cobaltstrike | 0cea98aa56189ccc85bdb3a252b6adbe7556a6f600499826e67b487be2e1c2f1

Analysis

max time kernel
138s
max time network
147s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
11-06-2024 00:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe
Size

5.9MB
MD5

6559d04b9bf2fafd9a442c8d2142a22a
SHA1

f565c01f71a5af87e138a93462f53d842c4180de
SHA256

0cea98aa56189ccc85bdb3a252b6adbe7556a6f600499826e67b487be2e1c2f1
SHA512

0ae4afcb4404fa40917fa2ffd67ab0277e5dd5607a52671d0092f790487af7211fc5516eae375fdf597a5006b151a7f2973048b6f844a58b0a8ad1665864dc6c
SSDEEP

98304:oemTLkNdfE0pZrt56utgpPFotBER/mQ32lUm:T+856utgpPF8u/7m

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x000b00000001472f-5.dat	cobalt_reflective_dll
behavioral1/files/0x0030000000014f57-6.dat	cobalt_reflective_dll
behavioral1/files/0x00080000000153ee-21.dat	cobalt_reflective_dll
behavioral1/files/0x000700000001565a-24.dat	cobalt_reflective_dll
behavioral1/files/0x003000000001507a-30.dat	cobalt_reflective_dll
behavioral1/files/0x00070000000158d9-38.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015662-42.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015ae3-51.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015d85-72.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016013-86.dat	cobalt_reflective_dll
behavioral1/files/0x00060000000164ec-105.dat	cobalt_reflective_dll
behavioral1/files/0x00060000000167bf-115.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015d9c-68.dat	cobalt_reflective_dll
behavioral1/files/0x00060000000163eb-128.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016a28-118.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016575-108.dat	cobalt_reflective_dll
behavioral1/files/0x00060000000161ee-99.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016122-91.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015fa6-77.dat	cobalt_reflective_dll
behavioral1/files/0x0009000000015b85-63.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015f23-85.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

resource	yara_rule
behavioral1/files/0x000b00000001472f-5.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0030000000014f57-6.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x00080000000153ee-21.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x000700000001565a-24.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x003000000001507a-30.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x00070000000158d9-38.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000015662-42.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000015ae3-51.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000015d85-72.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016013-86.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x00060000000164ec-105.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x00060000000167bf-115.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015d9c-68.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x00060000000163eb-128.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016a28-118.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016575-108.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x00060000000161ee-99.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016122-91.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015fa6-77.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0009000000015b85-63.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015f23-85.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 51 IoCs

