cobaltstrike | 3c3fc6226215c67c9930a48aba0e7d1f78b3c7fef2e536c69d5c0ee72dba480a

Analysis

max time kernel
144s
max time network
147s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
08/06/2024, 03:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe
Size

5.9MB
MD5

331d709d14967e321553b9ddfb2a4d1c
SHA1

11268077514ba43e1d44254c0d249f0c17348f9e
SHA256

3c3fc6226215c67c9930a48aba0e7d1f78b3c7fef2e536c69d5c0ee72dba480a
SHA512

a6ae3936e2bc54c3fffd5f7894165e5328e48fe9386967e3a3636b69f7ab92e9e6f044f54f07d77f0e74416011319daaa449bf8961cd44fd1ca2c8ccc8860e16
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lU8:Q+856utgpPF8u/78

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x000e00000001226b-6.dat	cobalt_reflective_dll
behavioral1/files/0x0036000000015c7f-7.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000015cc7-12.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015ce3-17.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015d02-39.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000015d0c-44.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015cf0-35.dat	cobalt_reflective_dll
behavioral1/files/0x00070000000165a8-66.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d34-107.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016ce7-99.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016c7a-98.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d1b-96.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016cc3-89.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016c56-82.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016c71-79.dat	cobalt_reflective_dll
behavioral1/files/0x000600000001686d-78.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016abb-71.dat	cobalt_reflective_dll
behavioral1/files/0x000600000001663f-60.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000015d19-52.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d2c-110.dat	cobalt_reflective_dll
behavioral1/files/0x0035000000015c93-59.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

resource	yara_rule
behavioral1/files/0x000e00000001226b-6.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0036000000015c7f-7.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0008000000015cc7-12.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000015ce3-17.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000015d02-39.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0008000000015d0c-44.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000015cf0-35.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x00070000000165a8-66.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d34-107.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016ce7-99.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016c7a-98.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d1b-96.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016cc3-89.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016c56-82.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016c71-79.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x000600000001686d-78.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016abb-71.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x000600000001663f-60.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0008000000015d19-52.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d2c-110.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0035000000015c93-59.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 48 IoCs

resource	yara_rule
behavioral1/memory/2972-1-0x000000013FC30000-0x000000013FF84000-memory.dmp	UPX
behavioral1/files/0x000e00000001226b-6.dat	UPX
behavioral1/files/0x0036000000015c7f-7.dat	UPX
behavioral1/files/0x0008000000015cc7-12.dat	UPX
behavioral1/memory/2432-20-0x000000013FD00000-0x0000000140054000-memory.dmp	UPX
behavioral1/files/0x0007000000015ce3-17.dat	UPX
behavioral1/files/0x0007000000015d02-39.dat	UPX
behavioral1/memory/2788-43-0x000000013F6B0000-0x000000013FA04000-memory.dmp	UPX
behavioral1/files/0x0008000000015d0c-44.dat	UPX
behavioral1/memory/2972-46-0x000000013FC30000-0x000000013FF84000-memory.dmp	UPX
behavioral1/memory/2684-36-0x000000013F660000-0x000000013F9B4000-memory.dmp	UPX
behavioral1/files/0x0007000000015cf0-35.dat	UPX
behavioral1/memory/1156-34-0x000000013FDD0000-0x0000000140124000-memory.dmp	UPX
behavioral1/memory/2644-32-0x000000013F640000-0x000000013F994000-memory.dmp	UPX
behavioral1/memory/1536-15-0x000000013F780000-0x000000013FAD4000-memory.dmp	UPX
behavioral1/files/0x00070000000165a8-66.dat	UPX
behavioral1/memory/2840-94-0x000000013F0E0000-0x000000013F434000-memory.dmp	UPX
behavioral1/memory/2472-113-0x000000013FFD0000-0x0000000140324000-memory.dmp	UPX
behavioral1/files/0x0006000000016d34-107.dat	UPX
behavioral1/files/0x0006000000016ce7-99.dat	UPX
behavioral1/files/0x0006000000016c7a-98.dat	UPX
behavioral1/files/0x0006000000016d1b-96.dat	UPX
behavioral1/files/0x0006000000016cc3-89.dat	UPX
behavioral1/files/0x0006000000016c56-82.dat	UPX
behavioral1/files/0x0006000000016c71-79.dat	UPX
behavioral1/files/0x000600000001686d-78.dat	UPX
behavioral1/files/0x0006000000016abb-71.dat	UPX
behavioral1/memory/2576-64-0x000000013F360000-0x000000013F6B4000-memory.dmp	UPX
behavioral1/files/0x000600000001663f-60.dat	UPX
behavioral1/memory/2644-123-0x000000013F640000-0x000000013F994000-memory.dmp	UPX
behavioral1/files/0x0008000000015d19-52.dat	UPX
behavioral1/files/0x0006000000016d2c-110.dat	UPX
behavioral1/memory/2580-87-0x000000013F5D0000-0x000000013F924000-memory.dmp	UPX
behavioral1/memory/2432-68-0x000000013FD00000-0x0000000140054000-memory.dmp	UPX
behavioral1/files/0x0035000000015c93-59.dat	UPX
behavioral1/memory/1156-124-0x000000013FDD0000-0x0000000140124000-memory.dmp	UPX
behavioral1/memory/2684-133-0x000000013F660000-0x000000013F9B4000-memory.dmp	UPX
behavioral1/memory/2576-134-0x000000013F360000-0x000000013F6B4000-memory.dmp	UPX
behavioral1/memory/1536-135-0x000000013F780000-0x000000013FAD4000-memory.dmp	UPX
behavioral1/memory/2432-136-0x000000013FD00000-0x0000000140054000-memory.dmp	UPX
behavioral1/memory/2644-137-0x000000013F640000-0x000000013F994000-memory.dmp	UPX
behavioral1/memory/1156-138-0x000000013FDD0000-0x0000000140124000-memory.dmp	UPX
behavioral1/memory/2788-139-0x000000013F6B0000-0x000000013FA04000-memory.dmp	UPX
behavioral1/memory/2684-140-0x000000013F660000-0x000000013F9B4000-memory.dmp	UPX
behavioral1/memory/2576-141-0x000000013F360000-0x000000013F6B4000-memory.dmp	UPX
behavioral1/memory/2580-142-0x000000013F5D0000-0x000000013F924000-memory.dmp	UPX
behavioral1/memory/2472-143-0x000000013FFD0000-0x0000000140324000-memory.dmp	UPX
behavioral1/memory/2840-144-0x000000013F0E0000-0x000000013F434000-memory.dmp	UPX

