cobaltstrike | 533968da5f70b15825c3d38ac86568d335d754e3ebdfc6d22b3fdc90f72b8416

Analysis

max time kernel
137s
max time network
147s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09-06-2024 03:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe
Size

5.9MB
MD5

012d7d7aba617660dc8fd939a0de7d65
SHA1

7edf54e4717d322538140882cc36ac9df4cc2d69
SHA256

533968da5f70b15825c3d38ac86568d335d754e3ebdfc6d22b3fdc90f72b8416
SHA512

6d9fda5603796731f96d1d7d27a18f4e9cdd461768a04148c2dc47aecee92f7e0d170bccad881fa505bc72263a7446a1761e31c454cf3a75d27e7db816ff8ba5
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUT:Q+856utgpPF8u/7T

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x000d000000014708-6.dat	cobalt_reflective_dll
behavioral1/files/0x002f000000014b63-8.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000014f71-12.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015653-17.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015659-23.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015661-30.dat	cobalt_reflective_dll
behavioral1/files/0x000900000001567f-38.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015d67-41.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015d6f-45.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015d79-49.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015d87-53.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015d8f-57.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015e3a-63.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015f6d-73.dat	cobalt_reflective_dll
behavioral1/files/0x000600000001630b-89.dat	cobalt_reflective_dll
behavioral1/files/0x00060000000164b2-93.dat	cobalt_reflective_dll
behavioral1/files/0x00060000000161e7-85.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016117-81.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015fe9-77.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015eaf-69.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015d9b-61.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

resource	yara_rule
behavioral1/files/0x000d000000014708-6.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x002f000000014b63-8.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0008000000014f71-12.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000015653-17.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000015659-23.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000015661-30.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x000900000001567f-38.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000015d67-41.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015d6f-45.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015d79-49.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015d87-53.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015d8f-57.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015e3a-63.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015f6d-73.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x000600000001630b-89.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x00060000000164b2-93.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x00060000000161e7-85.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016117-81.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015fe9-77.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015eaf-69.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015d9b-61.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 51 IoCs

resource	yara_rule
behavioral1/memory/2056-0-0x000000013FCD0000-0x0000000140024000-memory.dmp	UPX
behavioral1/files/0x000d000000014708-6.dat	UPX
behavioral1/files/0x002f000000014b63-8.dat	UPX
behavioral1/files/0x0008000000014f71-12.dat	UPX
behavioral1/files/0x0007000000015653-17.dat	UPX
behavioral1/files/0x0007000000015659-23.dat	UPX
behavioral1/files/0x0007000000015661-30.dat	UPX
behavioral1/files/0x000900000001567f-38.dat	UPX
behavioral1/files/0x0007000000015d67-41.dat	UPX
behavioral1/files/0x0006000000015d6f-45.dat	UPX
behavioral1/files/0x0006000000015d79-49.dat	UPX
behavioral1/files/0x0006000000015d87-53.dat	UPX
behavioral1/files/0x0006000000015d8f-57.dat	UPX
behavioral1/files/0x0006000000015e3a-63.dat	UPX
behavioral1/files/0x0006000000015f6d-73.dat	UPX
behavioral1/files/0x000600000001630b-89.dat	UPX
behavioral1/files/0x00060000000164b2-93.dat	UPX
behavioral1/files/0x00060000000161e7-85.dat	UPX
behavioral1/files/0x0006000000016117-81.dat	UPX
behavioral1/files/0x0006000000015fe9-77.dat	UPX
behavioral1/files/0x0006000000015eaf-69.dat	UPX
behavioral1/files/0x0006000000015d9b-61.dat	UPX
behavioral1/memory/2392-34-0x000000013F880000-0x000000013FBD4000-memory.dmp	UPX
behavioral1/memory/2552-102-0x000000013F420000-0x000000013F774000-memory.dmp	UPX
behavioral1/memory/2724-110-0x000000013F750000-0x000000013FAA4000-memory.dmp	UPX
behavioral1/memory/1948-118-0x000000013FDD0000-0x0000000140124000-memory.dmp	UPX
behavioral1/memory/2620-116-0x000000013F570000-0x000000013F8C4000-memory.dmp	UPX
behavioral1/memory/2568-120-0x000000013FAA0000-0x000000013FDF4000-memory.dmp	UPX
behavioral1/memory/2604-127-0x000000013F360000-0x000000013F6B4000-memory.dmp	UPX
behavioral1/memory/2776-125-0x000000013F390000-0x000000013F6E4000-memory.dmp	UPX
behavioral1/memory/2032-124-0x000000013F6B0000-0x000000013FA04000-memory.dmp	UPX
behavioral1/memory/2492-122-0x000000013FF90000-0x00000001402E4000-memory.dmp	UPX
behavioral1/memory/2060-121-0x000000013F9C0000-0x000000013FD14000-memory.dmp	UPX
behavioral1/memory/2468-119-0x000000013FB60000-0x000000013FEB4000-memory.dmp	UPX
behavioral1/memory/2140-114-0x000000013F360000-0x000000013F6B4000-memory.dmp	UPX
behavioral1/memory/2732-113-0x000000013F1C0000-0x000000013F514000-memory.dmp	UPX
behavioral1/memory/2056-129-0x000000013FCD0000-0x0000000140024000-memory.dmp	UPX
behavioral1/memory/2776-130-0x000000013F390000-0x000000013F6E4000-memory.dmp	UPX
behavioral1/memory/2392-131-0x000000013F880000-0x000000013FBD4000-memory.dmp	UPX
behavioral1/memory/2552-132-0x000000013F420000-0x000000013F774000-memory.dmp	UPX
behavioral1/memory/2724-133-0x000000013F750000-0x000000013FAA4000-memory.dmp	UPX
behavioral1/memory/2604-135-0x000000013F360000-0x000000013F6B4000-memory.dmp	UPX
behavioral1/memory/2732-134-0x000000013F1C0000-0x000000013F514000-memory.dmp	UPX
behavioral1/memory/2492-138-0x000000013FF90000-0x00000001402E4000-memory.dmp	UPX
behavioral1/memory/1948-137-0x000000013FDD0000-0x0000000140124000-memory.dmp	UPX
behavioral1/memory/2140-136-0x000000013F360000-0x000000013F6B4000-memory.dmp	UPX
behavioral1/memory/2620-140-0x000000013F570000-0x000000013F8C4000-memory.dmp	UPX
behavioral1/memory/2568-139-0x000000013FAA0000-0x000000013FDF4000-memory.dmp	UPX
behavioral1/memory/2060-142-0x000000013F9C0000-0x000000013FD14000-memory.dmp	UPX
behavioral1/memory/2468-141-0x000000013FB60000-0x000000013FEB4000-memory.dmp	UPX
behavioral1/memory/2032-143-0x000000013F6B0000-0x000000013FA04000-memory.dmp	UPX

