FA04000-memory.dmp

Filesize
3.3MB

Download
memory/2032-136-0x000000013F6B0000-0x000000013FA04000-memory.dmp

Filesize
3.3MB

Download
memory/2372-122-0x000000013F270000-0x000000013F5C4000-memory.dmp

Filesize
3.3MB

Download
memory/2372-140-0x000000013F270000-0x000000013F5C4000-memory.dmp

Filesize
3.3MB

Download
memory/2416-123-0x000000013F6E0000-0x000000013FA34000-memory.dmp

Filesize
3.3MB

Download
memory/2416-141-0x000000013F6E0000-0x000000013FA34000-memory.dmp

Filesize
3.3MB

Download
memory/2504-107-0x000000013FCE0000-0x0000000140034000-memory.dmp

Filesize
3.3MB

Download
memory/2504-133-0x000000013FCE0000-0x0000000140034000-memory.dmp

Filesize
3.3MB

Download
memory/2524-131-0x000000013F950000-0x000000013FCA4000-memory.dmp

Filesize
3.3MB

Download
memory/2524-109-0x000000013F950000-0x000000013FCA4000-memory.dmp

Filesize
3.3MB

Download
memory/2532-115-0x000000013F020000-0x000000013F374000-memory.dmp

Filesize
3.3MB

Download
memory/2532-135-0x000000013F020000-0x000000013F374000-memory.dmp

Filesize
3.3MB

Download
memory/2540-139-0x000000013F240000-0x000000013F594000-memory.dmp

Filesize
3.3MB

Download
memory/2540-121-0x000000013F240000-0x000000013F594000-memory.dmp

Filesize
3.3MB

Download
memory/2572-138-0x000000013F630000-0x000000013F984000-memory.dmp

Filesize
3.3MB

Download
memory/2572-120-0x000000013F630000-0x000000013F984000-memory.dmp

Filesize
3.3MB

Download
memory/2604-134-0x000000013FED0000-0x0000000140224000-memory.dmp

Filesize
3.3MB

Download
memory/2604-113-0x000000013FED0000-0x0000000140224000-memory.dmp

Filesize
3.3MB

Download
memory/2652-137-0x000000013FA90000-0x000000013FDE4000-memory.dmp

Filesize
3.3MB

Download
memory/2652-119-0x000000013FA90000-0x000000013FDE4000-memory.dmp

Filesize
3.3MB

Download
memory/2784-132-0x000000013FAC0000-0x000000013FE14000-memory.dmp

Filesize
3.3MB

Download
memory/2784-106-0x000000013FAC0000-0x000000013FE14000-memory.dmp

Filesize
3.3MB

Download
memory/2884-124-0x000000013F380000-0x000000013F6D4000-memory.dmp

Filesize
3.3MB

Download
memory/2884-142-0x000000013F380000-0x000000013F6D4000-memory.dmp

Filesize
3.3MB

Download