XMRig Miner payload 48 IoCs

miner

resource	yara_rule
behavioral1/memory/2972-1-0x000000013FC30000-0x000000013FF84000-memory.dmp	xmrig
behavioral1/files/0x000e00000001226b-6.dat	xmrig
behavioral1/files/0x0036000000015c7f-7.dat	xmrig
behavioral1/files/0x0008000000015cc7-12.dat	xmrig
behavioral1/memory/2432-20-0x000000013FD00000-0x0000000140054000-memory.dmp	xmrig
behavioral1/files/0x0007000000015ce3-17.dat	xmrig
behavioral1/files/0x0007000000015d02-39.dat	xmrig
behavioral1/memory/2788-43-0x000000013F6B0000-0x000000013FA04000-memory.dmp	xmrig
behavioral1/files/0x0008000000015d0c-44.dat	xmrig
behavioral1/memory/2972-46-0x000000013FC30000-0x000000013FF84000-memory.dmp	xmrig
behavioral1/memory/2684-36-0x000000013F660000-0x000000013F9B4000-memory.dmp	xmrig
behavioral1/files/0x0007000000015cf0-35.dat	xmrig
behavioral1/memory/1156-34-0x000000013FDD0000-0x0000000140124000-memory.dmp	xmrig
behavioral1/memory/2644-32-0x000000013F640000-0x000000013F994000-memory.dmp	xmrig
behavioral1/memory/1536-15-0x000000013F780000-0x000000013FAD4000-memory.dmp	xmrig
behavioral1/files/0x00070000000165a8-66.dat	xmrig
behavioral1/memory/2840-94-0x000000013F0E0000-0x000000013F434000-memory.dmp	xmrig
behavioral1/memory/2472-113-0x000000013FFD0000-0x0000000140324000-memory.dmp	xmrig
behavioral1/files/0x0006000000016d34-107.dat	xmrig
behavioral1/files/0x0006000000016ce7-99.dat	xmrig
behavioral1/files/0x0006000000016c7a-98.dat	xmrig
behavioral1/files/0x0006000000016d1b-96.dat	xmrig
behavioral1/files/0x0006000000016cc3-89.dat	xmrig
behavioral1/files/0x0006000000016c56-82.dat	xmrig
behavioral1/files/0x0006000000016c71-79.dat	xmrig
behavioral1/files/0x000600000001686d-78.dat	xmrig
behavioral1/files/0x0006000000016abb-71.dat	xmrig
behavioral1/memory/2576-64-0x000000013F360000-0x000000013F6B4000-memory.dmp	xmrig
behavioral1/files/0x000600000001663f-60.dat	xmrig
behavioral1/memory/2644-123-0x000000013F640000-0x000000013F994000-memory.dmp	xmrig
behavioral1/files/0x0008000000015d19-52.dat	xmrig
behavioral1/files/0x0006000000016d2c-110.dat	xmrig
behavioral1/memory/2580-87-0x000000013F5D0000-0x000000013F924000-memory.dmp	xmrig
behavioral1/memory/2432-68-0x000000013FD00000-0x0000000140054000-memory.dmp	xmrig
behavioral1/files/0x0035000000015c93-59.dat	xmrig
behavioral1/memory/1156-124-0x000000013FDD0000-0x0000000140124000-memory.dmp	xmrig
behavioral1/memory/2684-133-0x000000013F660000-0x000000013F9B4000-memory.dmp	xmrig
behavioral1/memory/2576-134-0x000000013F360000-0x000000013F6B4000-memory.dmp	xmrig
behavioral1/memory/1536-135-0x000000013F780000-0x000000013FAD4000-memory.dmp	xmrig
behavioral1/memory/2432-136-0x000000013FD00000-0x0000000140054000-memory.dmp	xmrig
behavioral1/memory/2644-137-0x000000013F640000-0x000000013F994000-memory.dmp	xmrig
behavioral1/memory/1156-138-0x000000013FDD0000-0x0000000140124000-memory.dmp	xmrig
behavioral1/memory/2788-139-0x000000013F6B0000-0x000000013FA04000-memory.dmp	xmrig
behavioral1/memory/2684-140-0x000000013F660000-0x000000013F9B4000-memory.dmp	xmrig
behavioral1/memory/2576-141-0x000000013F360000-0x000000013F6B4000-memory.dmp	xmrig
behavioral1/memory/2580-142-0x000000013F5D0000-0x000000013F924000-memory.dmp	xmrig
behavioral1/memory/2472-143-0x000000013FFD0000-0x0000000140324000-memory.dmp	xmrig
behavioral1/memory/2840-144-0x000000013F0E0000-0x000000013F434000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
1536	OzwFmWw.exe
2432	YRZnlQs.exe
2644	ednbosU.exe
1156	CnLCBQp.exe
2684	VFMiJrK.exe
2788	wWOmXaZ.exe
2576	CnNVDxA.exe
2580	FwKjOMO.exe
2472	HppnSSZ.exe
2840	OKjtYhu.exe
2888	QKEKBwg.exe
2020	YPOmlGR.exe
1952	PdhGWjy.exe
2652	LbNQdmq.exe
2536	AEQkSMZ.exe
2224	jRbKLSD.exe
1572	ydHYbkG.exe
2712	dFldRiu.exe
2980	WtEtJrX.exe
1976	rVgYNxb.exe
1032	BzpgWyS.exe