XMRig Miner payload 54 IoCs

miner

resource	yara_rule
behavioral1/memory/2056-0-0x000000013FCD0000-0x0000000140024000-memory.dmp	xmrig
behavioral1/files/0x000d000000014708-6.dat	xmrig
behavioral1/files/0x002f000000014b63-8.dat	xmrig
behavioral1/files/0x0008000000014f71-12.dat	xmrig
behavioral1/files/0x0007000000015653-17.dat	xmrig
behavioral1/files/0x0007000000015659-23.dat	xmrig
behavioral1/files/0x0007000000015661-30.dat	xmrig
behavioral1/files/0x000900000001567f-38.dat	xmrig
behavioral1/files/0x0007000000015d67-41.dat	xmrig
behavioral1/files/0x0006000000015d6f-45.dat	xmrig
behavioral1/files/0x0006000000015d79-49.dat	xmrig
behavioral1/files/0x0006000000015d87-53.dat	xmrig
behavioral1/files/0x0006000000015d8f-57.dat	xmrig
behavioral1/files/0x0006000000015e3a-63.dat	xmrig
behavioral1/files/0x0006000000015f6d-73.dat	xmrig
behavioral1/files/0x000600000001630b-89.dat	xmrig
behavioral1/files/0x00060000000164b2-93.dat	xmrig
behavioral1/files/0x00060000000161e7-85.dat	xmrig
behavioral1/files/0x0006000000016117-81.dat	xmrig
behavioral1/files/0x0006000000015fe9-77.dat	xmrig
behavioral1/files/0x0006000000015eaf-69.dat	xmrig
behavioral1/files/0x0006000000015d9b-61.dat	xmrig
behavioral1/memory/2392-34-0x000000013F880000-0x000000013FBD4000-memory.dmp	xmrig
behavioral1/memory/2552-102-0x000000013F420000-0x000000013F774000-memory.dmp	xmrig
behavioral1/memory/2724-110-0x000000013F750000-0x000000013FAA4000-memory.dmp	xmrig
behavioral1/memory/2056-115-0x000000013F570000-0x000000013F8C4000-memory.dmp	xmrig
behavioral1/memory/1948-118-0x000000013FDD0000-0x0000000140124000-memory.dmp	xmrig
behavioral1/memory/2620-116-0x000000013F570000-0x000000013F8C4000-memory.dmp	xmrig
behavioral1/memory/2568-120-0x000000013FAA0000-0x000000013FDF4000-memory.dmp	xmrig
behavioral1/memory/2056-123-0x000000013F6B0000-0x000000013FA04000-memory.dmp	xmrig
behavioral1/memory/2604-127-0x000000013F360000-0x000000013F6B4000-memory.dmp	xmrig
behavioral1/memory/2056-126-0x000000013F880000-0x000000013FBD4000-memory.dmp	xmrig
behavioral1/memory/2776-125-0x000000013F390000-0x000000013F6E4000-memory.dmp	xmrig
behavioral1/memory/2032-124-0x000000013F6B0000-0x000000013FA04000-memory.dmp	xmrig
behavioral1/memory/2492-122-0x000000013FF90000-0x00000001402E4000-memory.dmp	xmrig
behavioral1/memory/2060-121-0x000000013F9C0000-0x000000013FD14000-memory.dmp	xmrig
behavioral1/memory/2468-119-0x000000013FB60000-0x000000013FEB4000-memory.dmp	xmrig
behavioral1/memory/2140-114-0x000000013F360000-0x000000013F6B4000-memory.dmp	xmrig
behavioral1/memory/2732-113-0x000000013F1C0000-0x000000013F514000-memory.dmp	xmrig
behavioral1/memory/2056-129-0x000000013FCD0000-0x0000000140024000-memory.dmp	xmrig
behavioral1/memory/2776-130-0x000000013F390000-0x000000013F6E4000-memory.dmp	xmrig
behavioral1/memory/2392-131-0x000000013F880000-0x000000013FBD4000-memory.dmp	xmrig
behavioral1/memory/2552-132-0x000000013F420000-0x000000013F774000-memory.dmp	xmrig
behavioral1/memory/2724-133-0x000000013F750000-0x000000013FAA4000-memory.dmp	xmrig
behavioral1/memory/2604-135-0x000000013F360000-0x000000013F6B4000-memory.dmp	xmrig
behavioral1/memory/2732-134-0x000000013F1C0000-0x000000013F514000-memory.dmp	xmrig
behavioral1/memory/2492-138-0x000000013FF90000-0x00000001402E4000-memory.dmp	xmrig
behavioral1/memory/1948-137-0x000000013FDD0000-0x0000000140124000-memory.dmp	xmrig
behavioral1/memory/2140-136-0x000000013F360000-0x000000013F6B4000-memory.dmp	xmrig
behavioral1/memory/2620-140-0x000000013F570000-0x000000013F8C4000-memory.dmp	xmrig
behavioral1/memory/2568-139-0x000000013FAA0000-0x000000013FDF4000-memory.dmp	xmrig
behavioral1/memory/2060-142-0x000000013F9C0000-0x000000013FD14000-memory.dmp	xmrig
behavioral1/memory/2468-141-0x000000013FB60000-0x000000013FEB4000-memory.dmp	xmrig
behavioral1/memory/2032-143-0x000000013F6B0000-0x000000013FA04000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2776	ugANaHi.exe
2392	WoERXDB.exe
2552	nVvBHhw.exe
2724	ekPhrzR.exe
2604	SVYoKgI.exe
2732	rViuXVP.exe
2140	XFpUjoo.exe
2620	IeTnUhP.exe
1948	YixCYSX.exe
2468	GBlFSuj.exe
2568	thuGTyu.exe
2060	qIJzTLK.exe
2492	eksiifC.exe
2032	FmmJDvD.exe
2536	QRhrYfZ.exe
2624	GuVABwR.exe
2980	fUIXESd.exe
3056	EETtwrN.exe
3012	FSYHUpz.exe
2180	isdfGms.exe
2708	uGBaVkU.exe