resource	yara_rule
behavioral1/memory/2552-0-0x000000013FFA0000-0x00000001402F4000-memory.dmp	UPX
behavioral1/files/0x000b00000001472f-5.dat	UPX
behavioral1/files/0x0030000000014f57-6.dat	UPX
behavioral1/memory/2476-15-0x000000013FC60000-0x000000013FFB4000-memory.dmp	UPX
behavioral1/files/0x00080000000153ee-21.dat	UPX
behavioral1/memory/2624-22-0x000000013F8F0000-0x000000013FC44000-memory.dmp	UPX
behavioral1/memory/2572-19-0x000000013F040000-0x000000013F394000-memory.dmp	UPX
behavioral1/files/0x000700000001565a-24.dat	UPX
behavioral1/memory/2656-29-0x000000013FFB0000-0x0000000140304000-memory.dmp	UPX
behavioral1/files/0x003000000001507a-30.dat	UPX
behavioral1/files/0x00070000000158d9-38.dat	UPX
behavioral1/files/0x0007000000015662-42.dat	UPX
behavioral1/memory/2364-50-0x000000013FDB0000-0x0000000140104000-memory.dmp	UPX
behavioral1/memory/2424-49-0x000000013FBC0000-0x000000013FF14000-memory.dmp	UPX
behavioral1/memory/2628-47-0x000000013FBE0000-0x000000013FF34000-memory.dmp	UPX
behavioral1/files/0x0007000000015ae3-51.dat	UPX
behavioral1/memory/2476-58-0x000000013FC60000-0x000000013FFB4000-memory.dmp	UPX
behavioral1/memory/2880-59-0x000000013FBB0000-0x000000013FF04000-memory.dmp	UPX
behavioral1/memory/2552-57-0x000000013FFA0000-0x00000001402F4000-memory.dmp	UPX
behavioral1/files/0x0007000000015d85-72.dat	UPX
behavioral1/files/0x0006000000016013-86.dat	UPX
behavioral1/files/0x00060000000164ec-105.dat	UPX
behavioral1/files/0x00060000000167bf-115.dat	UPX
behavioral1/files/0x0006000000015d9c-68.dat	UPX
behavioral1/files/0x00060000000163eb-128.dat	UPX
behavioral1/files/0x0006000000016a28-118.dat	UPX
behavioral1/files/0x0006000000016575-108.dat	UPX
behavioral1/memory/2624-104-0x000000013F8F0000-0x000000013FC44000-memory.dmp	UPX
behavioral1/files/0x00060000000161ee-99.dat	UPX
behavioral1/files/0x0006000000016122-91.dat	UPX
behavioral1/memory/1488-80-0x000000013F9C0000-0x000000013FD14000-memory.dmp	UPX
behavioral1/files/0x0006000000015fa6-77.dat	UPX
behavioral1/files/0x0009000000015b85-63.dat	UPX
behavioral1/memory/2244-88-0x000000013FD10000-0x0000000140064000-memory.dmp	UPX
behavioral1/files/0x0006000000015f23-85.dat	UPX
behavioral1/memory/2356-84-0x000000013FE20000-0x0000000140174000-memory.dmp	UPX
behavioral1/memory/2656-134-0x000000013FFB0000-0x0000000140304000-memory.dmp	UPX
behavioral1/memory/2692-136-0x000000013FFA0000-0x00000001402F4000-memory.dmp	UPX
behavioral1/memory/2244-137-0x000000013FD10000-0x0000000140064000-memory.dmp	UPX
behavioral1/memory/2476-140-0x000000013FC60000-0x000000013FFB4000-memory.dmp	UPX
behavioral1/memory/2572-141-0x000000013F040000-0x000000013F394000-memory.dmp	UPX
behavioral1/memory/2624-142-0x000000013F8F0000-0x000000013FC44000-memory.dmp	UPX
behavioral1/memory/2656-143-0x000000013FFB0000-0x0000000140304000-memory.dmp	UPX
behavioral1/memory/2628-144-0x000000013FBE0000-0x000000013FF34000-memory.dmp	UPX
behavioral1/memory/2424-146-0x000000013FBC0000-0x000000013FF14000-memory.dmp	UPX
behavioral1/memory/2364-145-0x000000013FDB0000-0x0000000140104000-memory.dmp	UPX
behavioral1/memory/2880-147-0x000000013FBB0000-0x000000013FF04000-memory.dmp	UPX
behavioral1/memory/2356-148-0x000000013FE20000-0x0000000140174000-memory.dmp	UPX
behavioral1/memory/1488-149-0x000000013F9C0000-0x000000013FD14000-memory.dmp	UPX
behavioral1/memory/2244-150-0x000000013FD10000-0x0000000140064000-memory.dmp	UPX
behavioral1/memory/2692-151-0x000000013FFA0000-0x00000001402F4000-memory.dmp	UPX