Loads dropped DLL 21 IoCs

pid	Process
2972	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe
2972	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe
2972	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe
2972	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe
2972	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe
2972	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe
2972	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe
2972	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe
2972	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe
2972	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe
2972	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe
2972	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe
2972	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe
2972	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe
2972	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe
2972	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe
2972	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe
2972	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe
2972	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe
2972	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe
2972	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe

UPX packed file 48 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2972-1-0x000000013FC30000-0x000000013FF84000-memory.dmp	upx
behavioral1/files/0x000e00000001226b-6.dat	upx
behavioral1/files/0x0036000000015c7f-7.dat	upx
behavioral1/files/0x0008000000015cc7-12.dat	upx
behavioral1/memory/2432-20-0x000000013FD00000-0x0000000140054000-memory.dmp	upx
behavioral1/files/0x0007000000015ce3-17.dat	upx
behavioral1/files/0x0007000000015d02-39.dat	upx
behavioral1/memory/2788-43-0x000000013F6B0000-0x000000013FA04000-memory.dmp	upx
behavioral1/files/0x0008000000015d0c-44.dat	upx
behavioral1/memory/2972-46-0x000000013FC30000-0x000000013FF84000-memory.dmp	upx
behavioral1/memory/2684-36-0x000000013F660000-0x000000013F9B4000-memory.dmp	upx
behavioral1/files/0x0007000000015cf0-35.dat	upx
behavioral1/memory/1156-34-0x000000013FDD0000-0x0000000140124000-memory.dmp	upx
behavioral1/memory/2644-32-0x000000013F640000-0x000000013F994000-memory.dmp	upx
behavioral1/memory/1536-15-0x000000013F780000-0x000000013FAD4000-memory.dmp	upx
behavioral1/files/0x00070000000165a8-66.dat	upx
behavioral1/memory/2840-94-0x000000013F0E0000-0x000000013F434000-memory.dmp	upx
behavioral1/memory/2472-113-0x000000013FFD0000-0x0000000140324000-memory.dmp	upx
behavioral1/files/0x0006000000016d34-107.dat	upx
behavioral1/files/0x0006000000016ce7-99.dat	upx
behavioral1/files/0x0006000000016c7a-98.dat	upx
behavioral1/files/0x0006000000016d1b-96.dat	upx
behavioral1/files/0x0006000000016cc3-89.dat	upx
behavioral1/files/0x0006000000016c56-82.dat	upx
behavioral1/files/0x0006000000016c71-79.dat	upx
behavioral1/files/0x000600000001686d-78.dat	upx
behavioral1/files/0x0006000000016abb-71.dat	upx
behavioral1/memory/2576-64-0x000000013F360000-0x000000013F6B4000-memory.dmp	upx
behavioral1/files/0x000600000001663f-60.dat	upx
behavioral1/memory/2644-123-0x000000013F640000-0x000000013F994000-memory.dmp	upx
behavioral1/files/0x0008000000015d19-52.dat	upx
behavioral1/files/0x0006000000016d2c-110.dat	upx
behavioral1/memory/2580-87-0x000000013F5D0000-0x000000013F924000-memory.dmp	upx
behavioral1/memory/2432-68-0x000000013FD00000-0x0000000140054000-memory.dmp	upx
behavioral1/files/0x0035000000015c93-59.dat	upx
behavioral1/memory/1156-124-0x000000013FDD0000-0x0000000140124000-memory.dmp	upx
behavioral1/memory/2684-133-0x000000013F660000-0x000000013F9B4000-memory.dmp	upx
behavioral1/memory/2576-134-0x000000013F360000-0x000000013F6B4000-memory.dmp	upx
behavioral1/memory/1536-135-0x000000013F780000-0x000000013FAD4000-memory.dmp	upx
behavioral1/memory/2432-136-0x000000013FD00000-0x0000000140054000-memory.dmp	upx
behavioral1/memory/2644-137-0x000000013F640000-0x000000013F994000-memory.dmp	upx
behavioral1/memory/1156-138-0x000000013FDD0000-0x0000000140124000-memory.dmp	upx
behavioral1/memory/2788-139-0x000000013F6B0000-0x000000013FA04000-memory.dmp	upx
behavioral1/memory/2684-140-0x000000013F660000-0x000000013F9B4000-memory.dmp	upx
behavioral1/memory/2576-141-0x000000013F360000-0x000000013F6B4000-memory.dmp	upx
behavioral1/memory/2580-142-0x000000013F5D0000-0x000000013F924000-memory.dmp	upx
behavioral1/memory/2472-143-0x000000013FFD0000-0x0000000140324000-memory.dmp	upx
behavioral1/memory/2840-144-0x000000013F0E0000-0x000000013F434000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\AEQkSMZ.exe	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\WtEtJrX.exe	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\BzpgWyS.exe	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\FwKjOMO.exe	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\jRbKLSD.exe	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\OKjtYhu.exe	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\dFldRiu.exe	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\rVgYNxb.exe	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\CnNVDxA.exe	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\HppnSSZ.exe	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\QKEKBwg.exe	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\YRZnlQs.exe	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\CnLCBQp.exe	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ednbosU.exe	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\VFMiJrK.exe	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\wWOmXaZ.exe	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\PdhGWjy.exe	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\OzwFmWw.exe	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\LbNQdmq.exe	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ydHYbkG.exe	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\YPOmlGR.exe	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2972	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	2972	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2972 wrote to memory of 1536	2972	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe	29