Loads dropped DLL 21 IoCs

pid	Process
2056	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe
2056	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe
2056	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe
2056	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe
2056	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe
2056	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe
2056	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe
2056	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe
2056	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe
2056	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe
2056	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe
2056	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe
2056	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe
2056	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe
2056	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe
2056	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe
2056	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe
2056	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe
2056	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe
2056	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe
2056	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe

UPX packed file 51 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2056-0-0x000000013FCD0000-0x0000000140024000-memory.dmp	upx
behavioral1/files/0x000d000000014708-6.dat	upx
behavioral1/files/0x002f000000014b63-8.dat	upx
behavioral1/files/0x0008000000014f71-12.dat	upx
behavioral1/files/0x0007000000015653-17.dat	upx
behavioral1/files/0x0007000000015659-23.dat	upx
behavioral1/files/0x0007000000015661-30.dat	upx
behavioral1/files/0x000900000001567f-38.dat	upx
behavioral1/files/0x0007000000015d67-41.dat	upx
behavioral1/files/0x0006000000015d6f-45.dat	upx
behavioral1/files/0x0006000000015d79-49.dat	upx
behavioral1/files/0x0006000000015d87-53.dat	upx
behavioral1/files/0x0006000000015d8f-57.dat	upx
behavioral1/files/0x0006000000015e3a-63.dat	upx
behavioral1/files/0x0006000000015f6d-73.dat	upx
behavioral1/files/0x000600000001630b-89.dat	upx
behavioral1/files/0x00060000000164b2-93.dat	upx
behavioral1/files/0x00060000000161e7-85.dat	upx
behavioral1/files/0x0006000000016117-81.dat	upx
behavioral1/files/0x0006000000015fe9-77.dat	upx
behavioral1/files/0x0006000000015eaf-69.dat	upx
behavioral1/files/0x0006000000015d9b-61.dat	upx
behavioral1/memory/2392-34-0x000000013F880000-0x000000013FBD4000-memory.dmp	upx
behavioral1/memory/2552-102-0x000000013F420000-0x000000013F774000-memory.dmp	upx
behavioral1/memory/2724-110-0x000000013F750000-0x000000013FAA4000-memory.dmp	upx
behavioral1/memory/1948-118-0x000000013FDD0000-0x0000000140124000-memory.dmp	upx
behavioral1/memory/2620-116-0x000000013F570000-0x000000013F8C4000-memory.dmp	upx
behavioral1/memory/2568-120-0x000000013FAA0000-0x000000013FDF4000-memory.dmp	upx
behavioral1/memory/2604-127-0x000000013F360000-0x000000013F6B4000-memory.dmp	upx
behavioral1/memory/2776-125-0x000000013F390000-0x000000013F6E4000-memory.dmp	upx
behavioral1/memory/2032-124-0x000000013F6B0000-0x000000013FA04000-memory.dmp	upx
behavioral1/memory/2492-122-0x000000013FF90000-0x00000001402E4000-memory.dmp	upx
behavioral1/memory/2060-121-0x000000013F9C0000-0x000000013FD14000-memory.dmp	upx
behavioral1/memory/2468-119-0x000000013FB60000-0x000000013FEB4000-memory.dmp	upx
behavioral1/memory/2140-114-0x000000013F360000-0x000000013F6B4000-memory.dmp	upx
behavioral1/memory/2732-113-0x000000013F1C0000-0x000000013F514000-memory.dmp	upx
behavioral1/memory/2056-129-0x000000013FCD0000-0x0000000140024000-memory.dmp	upx
behavioral1/memory/2776-130-0x000000013F390000-0x000000013F6E4000-memory.dmp	upx
behavioral1/memory/2392-131-0x000000013F880000-0x000000013FBD4000-memory.dmp	upx
behavioral1/memory/2552-132-0x000000013F420000-0x000000013F774000-memory.dmp	upx
behavioral1/memory/2724-133-0x000000013F750000-0x000000013FAA4000-memory.dmp	upx
behavioral1/memory/2604-135-0x000000013F360000-0x000000013F6B4000-memory.dmp	upx
behavioral1/memory/2732-134-0x000000013F1C0000-0x000000013F514000-memory.dmp	upx
behavioral1/memory/2492-138-0x000000013FF90000-0x00000001402E4000-memory.dmp	upx
behavioral1/memory/1948-137-0x000000013FDD0000-0x0000000140124000-memory.dmp	upx
behavioral1/memory/2140-136-0x000000013F360000-0x000000013F6B4000-memory.dmp	upx
behavioral1/memory/2620-140-0x000000013F570000-0x000000013F8C4000-memory.dmp	upx
behavioral1/memory/2568-139-0x000000013FAA0000-0x000000013FDF4000-memory.dmp	upx
behavioral1/memory/2060-142-0x000000013F9C0000-0x000000013FD14000-memory.dmp	upx
behavioral1/memory/2468-141-0x000000013FB60000-0x000000013FEB4000-memory.dmp	upx
behavioral1/memory/2032-143-0x000000013F6B0000-0x000000013FA04000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\XFpUjoo.exe	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\EETtwrN.exe	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\qIJzTLK.exe	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\FmmJDvD.exe	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\fUIXESd.exe	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\WoERXDB.exe	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\nVvBHhw.exe	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\rViuXVP.exe	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\GBlFSuj.exe	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\YixCYSX.exe	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\thuGTyu.exe	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\eksiifC.exe	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\FSYHUpz.exe	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ugANaHi.exe	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ekPhrzR.exe	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\SVYoKgI.exe	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\IeTnUhP.exe	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\QRhrYfZ.exe	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\GuVABwR.exe	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\isdfGms.exe	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\uGBaVkU.exe	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2056	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	2056	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2056 wrote to memory of 2776	2056	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe	29