XMRig Miner payload 55 IoCs

miner

resource	yara_rule
behavioral1/memory/2552-0-0x000000013FFA0000-0x00000001402F4000-memory.dmp	xmrig
behavioral1/files/0x000b00000001472f-5.dat	xmrig
behavioral1/files/0x0030000000014f57-6.dat	xmrig
behavioral1/memory/2476-15-0x000000013FC60000-0x000000013FFB4000-memory.dmp	xmrig
behavioral1/files/0x00080000000153ee-21.dat	xmrig
behavioral1/memory/2624-22-0x000000013F8F0000-0x000000013FC44000-memory.dmp	xmrig
behavioral1/memory/2552-20-0x000000013F040000-0x000000013F394000-memory.dmp	xmrig
behavioral1/memory/2572-19-0x000000013F040000-0x000000013F394000-memory.dmp	xmrig
behavioral1/files/0x000700000001565a-24.dat	xmrig
behavioral1/memory/2656-29-0x000000013FFB0000-0x0000000140304000-memory.dmp	xmrig
behavioral1/files/0x003000000001507a-30.dat	xmrig
behavioral1/files/0x00070000000158d9-38.dat	xmrig
behavioral1/files/0x0007000000015662-42.dat	xmrig
behavioral1/memory/2364-50-0x000000013FDB0000-0x0000000140104000-memory.dmp	xmrig
behavioral1/memory/2424-49-0x000000013FBC0000-0x000000013FF14000-memory.dmp	xmrig
behavioral1/memory/2628-47-0x000000013FBE0000-0x000000013FF34000-memory.dmp	xmrig
behavioral1/files/0x0007000000015ae3-51.dat	xmrig
behavioral1/memory/2476-58-0x000000013FC60000-0x000000013FFB4000-memory.dmp	xmrig
behavioral1/memory/2880-59-0x000000013FBB0000-0x000000013FF04000-memory.dmp	xmrig
behavioral1/memory/2552-57-0x000000013FFA0000-0x00000001402F4000-memory.dmp	xmrig
behavioral1/files/0x0007000000015d85-72.dat	xmrig
behavioral1/files/0x0006000000016013-86.dat	xmrig
behavioral1/files/0x00060000000164ec-105.dat	xmrig
behavioral1/files/0x00060000000167bf-115.dat	xmrig
behavioral1/files/0x0006000000015d9c-68.dat	xmrig
behavioral1/files/0x00060000000163eb-128.dat	xmrig
behavioral1/files/0x0006000000016a28-118.dat	xmrig
behavioral1/memory/2552-111-0x000000013F0A0000-0x000000013F3F4000-memory.dmp	xmrig
behavioral1/memory/2552-110-0x000000013F380000-0x000000013F6D4000-memory.dmp	xmrig
behavioral1/files/0x0006000000016575-108.dat	xmrig
behavioral1/memory/2624-104-0x000000013F8F0000-0x000000013FC44000-memory.dmp	xmrig
behavioral1/files/0x00060000000161ee-99.dat	xmrig
behavioral1/files/0x0006000000016122-91.dat	xmrig
behavioral1/memory/1488-80-0x000000013F9C0000-0x000000013FD14000-memory.dmp	xmrig
behavioral1/files/0x0006000000015fa6-77.dat	xmrig
behavioral1/memory/2552-64-0x00000000023B0000-0x0000000002704000-memory.dmp	xmrig
behavioral1/files/0x0009000000015b85-63.dat	xmrig
behavioral1/memory/2244-88-0x000000013FD10000-0x0000000140064000-memory.dmp	xmrig
behavioral1/files/0x0006000000015f23-85.dat	xmrig
behavioral1/memory/2356-84-0x000000013FE20000-0x0000000140174000-memory.dmp	xmrig
behavioral1/memory/2656-134-0x000000013FFB0000-0x0000000140304000-memory.dmp	xmrig
behavioral1/memory/2692-136-0x000000013FFA0000-0x00000001402F4000-memory.dmp	xmrig
behavioral1/memory/2244-137-0x000000013FD10000-0x0000000140064000-memory.dmp	xmrig
behavioral1/memory/2476-140-0x000000013FC60000-0x000000013FFB4000-memory.dmp	xmrig
behavioral1/memory/2572-141-0x000000013F040000-0x000000013F394000-memory.dmp	xmrig
behavioral1/memory/2624-142-0x000000013F8F0000-0x000000013FC44000-memory.dmp	xmrig
behavioral1/memory/2656-143-0x000000013FFB0000-0x0000000140304000-memory.dmp	xmrig
behavioral1/memory/2628-144-0x000000013FBE0000-0x000000013FF34000-memory.dmp	xmrig
behavioral1/memory/2424-146-0x000000013FBC0000-0x000000013FF14000-memory.dmp	xmrig
behavioral1/memory/2364-145-0x000000013FDB0000-0x0000000140104000-memory.dmp	xmrig
behavioral1/memory/2880-147-0x000000013FBB0000-0x000000013FF04000-memory.dmp	xmrig
behavioral1/memory/2356-148-0x000000013FE20000-0x0000000140174000-memory.dmp	xmrig
behavioral1/memory/1488-149-0x000000013F9C0000-0x000000013FD14000-memory.dmp	xmrig
behavioral1/memory/2244-150-0x000000013FD10000-0x0000000140064000-memory.dmp	xmrig
behavioral1/memory/2692-151-0x000000013FFA0000-0x00000001402F4000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2476	yzMXiLt.exe
2572	QPCpYIO.exe
2624	ufAcGZR.exe
2656	EYbokgL.exe
2628	SGmXyIj.exe
2424	iCzuzSr.exe
2364	SYxzNbY.exe
2880	wqcYwGk.exe
1488	SseflJs.exe
2356	pCyOQep.exe
2692	vXfXegn.exe
2244	YIynPqy.exe
2260	NkpvToI.exe
2084	aDcrJkX.exe
2652	roCKOXA.exe
644	KzSANtj.exe
2912	kiMizdC.exe
1628	zkQWLPc.exe
2292	WYGTyfB.exe
2248	dZkoVXn.exe
1332	lAHLnBS.exe