PID 2972 wrote to memory of 1536	2972	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe	29
PID 2972 wrote to memory of 1536	2972	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe	29
PID 2972 wrote to memory of 2432	2972	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe	30
PID 2972 wrote to memory of 2432	2972	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe	30
PID 2972 wrote to memory of 2432	2972	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe	30
PID 2972 wrote to memory of 1156	2972	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe	31
PID 2972 wrote to memory of 1156	2972	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe	31
PID 2972 wrote to memory of 1156	2972	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe	31
PID 2972 wrote to memory of 2644	2972	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe	32
PID 2972 wrote to memory of 2644	2972	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe	32
PID 2972 wrote to memory of 2644	2972	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe	32
PID 2972 wrote to memory of 2684	2972	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe	33
PID 2972 wrote to memory of 2684	2972	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe	33
PID 2972 wrote to memory of 2684	2972	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe	33
PID 2972 wrote to memory of 2788	2972	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe	34
PID 2972 wrote to memory of 2788	2972	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe	34
PID 2972 wrote to memory of 2788	2972	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe	34
PID 2972 wrote to memory of 2652	2972	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe	35
PID 2972 wrote to memory of 2652	2972	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe	35
PID 2972 wrote to memory of 2652	2972	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe	35
PID 2972 wrote to memory of 2576	2972	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe	36
PID 2972 wrote to memory of 2576	2972	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe	36
PID 2972 wrote to memory of 2576	2972	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe	36
PID 2972 wrote to memory of 2536	2972	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe	37
PID 2972 wrote to memory of 2536	2972	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe	37
PID 2972 wrote to memory of 2536	2972	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe	37
PID 2972 wrote to memory of 2580	2972	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe	38
PID 2972 wrote to memory of 2580	2972	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe	38
PID 2972 wrote to memory of 2580	2972	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe	38
PID 2972 wrote to memory of 2224	2972	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe	39
PID 2972 wrote to memory of 2224	2972	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe	39
PID 2972 wrote to memory of 2224	2972	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe	39
PID 2972 wrote to memory of 2472	2972	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe	40
PID 2972 wrote to memory of 2472	2972	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe	40
PID 2972 wrote to memory of 2472	2972	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe	40
PID 2972 wrote to memory of 1572	2972	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe	41
PID 2972 wrote to memory of 1572	2972	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe	41
PID 2972 wrote to memory of 1572	2972	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe	41
PID 2972 wrote to memory of 2840	2972	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe	42
PID 2972 wrote to memory of 2840	2972	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe	42
PID 2972 wrote to memory of 2840	2972	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe	42
PID 2972 wrote to memory of 2712	2972	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe	43
PID 2972 wrote to memory of 2712	2972	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe	43
PID 2972 wrote to memory of 2712	2972	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe	43
PID 2972 wrote to memory of 2888	2972	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe	44
PID 2972 wrote to memory of 2888	2972	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe	44
PID 2972 wrote to memory of 2888	2972	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe	44
PID 2972 wrote to memory of 2980	2972	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe	45
PID 2972 wrote to memory of 2980	2972	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe	45
PID 2972 wrote to memory of 2980	2972	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe	45
PID 2972 wrote to memory of 2020	2972	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe	46
PID 2972 wrote to memory of 2020	2972	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe	46
PID 2972 wrote to memory of 2020	2972	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe	46
PID 2972 wrote to memory of 1976	2972	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe	47
PID 2972 wrote to memory of 1976	2972	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe	47
PID 2972 wrote to memory of 1976	2972	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe	47
PID 2972 wrote to memory of 1952	2972	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe	48
PID 2972 wrote to memory of 1952	2972	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe	48
PID 2972 wrote to memory of 1952	2972	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe	48
PID 2972 wrote to memory of 1032	2972	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe	49
PID 2972 wrote to memory of 1032	2972	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe	49
PID 2972 wrote to memory of 1032	2972	2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe	49