PID 2056 wrote to memory of 2776	2056	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe	29
PID 2056 wrote to memory of 2776	2056	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe	29
PID 2056 wrote to memory of 2392	2056	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe	30
PID 2056 wrote to memory of 2392	2056	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe	30
PID 2056 wrote to memory of 2392	2056	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe	30
PID 2056 wrote to memory of 2552	2056	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe	31
PID 2056 wrote to memory of 2552	2056	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe	31
PID 2056 wrote to memory of 2552	2056	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe	31
PID 2056 wrote to memory of 2724	2056	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe	32
PID 2056 wrote to memory of 2724	2056	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe	32
PID 2056 wrote to memory of 2724	2056	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe	32
PID 2056 wrote to memory of 2604	2056	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe	33
PID 2056 wrote to memory of 2604	2056	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe	33
PID 2056 wrote to memory of 2604	2056	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe	33
PID 2056 wrote to memory of 2732	2056	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe	34
PID 2056 wrote to memory of 2732	2056	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe	34
PID 2056 wrote to memory of 2732	2056	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe	34
PID 2056 wrote to memory of 2140	2056	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe	35
PID 2056 wrote to memory of 2140	2056	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe	35
PID 2056 wrote to memory of 2140	2056	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe	35
PID 2056 wrote to memory of 2620	2056	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe	36
PID 2056 wrote to memory of 2620	2056	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe	36
PID 2056 wrote to memory of 2620	2056	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe	36
PID 2056 wrote to memory of 1948	2056	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe	37
PID 2056 wrote to memory of 1948	2056	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe	37
PID 2056 wrote to memory of 1948	2056	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe	37
PID 2056 wrote to memory of 2468	2056	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe	38
PID 2056 wrote to memory of 2468	2056	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe	38
PID 2056 wrote to memory of 2468	2056	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe	38
PID 2056 wrote to memory of 2568	2056	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe	39
PID 2056 wrote to memory of 2568	2056	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe	39
PID 2056 wrote to memory of 2568	2056	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe	39
PID 2056 wrote to memory of 2060	2056	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe	40
PID 2056 wrote to memory of 2060	2056	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe	40
PID 2056 wrote to memory of 2060	2056	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe	40
PID 2056 wrote to memory of 2492	2056	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe	41
PID 2056 wrote to memory of 2492	2056	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe	41
PID 2056 wrote to memory of 2492	2056	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe	41
PID 2056 wrote to memory of 2032	2056	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe	42
PID 2056 wrote to memory of 2032	2056	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe	42
PID 2056 wrote to memory of 2032	2056	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe	42
PID 2056 wrote to memory of 2536	2056	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe	43
PID 2056 wrote to memory of 2536	2056	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe	43
PID 2056 wrote to memory of 2536	2056	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe	43
PID 2056 wrote to memory of 2624	2056	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe	44
PID 2056 wrote to memory of 2624	2056	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe	44
PID 2056 wrote to memory of 2624	2056	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe	44
PID 2056 wrote to memory of 2980	2056	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe	45
PID 2056 wrote to memory of 2980	2056	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe	45
PID 2056 wrote to memory of 2980	2056	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe	45
PID 2056 wrote to memory of 3056	2056	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe	46
PID 2056 wrote to memory of 3056	2056	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe	46
PID 2056 wrote to memory of 3056	2056	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe	46
PID 2056 wrote to memory of 3012	2056	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe	47
PID 2056 wrote to memory of 3012	2056	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe	47
PID 2056 wrote to memory of 3012	2056	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe	47
PID 2056 wrote to memory of 2180	2056	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe	48
PID 2056 wrote to memory of 2180	2056	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe	48
PID 2056 wrote to memory of 2180	2056	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe	48
PID 2056 wrote to memory of 2708	2056	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe	49
PID 2056 wrote to memory of 2708	2056	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe	49
PID 2056 wrote to memory of 2708	2056	2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe	49