Loads dropped DLL 21 IoCs

pid	Process
2552	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe
2552	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe
2552	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe
2552	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe
2552	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe
2552	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe
2552	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe
2552	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe
2552	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe
2552	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe
2552	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe
2552	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe
2552	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe
2552	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe
2552	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe
2552	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe
2552	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe
2552	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe
2552	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe
2552	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe
2552	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe

UPX packed file 52 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2552-0-0x000000013FFA0000-0x00000001402F4000-memory.dmp	upx
behavioral1/files/0x000b00000001472f-5.dat	upx
behavioral1/files/0x0030000000014f57-6.dat	upx
behavioral1/memory/2476-15-0x000000013FC60000-0x000000013FFB4000-memory.dmp	upx
behavioral1/files/0x00080000000153ee-21.dat	upx
behavioral1/memory/2624-22-0x000000013F8F0000-0x000000013FC44000-memory.dmp	upx
behavioral1/memory/2572-19-0x000000013F040000-0x000000013F394000-memory.dmp	upx
behavioral1/files/0x000700000001565a-24.dat	upx
behavioral1/memory/2656-29-0x000000013FFB0000-0x0000000140304000-memory.dmp	upx
behavioral1/files/0x003000000001507a-30.dat	upx
behavioral1/files/0x00070000000158d9-38.dat	upx
behavioral1/files/0x0007000000015662-42.dat	upx
behavioral1/memory/2364-50-0x000000013FDB0000-0x0000000140104000-memory.dmp	upx
behavioral1/memory/2424-49-0x000000013FBC0000-0x000000013FF14000-memory.dmp	upx
behavioral1/memory/2628-47-0x000000013FBE0000-0x000000013FF34000-memory.dmp	upx
behavioral1/files/0x0007000000015ae3-51.dat	upx
behavioral1/memory/2476-58-0x000000013FC60000-0x000000013FFB4000-memory.dmp	upx
behavioral1/memory/2880-59-0x000000013FBB0000-0x000000013FF04000-memory.dmp	upx
behavioral1/memory/2552-57-0x000000013FFA0000-0x00000001402F4000-memory.dmp	upx
behavioral1/files/0x0007000000015d85-72.dat	upx
behavioral1/files/0x0006000000016013-86.dat	upx
behavioral1/files/0x00060000000164ec-105.dat	upx
behavioral1/files/0x00060000000167bf-115.dat	upx
behavioral1/files/0x0006000000015d9c-68.dat	upx
behavioral1/files/0x00060000000163eb-128.dat	upx
behavioral1/files/0x0006000000016a28-118.dat	upx
behavioral1/files/0x0006000000016575-108.dat	upx
behavioral1/memory/2624-104-0x000000013F8F0000-0x000000013FC44000-memory.dmp	upx
behavioral1/files/0x00060000000161ee-99.dat	upx
behavioral1/files/0x0006000000016122-91.dat	upx
behavioral1/memory/1488-80-0x000000013F9C0000-0x000000013FD14000-memory.dmp	upx
behavioral1/files/0x0006000000015fa6-77.dat	upx
behavioral1/memory/2552-64-0x00000000023B0000-0x0000000002704000-memory.dmp	upx
behavioral1/files/0x0009000000015b85-63.dat	upx
behavioral1/memory/2244-88-0x000000013FD10000-0x0000000140064000-memory.dmp	upx
behavioral1/files/0x0006000000015f23-85.dat	upx
behavioral1/memory/2356-84-0x000000013FE20000-0x0000000140174000-memory.dmp	upx
behavioral1/memory/2656-134-0x000000013FFB0000-0x0000000140304000-memory.dmp	upx
behavioral1/memory/2692-136-0x000000013FFA0000-0x00000001402F4000-memory.dmp	upx
behavioral1/memory/2244-137-0x000000013FD10000-0x0000000140064000-memory.dmp	upx
behavioral1/memory/2476-140-0x000000013FC60000-0x000000013FFB4000-memory.dmp	upx
behavioral1/memory/2572-141-0x000000013F040000-0x000000013F394000-memory.dmp	upx
behavioral1/memory/2624-142-0x000000013F8F0000-0x000000013FC44000-memory.dmp	upx
behavioral1/memory/2656-143-0x000000013FFB0000-0x0000000140304000-memory.dmp	upx
behavioral1/memory/2628-144-0x000000013FBE0000-0x000000013FF34000-memory.dmp	upx
behavioral1/memory/2424-146-0x000000013FBC0000-0x000000013FF14000-memory.dmp	upx
behavioral1/memory/2364-145-0x000000013FDB0000-0x0000000140104000-memory.dmp	upx
behavioral1/memory/2880-147-0x000000013FBB0000-0x000000013FF04000-memory.dmp	upx
behavioral1/memory/2356-148-0x000000013FE20000-0x0000000140174000-memory.dmp	upx
behavioral1/memory/1488-149-0x000000013F9C0000-0x000000013FD14000-memory.dmp	upx
behavioral1/memory/2244-150-0x000000013FD10000-0x0000000140064000-memory.dmp	upx