C:\Users\Admin\AppData\Local\Temp\2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-08_331d709d14967e321553b9ddfb2a4d1c_cobalt-strike_cobaltstrike.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2972
- C:\Windows\System\OzwFmWw.exe
  C:\Windows\System\OzwFmWw.exe
  2⤵
  - Executes dropped EXE
  PID:1536
- C:\Windows\System\YRZnlQs.exe
  C:\Windows\System\YRZnlQs.exe
  2⤵
  - Executes dropped EXE
  PID:2432
- C:\Windows\System\CnLCBQp.exe
  C:\Windows\System\CnLCBQp.exe
  2⤵
  - Executes dropped EXE
  PID:1156
- C:\Windows\System\ednbosU.exe
  C:\Windows\System\ednbosU.exe
  2⤵
  - Executes dropped EXE
  PID:2644
- C:\Windows\System\VFMiJrK.exe
  C:\Windows\System\VFMiJrK.exe
  2⤵
  - Executes dropped EXE
  PID:2684
- C:\Windows\System\wWOmXaZ.exe
  C:\Windows\System\wWOmXaZ.exe
  2⤵
  - Executes dropped EXE
  PID:2788
- C:\Windows\System\LbNQdmq.exe
  C:\Windows\System\LbNQdmq.exe
  2⤵
  - Executes dropped EXE
  PID:2652
- C:\Windows\System\CnNVDxA.exe
  C:\Windows\System\CnNVDxA.exe
  2⤵
  - Executes dropped EXE
  PID:2576
- C:\Windows\System\AEQkSMZ.exe
  C:\Windows\System\AEQkSMZ.exe
  2⤵
  - Executes dropped EXE
  PID:2536
- C:\Windows\System\FwKjOMO.exe
  C:\Windows\System\FwKjOMO.exe
  2⤵
  - Executes dropped EXE
  PID:2580
- C:\Windows\System\jRbKLSD.exe
  C:\Windows\System\jRbKLSD.exe
  2⤵
  - Executes dropped EXE
  PID:2224
- C:\Windows\System\HppnSSZ.exe
  C:\Windows\System\HppnSSZ.exe
  2⤵
  - Executes dropped EXE
  PID:2472
- C:\Windows\System\ydHYbkG.exe
  C:\Windows\System\ydHYbkG.exe
  2⤵
  - Executes dropped EXE
  PID:1572
- C:\Windows\System\OKjtYhu.exe
  C:\Windows\System\OKjtYhu.exe
  2⤵
  - Executes dropped EXE
  PID:2840
- C:\Windows\System\dFldRiu.exe
  C:\Windows\System\dFldRiu.exe
  2⤵
  - Executes dropped EXE
  PID:2712
- C:\Windows\System\QKEKBwg.exe
  C:\Windows\System\QKEKBwg.exe
  2⤵
  - Executes dropped EXE
  PID:2888
- C:\Windows\System\WtEtJrX.exe
  C:\Windows\System\WtEtJrX.exe
  2⤵
  - Executes dropped EXE
  PID:2980
- C:\Windows\System\YPOmlGR.exe
  C:\Windows\System\YPOmlGR.exe
  2⤵
  - Executes dropped EXE
  PID:2020
- C:\Windows\System\rVgYNxb.exe
  C:\Windows\System\rVgYNxb.exe
  2⤵
  - Executes dropped EXE
  PID:1976
- C:\Windows\System\PdhGWjy.exe
  C:\Windows\System\PdhGWjy.exe
  2⤵
  - Executes dropped EXE
  PID:1952
- C:\Windows\System\BzpgWyS.exe
  C:\Windows\System\BzpgWyS.exe
  2⤵
  - Executes dropped EXE
  PID:1032

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\CnNVDxA.exe

Filesize
5.9MB

MD5
848685fdd8762d84ee026590b7e68985

SHA1
eb9cdc96a917af6dce3202b4434033d84352b087

SHA256
977c9b5dcde98ac798d0324372a747acc33ce8f625d851d5f27512c14922c610

SHA512
407a6802be2fb440d45705bdfedc9e1d012a75db3ce67c4464d1507bfffd75d1725133c8510b14a36130b2ea9494da0792c8c51b321761a35914429d70ccc4e9

Download Submit
C:\Windows\system\FwKjOMO.exe

Filesize
5.9MB

MD5
3b21cc23cc7ccdf74173142e742cdeb2

SHA1
2e384fb5d40fe45294c9832008770d7607c8edbf

SHA256
4f37cdeea3753b2ba494c65e110c48e0678e842e918148b3afe5f3b991a8d9dc

SHA512
6b848e8ba4d4f927c7562b505bf4cb32050b1db0fc04cc5aa4bc088a78858b06a041d455c77344fe629944c7c75bf57de1d7bd69015d85c6de36ff82c18127ec