C:\Users\Admin\AppData\Local\Temp\2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-09_012d7d7aba617660dc8fd939a0de7d65_cobalt-strike_cobaltstrike.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2056
- C:\Windows\System\ugANaHi.exe
  C:\Windows\System\ugANaHi.exe
  2⤵
  - Executes dropped EXE
  PID:2776
- C:\Windows\System\WoERXDB.exe
  C:\Windows\System\WoERXDB.exe
  2⤵
  - Executes dropped EXE
  PID:2392
- C:\Windows\System\nVvBHhw.exe
  C:\Windows\System\nVvBHhw.exe
  2⤵
  - Executes dropped EXE
  PID:2552
- C:\Windows\System\ekPhrzR.exe
  C:\Windows\System\ekPhrzR.exe
  2⤵
  - Executes dropped EXE
  PID:2724
- C:\Windows\System\SVYoKgI.exe
  C:\Windows\System\SVYoKgI.exe
  2⤵
  - Executes dropped EXE
  PID:2604
- C:\Windows\System\rViuXVP.exe
  C:\Windows\System\rViuXVP.exe
  2⤵
  - Executes dropped EXE
  PID:2732
- C:\Windows\System\XFpUjoo.exe
  C:\Windows\System\XFpUjoo.exe
  2⤵
  - Executes dropped EXE
  PID:2140
- C:\Windows\System\IeTnUhP.exe
  C:\Windows\System\IeTnUhP.exe
  2⤵
  - Executes dropped EXE
  PID:2620
- C:\Windows\System\YixCYSX.exe
  C:\Windows\System\YixCYSX.exe
  2⤵
  - Executes dropped EXE
  PID:1948
- C:\Windows\System\GBlFSuj.exe
  C:\Windows\System\GBlFSuj.exe
  2⤵
  - Executes dropped EXE
  PID:2468
- C:\Windows\System\thuGTyu.exe
  C:\Windows\System\thuGTyu.exe
  2⤵
  - Executes dropped EXE
  PID:2568
- C:\Windows\System\qIJzTLK.exe
  C:\Windows\System\qIJzTLK.exe
  2⤵
  - Executes dropped EXE
  PID:2060
- C:\Windows\System\eksiifC.exe
  C:\Windows\System\eksiifC.exe
  2⤵
  - Executes dropped EXE
  PID:2492
- C:\Windows\System\FmmJDvD.exe
  C:\Windows\System\FmmJDvD.exe
  2⤵
  - Executes dropped EXE
  PID:2032
- C:\Windows\System\QRhrYfZ.exe
  C:\Windows\System\QRhrYfZ.exe
  2⤵
  - Executes dropped EXE
  PID:2536
- C:\Windows\System\GuVABwR.exe
  C:\Windows\System\GuVABwR.exe
  2⤵
  - Executes dropped EXE
  PID:2624
- C:\Windows\System\fUIXESd.exe
  C:\Windows\System\fUIXESd.exe
  2⤵
  - Executes dropped EXE
  PID:2980
- C:\Windows\System\EETtwrN.exe
  C:\Windows\System\EETtwrN.exe
  2⤵
  - Executes dropped EXE
  PID:3056
- C:\Windows\System\FSYHUpz.exe
  C:\Windows\System\FSYHUpz.exe
  2⤵
  - Executes dropped EXE
  PID:3012
- C:\Windows\System\isdfGms.exe
  C:\Windows\System\isdfGms.exe
  2⤵
  - Executes dropped EXE
  PID:2180
- C:\Windows\System\uGBaVkU.exe
  C:\Windows\System\uGBaVkU.exe
  2⤵
  - Executes dropped EXE
  PID:2708

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\EETtwrN.exe

Filesize
5.9MB

MD5
248f563b3b539f9c1ecc0a9d463721fd

SHA1
5031d9ab4e0f52d29357cc733fa792cecf04ca01

SHA256
8d4ab302affc4da1290f6e8ab3bcc37685da5e5686faf77f817c9ba5f15be4b6

SHA512
46ba1ab2a1a7ce6dac18acaf7135bd43762f01c98838fe27de1757ef684ec44e8cfc6465800da302ba7ddc244455652bf2b899843046cdbfa0e719ad370cb6df