Download Submit
C:\Windows\system\HppnSSZ.exe

Filesize
5.9MB

MD5
34c059cb57f50b7e1348023595585031

SHA1
6305671b86883c6b7d98e259535012a630a57ab8

SHA256
d7db27ddf0747793f295cedfefbf4af6926bcdefd38d6a5a8c893b62351241ed

SHA512
1a11ed35dc19d91a3a55ccaa7eab86b309c68db21dc23841c990d6a5e8d96c893b8be3a50262efc9868fb7198fdfc3d025e85f5de328c8cd21704c840557f44d

Download Submit
C:\Windows\system\OKjtYhu.exe

Filesize
5.9MB

MD5
2bc40b2ee258769c4191a99761255083

SHA1
43193fb0397ab3a80f6ba6dce753f40366700647

SHA256
1b02b68381c68d7b7dfb9ce267369027cc6a17c351254ddfcd23465cdcf26ad3

SHA512
ed3a29cceb3ede2e6bca23fca7a1747185bb445d60f51b6e7a5f377c249efe23e6d3cff9fbbf5036d43750091bfc6e1ea43d98e7bc9d4be3b069ffa64ffac5d6

Download Submit
C:\Windows\system\OzwFmWw.exe

Filesize
5.9MB

MD5
ee489922c39db443118f988498a30f7b

SHA1
a738513afa0500354b158c0d9b0d5eb35bad1533

SHA256
0b92a2529752cb543f2aa8dd2fd730b87e1a785d81fd429e2f2ce7addda32276

SHA512
ac7ae733f075b071e00ca1ebec37110eab6553f8f7b399573c7b2c0f890d4a0673b23b806aab857117d80a7ad7ecf21eecf9b20ec835fd190bb174652ad87473

Download Submit
C:\Windows\system\PdhGWjy.exe

Filesize
5.9MB

MD5
473b9ed3da928f797f296b1502161546

SHA1
d83b7417466b0e95362b55eb18370aef12f81afd

SHA256
93a1daae06813824c8bbdc156464b7baefb3c619694c81f495b07929bdf2333c

SHA512
8138f3042d93d67a405c0c2fe79bb86e5b4c87b247309e73474e31a9d1da97f44b519897e030d465a616df4f8f9da8efbc0265417895a0ca22eea5558783da1c

Download Submit
C:\Windows\system\QKEKBwg.exe

Filesize
5.9MB

MD5
0faac172d206bae9a3591b14344dec3b

SHA1
085eda7eae120de0a312a851d24c1ee4adf3a922

SHA256
ddfec000300b3f31f089bfeb367773a123f9ce2f1731dd856af1ba25c29b35c8

SHA512
de1df2e75da6c8ae9018ca00699acb4da54e862cc6a6c6d7cb7717d5b40df1b6f58b76ee87beda5e66012215826cb454bcc65866b7c9bf8a4cec5304abc755cd

Download Submit
C:\Windows\system\VFMiJrK.exe

Filesize
5.9MB

MD5
169c3acbecca05dacf4d7171f7cf864e

SHA1
9243de6a4d10f8cbaf7df80b2c62d5dcacec3040

SHA256
a481a795fd4b64d9408105587ca45fffdf7eaa7fbd68e21114ca64df6840da11

SHA512
9a809783dbb3c6601ec33922b8c45c5f3dd4b1dc5e1522f44c7247acb6ec95e8f689121cc3f57d0489122eb522e0fd4c24e2c176b89cdd487a7fcf85c91dfb60

Download Submit
C:\Windows\system\YPOmlGR.exe

Filesize
5.9MB

MD5
7c225930e9d3e10363ac2fe2f3ad4172

SHA1
acfce0b50f9e86177d4f0f645636ef09e0246a21

SHA256
45234e2921793b88d0c74fed57bef64df1b4ce74eae76ee800a5e77d9589952d

SHA512
89a5e6b467d7d4decec9efc286aed06fc975999a830de9231b7261d8b971926856b223a588db9017a3edc96d7e4a2e31d40a1c8a03de36faaff8bd5b0b3cb336

Download Submit
C:\Windows\system\wWOmXaZ.exe

Filesize
5.9MB

MD5
f54c0617a2abaee330579bc93d2895a4

SHA1
d94019155497eb028c50023c964357a8adf7ff1e

SHA256
974f98d736b36d7dac71faf0f3570bbf70e6e87fe4a59ffd96bfb4cf691cac2d

SHA512
95044a32bcb638e0dcce6cd8cb82cc9edb18894c0cb770ea8bb5a1555591f2922ab8d9bd9f5fb691a723801638730f67f77cb8a5f5823e10aa5aae8c36c95949

Download Submit
\Windows\system\AEQkSMZ.exe

Filesize
5.9MB

MD5
0a2544112c625f742add0e6f793765c3

SHA1
c8c551e107702d5d37142ca0f10fbbcfe6709217

SHA256
4c290d71aa9167738dce53ffaa514a20ac1917c348d7c120ad4aa76b06a18102

SHA512
17da7d55a3d8eb19c212d50d01e909fd6bb0c57daa666fd1975a39004a6bef76e0262930e1729713c2bf818b0d2d17e0c22119894adf3688e313adbb104cecae

Download Submit
\Windows\system\BzpgWyS.exe

Filesize
5.9MB

MD5
85f1269648700c01dab2c0df6dfc912c

SHA1
32f507273e32f441e05d60babfcfbe723e16498f

SHA256
16bbd560ddb0df2e5739e422d37f10467ed2b2d53f202fc765594c8dbe26e975

SHA512
b8f2eef5c7f63103a59e026b718cb8ea3aca70c4efe0a989cb55f1205e54b488e721f2f30dcdc1811fda076885e0111254403f92b681415bb87390bbb1183022

Download Submit
\Windows\system\CnLCBQp.exe

Filesize
5.9MB

MD5
09c07830ad382026a0202e5d51d85635

SHA1
d1f226c5e389cb4b2203dbaebd12923e12ddb8ea

SHA256
f14ac1cfcc1f84442649522f9165ad21d1e003bb54c362513f6d3ba67e84487c

SHA512
297935135708925da8aa7ea55a6fe264addc7be5818cf71340caccfe6b5582a45ce07c1ffbd56a44c9ef3fab913e8927e417300189bd0f9cd5919aa1e24115e9

Download Submit
\Windows\system\LbNQdmq.exe

Filesize
5.9MB

MD5
c6834f9fe1d8059bfcd618f11f1c9bf6

SHA1
2744d49ebb91fb64907480349d170661548cd9ee

SHA256
e8b453eba54fa3d2b48f7dfb3c533fc33458e3065dafd2b2f18c1b88fba316f8

SHA512
b2e1f94ea549a5880bab6ec16255cc715b605582447e9940300d7a26ccb9f2c195f5cbadbe30cdbb5307cb51b2331b7d201f121dd74fbf0fbdb1c0b9c20078f8

Download Submit
\Windows\system\WtEtJrX.exe

Filesize
5.9MB

MD5
d3435ffcaea817c23591605ea97e7952

SHA1
64ce4dd6ca0e55a644f0b9081891999cad564bde

SHA256
71d736dd266c50c8a83f8848ae75243ed8be1334f9c0aea09c41ec6fc5e6079c

SHA512
d080a5d0747e07719430fc28650d7e9d0f13640789b6e93f1ebca73ac85848dee61f9d0ee98b9c36fce362d68889d12692f3e9c53ef536375543f2c7b28f34f7

Download Submit
\Windows\system\YRZnlQs.exe

Filesize
5.9MB

MD5
184c84a2117b61c3ab6234c7a7acd1bf

SHA1
757fc49be226a9e3231bc33f7593841cf325573c

SHA256
fda326d8e92dd17174468cd7f2d516afc488f03c4b9af430d93b303375001300

SHA512
2a1dd871462861692412c4012a034853f9b62a31fcfb60978331ed1db735eb1db4a1650b7e802525096aaf38232e0678dc43c2d93b4a2213ae06b20e4051af26

Download Submit
\Windows\system\dFldRiu.exe

Filesize
5.9MB

MD5
407f220db4f2d0cff54c90b6c4794ac8

SHA1
92fa671f6d0032f5722368a860a8963e8354b082

SHA256
6b7845f7e366a0a288c3933ee8ff55579e662faeb4b8a6862bfd4095449d609d

SHA512
b19c41d54137303c56f9d0070eae03e709a33ee00ef273c52a7bf70da60d1cc60ac5fec718253bef3455c9c8c92e02cae45cf5eeda8b42481c6e66f5d0df7a26

Download Submit
\Windows\system\ednbosU.exe

Filesize
5.9MB

MD5
3b7d34a1d765a57e964a4bbad60bcffe

SHA1
bb0e8d37bb8f33189efc10f01d29a20be863770f

SHA256
47affc71bbff88e9149c25f3b30da422d90b09abd09bf4f79d9161e93a63eb2d

SHA512
c10fd7bea7fa417ca5dcff3a2992d2d7dbab0408b0e40addf517be0b568852a358cb285942247a5e70405ca2cf7a5feb39a80e623be7438f456c5dec6cf1c021

Download Submit
\Windows\system\jRbKLSD.exe

Filesize
5.9MB

MD5
71b77dba1d5e08304736e18846f767d7

SHA1
9df41ac6f74f4dc44d09c6d5f5fc8ca9934adf52

SHA256
0aeada957d2e8801ff2d06b05725c5f58a532578574cc4a2df72e809e2a894ba

SHA512
5acb311794bc8c83dd1727401c51a195ae6e4667d780d6d6290d3303a3c73f090c49a30e8593a5287613abac01d3f4eb4c70460c87e8a579ddcdc7ab5c4861a1

Download Submit
\Windows\system\rVgYNxb.exe

Filesize
5.9MB

MD5
3152d47bf8a1ee48a2139574a3c151d6

SHA1
5efd1b1eec07e056fae5ce19bb8ee70fc34cd84e

SHA256
a8cfbac8a2622383820a226b7d07dded94cf22136f8f3c4594f142e8607246cb

SHA512
e0547b0c54d3f81272b9358d1a92794a893a4f0370480062704c32c6deb341f2801b3185a371ce7fc31b6b46f103c4ffc48a4b05118950ade4c4972f2b33365b