Download Submit
C:\Windows\system\FSYHUpz.exe

Filesize
5.9MB

MD5
1e84ca046ce6ffdbe4abbeadf081be14

SHA1
48a8f919a6efb21903aef648562e6966ac772852

SHA256
8f2e205b0d24200f9409ae742278e9c936fd6b0df5d02cd833998bf86b7077e1

SHA512
2627857f91f45aa7db050e65f167385fdeb5ac5d37fcc87f4c2fd4ed938a0bf3ac2080b8aa88d69a7d4d76eda4fda864b10fa3e6415218c4e6c7dba19043aa15

Download Submit
C:\Windows\system\GBlFSuj.exe

Filesize
5.9MB

MD5
a9da488a58a45636b88ba94b04dfef5c

SHA1
f59f50df33e23708836697f555de15a5356888ae

SHA256
af01684a96d8fdcf5fdb92396b5875855010c2ca0490fc2346c2da2ff3b278e7

SHA512
0dad3292465e46ca03716f74e57f9b37f83c662cb4af7109ef353c3b3b68652ceddba75e8b47ad3b20d30854edd2442dd7e25cdcfda8cbbbb81141f8a5f8a6e5

Download Submit
C:\Windows\system\GuVABwR.exe

Filesize
5.9MB

MD5
be5154dae885132bd9163e6e71570585

SHA1
8d7b721b1445ef15bc9f6fa9521c620a65bb3909

SHA256
dc5b599476690e396e0a6a9686bc7eaf5e1f22747a8a299e66f8742203fb58a7

SHA512
a88fc852dd810cfc6d92e3d97502f5f5fda2ce8463d8950af00fe744ea47aecffdc57d96e551fcdfae226b6d461c6b3014dd6f0d7f8959a79455139fe33369a8

Download Submit
C:\Windows\system\IeTnUhP.exe

Filesize
5.9MB

MD5
e34eb3c1b2e299addd37f2f77b3648ac

SHA1
0b14dd673688766768bb9f41ffb1bae6a006f670

SHA256
4bd416d82df926044b8b495e2fb36c8ed5b8d118cbefd25e7ff5b5d7d5b021d0

SHA512
ff2a4e1b000194476fcedfb4a497d0925df45ad93857165f03a80d30716284718f50ccd15ff56cb6f0eb827bbb1c6478abc24e17fe3e5b88c6c4503a9fb68d0b

Download Submit
C:\Windows\system\QRhrYfZ.exe

Filesize
5.9MB

MD5
a1a1f6881678f22a7fe1ea8877c5d720

SHA1
be80c939d96533923f2bc9b981b5080d5ef5d6b2

SHA256
1c2dcad46a4e79e16a7781adc3da572f097bfcc8803beda3f5f1c4f9e58e6c1f

SHA512
e6073d1160e32ccdb1e0e5cfb1e29a22f0f6689122a1ed5eb602badd423c524b8f282745be5b26db327f1956eace62d20b7f1f89113afe79e64ce7c67f5c8d27

Download Submit
C:\Windows\system\XFpUjoo.exe

Filesize
5.9MB

MD5
7729e8d3032defa3102f1d7a6fe8c06d

SHA1
88d89a4a5dd4b6eb01067d34e3e0173ae1f480e8

SHA256
a54fbe419236e7fbe871318ca375b3102943449b0c48a9452514717991103fde

SHA512
2ab715f08b5b9fa9da50b5613f2f030fbea21d5ce157bc8339aa67b71b9c0a8fafabd5fae0393d4b340073c5b788e32c40d8934b063d5efded938688255c8d3e

Download Submit
C:\Windows\system\YixCYSX.exe

Filesize
5.9MB

MD5
0c1384f038e23b7adb6203706fe34b2e

SHA1
aca629081c4182141616f0b8937d6c4edf2066a1

SHA256
5b874e05eec10a977996199e1edbd15180439aa5be146df29644ce23111af230

SHA512
6cb00c0f35c245822bce45c42604473d05949a9b65555f5865051219cc98a8330ccd8a6f5b22c0954d683619f496ea62f8a486c40d0a0cc39c88027d9032c27e

Download Submit
C:\Windows\system\eksiifC.exe

Filesize
5.9MB

MD5
78c79b1fe5675bf383064f7753d9cd38

SHA1
745215c76ed7f8844054c72dc96b628b8e3fd833

SHA256
60e9aaba45fbefb3e469326c1940cecb15c17da3b4f3af40b75e7ef58c76ef9c

SHA512
8b25d1f63adfd6d5ddd69fffb996d97e0db7c46dcd61fcef932615b3d6b8e42bfd635dcfee778255fe733345617f2f2d63bad664162aad57ed145d6f0fed824a

Download Submit
C:\Windows\system\fUIXESd.exe

Filesize
5.9MB

MD5
c284f2d53989a5915abb11a286d327e9

SHA1
9f3d018286f2f6adce0bd553e48d0ef8fff9be83

SHA256
49a29f477c026cc8b18fdb93132f74b6b93eca48705dc4e7bafecbda1d646401

SHA512
9576d5c10d30b568454cdd91344d8798e8d3e63fb664f76a16ad379747228f573609320d88393b17fedae51990878c81a1b4d6c8edee2e3f75b8fe3dff71bfa2

Download Submit
C:\Windows\system\isdfGms.exe

Filesize
5.9MB

MD5
b1c0cbf3312db10380e137503f909a2e

SHA1
02896948a4617909ffc77cabf961e53f9836f6a6

SHA256
c5563df3f729ece03a9513c07ac38bbb6fd0baf3e43754f6fc20f8a27009a283

SHA512
d5f7b8621cdd2b9e90cb1aa9ee2685a0ad744353009eded27304ad7732ed1c23b7c8ea409fe4fc370aaf947a1bdf793a190c6d04d5c6ebd5814c78bee7a480dd