Download Submit
\Windows\system\ydHYbkG.exe

Filesize
5.9MB

MD5
7bf6b00acdb328a06002f62fdd83a009

SHA1
e019d1da09a4e56b57f89b247a7cf30b0643c7ff

SHA256
90ff75ad0e25d1fe24affd805c0be4da45e0e01493084db78edef01b1aa17ab9

SHA512
a299d4b344030bd5952993cfb4109a444dc79ac874b94173f544115d25333ed3a8ab424a55ffcdd9d9a22537ec4e933b09d92d25acf8814b19b1cf6311cd71d2

Download Submit
memory/1156-34-0x000000013FDD0000-0x0000000140124000-memory.dmp

Filesize
3.3MB

Download
memory/1156-124-0x000000013FDD0000-0x0000000140124000-memory.dmp

Filesize
3.3MB

Download
memory/1156-138-0x000000013FDD0000-0x0000000140124000-memory.dmp

Filesize
3.3MB

Download
memory/1536-15-0x000000013F780000-0x000000013FAD4000-memory.dmp

Filesize
3.3MB

Download
memory/1536-135-0x000000013F780000-0x000000013FAD4000-memory.dmp

Filesize
3.3MB

Download
memory/2432-136-0x000000013FD00000-0x0000000140054000-memory.dmp

Filesize
3.3MB

Download
memory/2432-20-0x000000013FD00000-0x0000000140054000-memory.dmp

Filesize
3.3MB

Download
memory/2432-68-0x000000013FD00000-0x0000000140054000-memory.dmp

Filesize
3.3MB

Download
memory/2472-143-0x000000013FFD0000-0x0000000140324000-memory.dmp

Filesize
3.3MB

Download
memory/2472-113-0x000000013FFD0000-0x0000000140324000-memory.dmp

Filesize
3.3MB

Download
memory/2576-134-0x000000013F360000-0x000000013F6B4000-memory.dmp

Filesize
3.3MB

Download
memory/2576-141-0x000000013F360000-0x000000013F6B4000-memory.dmp

Filesize
3.3MB

Download
memory/2576-64-0x000000013F360000-0x000000013F6B4000-memory.dmp

Filesize
3.3MB

Download
memory/2580-87-0x000000013F5D0000-0x000000013F924000-memory.dmp

Filesize
3.3MB

Download
memory/2580-142-0x000000013F5D0000-0x000000013F924000-memory.dmp

Filesize
3.3MB

Download
memory/2644-123-0x000000013F640000-0x000000013F994000-memory.dmp

Filesize
3.3MB

Download
memory/2644-137-0x000000013F640000-0x000000013F994000-memory.dmp

Filesize
3.3MB

Download
memory/2644-32-0x000000013F640000-0x000000013F994000-memory.dmp

Filesize
3.3MB

Download
memory/2684-36-0x000000013F660000-0x000000013F9B4000-memory.dmp

Filesize
3.3MB

Download
memory/2684-140-0x000000013F660000-0x000000013F9B4000-memory.dmp

Filesize
3.3MB

Download
memory/2684-133-0x000000013F660000-0x000000013F9B4000-memory.dmp

Filesize
3.3MB

Download
memory/2788-43-0x000000013F6B0000-0x000000013FA04000-memory.dmp

Filesize
3.3MB

Download
memory/2788-139-0x000000013F6B0000-0x000000013FA04000-memory.dmp

Filesize
3.3MB

Download
memory/2840-144-0x000000013F0E0000-0x000000013F434000-memory.dmp

Filesize
3.3MB

Download
memory/2840-94-0x000000013F0E0000-0x000000013F434000-memory.dmp

Filesize
3.3MB

Download
memory/2972-0-0x00000000001F0000-0x0000000000200000-memory.dmp

Filesize
64KB

Download
memory/2972-1-0x000000013FC30000-0x000000013FF84000-memory.dmp

Filesize
3.3MB

Download
memory/2972-77-0x00000000022B0000-0x0000000002604000-memory.dmp

Filesize
3.3MB

Download
memory/2972-106-0x000000013FFD0000-0x0000000140324000-memory.dmp

Filesize
3.3MB

Download
memory/2972-11-0x000000013F780000-0x000000013FAD4000-memory.dmp

Filesize
3.3MB

Download
memory/2972-111-0x000000013F0E0000-0x000000013F434000-memory.dmp

Filesize
3.3MB

Download
memory/2972-114-0x000000013F5A0000-0x000000013F8F4000-memory.dmp

Filesize
3.3MB

Download
memory/2972-53-0x000000013F360000-0x000000013F6B4000-memory.dmp

Filesize
3.3MB

Download
memory/2972-42-0x000000013F6B0000-0x000000013FA04000-memory.dmp

Filesize
3.3MB

Download
memory/2972-46-0x000000013FC30000-0x000000013FF84000-memory.dmp

Filesize
3.3MB

Download
memory/2972-29-0x000000013F660000-0x000000013F9B4000-memory.dmp

Filesize
3.3MB

Download
memory/2972-28-0x000000013F640000-0x000000013F994000-memory.dmp

Filesize
3.3MB

Download
memory/2972-26-0x00000000022B0000-0x0000000002604000-memory.dmp

Filesize
3.3MB

Download
memory/2972-24-0x00000000022B0000-0x0000000002604000-memory.dmp

Filesize
3.3MB

Download
memory/2972-109-0x00000000022B0000-0x0000000002604000-memory.dmp

Filesize
3.3MB

Download