Download Submit
C:\Windows\system\qIJzTLK.exe

Filesize
5.9MB

MD5
57785674a23052952658530bd19fd7e9

SHA1
9a94c166e3209329608b87761612bca48cf1d9b1

SHA256
ba9a18f1fe7dbf93196337518a18c29360a213fed5a63e9ab63c47ff9ad3a016

SHA512
1bc07c3db32320aced790eddaf6c5c295595023cda0affce4245b3271f52900293b1ed882ca3e0430f46fa3cfd2186932398452c7a0e606137ba8da356b8e779

Download Submit
C:\Windows\system\rViuXVP.exe

Filesize
5.9MB

MD5
65b33a248d58b0ca904e65ea195a63d4

SHA1
78a193c79e5c00318fad7cd91191a4472cfc4d77

SHA256
6567acdb4c6ca5e7a925f85da35ff7b11f8bb9873ebc5252b95c130fe163c2c2

SHA512
1c958ea7a7d72436377d0a60132758fad94b1324496cf0e7605b3366ae21bc7956c05e57f4f422b3654a2738ade4f95a12eed48413ff592343358a170931f035

Download Submit
C:\Windows\system\thuGTyu.exe

Filesize
5.9MB

MD5
50def838cb17a1b0dbd8165e55c85c0d

SHA1
eac859a6aad7eac501d70e4e402cc3125ab16fac

SHA256
a818f521620c7c08318ca4bc78f7c7503dcbd432f003bc78e595c1d8b4c02ac4

SHA512
98f9ff5d2054b9f45a259b231855ff33fef47ff3ac14535207a2c065b48eb3dd09291a7c89af9361809627910a306d52425ca4f3c6342be93124d340c9f85292

Download Submit
C:\Windows\system\uGBaVkU.exe

Filesize
5.9MB

MD5
cbad39b87355c6c534a2a9e2cfff5134

SHA1
58f2b76635cec78e0ba081adf82aac514fb4b3fe

SHA256
102d3e53ea538888ad67930b27f2f31ce2b6152779790807c952814d8263d267

SHA512
afb252c58e772053660980d834cf75e2fbddcd92afb18c9e563f8f94054388c95fa3e915acc2612052d970fd61fdeb4c554d49a797c523f774350a56f03f22bf

Download Submit
C:\Windows\system\ugANaHi.exe

Filesize
5.9MB

MD5
5231ecf85e4883a0d33f187b699e43f9

SHA1
987b828002e5b15cd469b4e1ae07fed5e7f7c510

SHA256
7f95f0c022e61f17338e9d9e7666beb12393caadda05941c2918c1c05a78562f

SHA512
26a4b3b23076d78e0fbfb03214b468ebf2cf0cab2ef4f2bcd208d1a225ba44ee78e0bbb5103f43ed9ea2b1fd2c7c51ca05fb422f5257954235a43a2d171f5e29

Download Submit
\Windows\system\FmmJDvD.exe

Filesize
5.9MB

MD5
2f6338cdc480f6dfaa957421689d1466

SHA1
e78c2f09bffc985a1ec9171f7738d6870a50929b

SHA256
ad8162be5796c8649b25e5243f8121245aaefb064ef09fc7e4885c5173016615

SHA512
03642232408700d2c67697c54a7bf76c35b2170f04d7b7a15e76b08309f3e111c2df77b90b1186b9b09f164e3a4e92b07ce7f86130cf260e1f65bad945d8e592

Download Submit
\Windows\system\SVYoKgI.exe

Filesize
5.9MB

MD5
9a577f83242e403e6e9acce33189e722

SHA1
ad6cdf0b56bdc1e1691f23b55b935a8dc4fa7b03

SHA256
209c19a5db46d392382bf1957be98ccc5f81cf099ec10066854af7536de9e2b3

SHA512
f2c3c45817b8e84b636da9f230ca59ee8c9c65562208874f9b933e9ec7deb92a94e695557719aa9fce15ed4d64c5d96b763a4f78caa55dac4aa3646f7aa8ff8c

Download Submit
\Windows\system\WoERXDB.exe

Filesize
5.9MB

MD5
434128fb68957d65431bdb024d30ac25

SHA1
6a327e681d8b7582e25ca2d8cbb4d10631b518c6

SHA256
7e18e3672d0290ed387d1e8d4c84a4384d9cad7f92e81cb2b0b84d12c887059a

SHA512
52c9f9ca8f44a8e948c6ab2fa01d10d9216b349acdf07c8929055cd1104da9078664dc1c3da2935e09b463b5bda3b0c45e7e2e0d4e4d4c9335b440a52ebd97f7

Download Submit
\Windows\system\ekPhrzR.exe

Filesize
5.9MB

MD5
97f5b08370214369426882d4187ee75f

SHA1
fa6864297a037d8272784952421cc5ecaeaf2b71

SHA256
58e3a138d07193eace0f292430cbd78c141c6a81dc9312efab923d55752d0856

SHA512
b7f5735ab8155f9d09b44393ca841b3e5c510128bc4fbb6f7d914e5daf4d2a5e114b52b8afe45eb4332e1e5f1875c3d24a213dccfed6d691035963a172b3523c

Download Submit
\Windows\system\nVvBHhw.exe

Filesize
5.9MB

MD5
6c79d066aceedcfe2bcc1fba32d1f1ed

SHA1
a31b07c549272376b2d4088b2a338bc3318a0122

SHA256
59d216ece5b5786cfbbdd7324ba7901b0d5690d548cb99e3d6907ddea423f540

SHA512
62860ca8c47eb1e1607cb0e1c84d0f875414ecf073d0e14777b08c86ea4ffcabd6a3cfbc028438667709e72cb3171d815b08a7ebf677b8789eff72c32c7be62a

Download Submit
memory/1948-137-0x000000013FDD0000-0x0000000140124000-memory.dmp

Filesize
3.3MB

Download
memory/1948-118-0x000000013FDD0000-0x0000000140124000-memory.dmp

Filesize
3.3MB

Download
memory/2032-143-0x000000013F6B0000-0x000000013FA04000-memory.dmp

Filesize
3.3MB

Download
memory/2032-124-0x000000013F6B0000-0x000000013FA04000-memory.dmp

Filesize
3.3MB

Download
memory/2056-115-0x000000013F570000-0x000000013F8C4000-memory.dmp

Filesize
3.3MB

Download
memory/2056-123-0x000000013F6B0000-0x000000013FA04000-memory.dmp

Filesize
3.3MB

Download
memory/2056-1-0x00000000000F0000-0x0000000000100000-memory.dmp

Filesize
64KB

Download
memory/2056-112-0x000000013F1C0000-0x000000013F514000-memory.dmp

Filesize
3.3MB

Download
memory/2056-0-0x000000013FCD0000-0x0000000140024000-memory.dmp

Filesize
3.3MB

Download
memory/2056-117-0x0000000002320000-0x0000000002674000-memory.dmp

Filesize
3.3MB

Download
memory/2056-129-0x000000013FCD0000-0x0000000140024000-memory.dmp

Filesize
3.3MB

Download
memory/2056-126-0x000000013F880000-0x000000013FBD4000-memory.dmp

Filesize
3.3MB

Download
memory/2056-20-0x000000013F390000-0x000000013F6E4000-memory.dmp

Filesize
3.3MB

Download
memory/2056-111-0x000000013F360000-0x000000013F6B4000-memory.dmp

Filesize
3.3MB

Download
memory/2056-128-0x000000013F360000-0x000000013F6B4000-memory.dmp

Filesize
3.3MB

Download
memory/2060-142-0x000000013F9C0000-0x000000013FD14000-memory.dmp

Filesize
3.3MB

Download
memory/2060-121-0x000000013F9C0000-0x000000013FD14000-memory.dmp

Filesize
3.3MB

Download
memory/2140-136-0x000000013F360000-0x000000013F6B4000-memory.dmp

Filesize
3.3MB

Download
memory/2140-114-0x000000013F360000-0x000000013F6B4000-memory.dmp

Filesize
3.3MB

Download
memory/2392-131-0x000000013F880000-0x000000013FBD4000-memory.dmp

Filesize
3.3MB

Download
memory/2392-34-0x000000013F880000-0x000000013FBD4000-memory.dmp

Filesize
3.3MB

Download
memory/2468-119-0x000000013FB60000-0x000000013FEB4000-memory.dmp

Filesize
3.3MB

Download
memory/2468-141-0x000000013FB60000-0x000000013FEB4000-memory.dmp

Filesize
3.3MB

Download
memory/2492-138-0x000000013FF90000-0x00000001402E4000-memory.dmp

Filesize
3.3MB

Download
memory/2492-122-0x000000013FF90000-0x00000001402E4000-memory.dmp

Filesize
3.3MB

Download
memory/2552-102-0x000000013F420000-0x000000013F774000-memory.dmp

Filesize
3.3MB

Download
memory/2552-132-0x000000013F420000-0x000000013F774000-memory.dmp

Filesize
3.3MB

Download
memory/2568-139-0x000000013FAA0000-0x000000013FDF4000-memory.dmp

Filesize
3.3MB

Download
memory/2568-120-0x000000013FAA0000-0x000000013FDF4000-memory.dmp

Filesize
3.3MB

Download
memory/2604-127-0x000000013F360000-0x000000013F6B4000-memory.dmp

Filesize
3.3MB

Download
memory/2604-135-0x000000013F360000-0x000000013F6B4000-memory.dmp

Filesize
3.3MB

Download
memory/2620-140-0x000000013F570000-0x000000013F8C4000-memory.dmp

Filesize
3.3MB

Download
memory/2620-116-0x000000013F570000-0x000000013F8C4000-memory.dmp

Filesize
3.3MB

Download
memory/2724-133-0x000000013F750000-0x000000013FAA4000-memory.dmp

Filesize
3.3MB

Download
memory/2724-110-0x000000013F750000-0x000000013FAA4000-memory.dmp

Filesize
3.3MB

Download
memory/2732-134-0x000000013F1C0000-0x000000013F514000-memory.dmp

Filesize
3.3MB

Download
memory/2732-113-0x000000013F1C0000-0x000000013F514000-memory.dmp

Filesize
3.3MB

Download
memory/2776-130-0x000000013F390000-0x000000013F6E4000-memory.dmp

Filesize
3.3MB

Download
memory/2776-125-0x000000013F390000-0x000000013F6E4000-memory.dmp

Filesize
3.3MB

Download