behavioral1/memory/2692-151-0x000000013FFA0000-0x00000001402F4000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\yzMXiLt.exe	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\SYxzNbY.exe	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\wqcYwGk.exe	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\SseflJs.exe	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\dZkoVXn.exe	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\lAHLnBS.exe	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\aDcrJkX.exe	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\KzSANtj.exe	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\QPCpYIO.exe	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\SGmXyIj.exe	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\iCzuzSr.exe	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\pCyOQep.exe	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\kiMizdC.exe	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\NkpvToI.exe	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ufAcGZR.exe	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\roCKOXA.exe	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\YIynPqy.exe	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\EYbokgL.exe	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\vXfXegn.exe	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\zkQWLPc.exe	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\WYGTyfB.exe	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2552	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	2552	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2552 wrote to memory of 2476	2552	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe	29
PID 2552 wrote to memory of 2476	2552	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe	29
PID 2552 wrote to memory of 2476	2552	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe	29
PID 2552 wrote to memory of 2572	2552	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe	30
PID 2552 wrote to memory of 2572	2552	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe	30
PID 2552 wrote to memory of 2572	2552	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe	30
PID 2552 wrote to memory of 2624	2552	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe	31
PID 2552 wrote to memory of 2624	2552	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe	31
PID 2552 wrote to memory of 2624	2552	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe	31
PID 2552 wrote to memory of 2656	2552	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe	32
PID 2552 wrote to memory of 2656	2552	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe	32
PID 2552 wrote to memory of 2656	2552	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe	32
PID 2552 wrote to memory of 2628	2552	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe	33
PID 2552 wrote to memory of 2628	2552	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe	33
PID 2552 wrote to memory of 2628	2552	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe	33
PID 2552 wrote to memory of 2424	2552	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe	34
PID 2552 wrote to memory of 2424	2552	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe	34
PID 2552 wrote to memory of 2424	2552	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe	34
PID 2552 wrote to memory of 2364	2552	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe	35
PID 2552 wrote to memory of 2364	2552	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe	35
PID 2552 wrote to memory of 2364	2552	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe	35
PID 2552 wrote to memory of 2880	2552	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe	36
PID 2552 wrote to memory of 2880	2552	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe	36
PID 2552 wrote to memory of 2880	2552	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe	36
PID 2552 wrote to memory of 1488	2552	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe	37
PID 2552 wrote to memory of 1488	2552	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe	37
PID 2552 wrote to memory of 1488	2552	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe	37
PID 2552 wrote to memory of 2356	2552	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe	38
PID 2552 wrote to memory of 2356	2552	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe	38
PID 2552 wrote to memory of 2356	2552	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe	38
PID 2552 wrote to memory of 2652	2552	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe	39
PID 2552 wrote to memory of 2652	2552	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe	39
PID 2552 wrote to memory of 2652	2552	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe	39
PID 2552 wrote to memory of 2692	2552	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe	40
PID 2552 wrote to memory of 2692	2552	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe	40
PID 2552 wrote to memory of 2692	2552	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe	40
PID 2552 wrote to memory of 2912	2552	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe	41
PID 2552 wrote to memory of 2912	2552	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe	41
PID 2552 wrote to memory of 2912	2552	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe	41
PID 2552 wrote to memory of 2244	2552	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe	42
PID 2552 wrote to memory of 2244	2552	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe	42
PID 2552 wrote to memory of 2244	2552	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe	42
PID 2552 wrote to memory of 1628	2552	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe	43
PID 2552 wrote to memory of 1628	2552	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe	43
PID 2552 wrote to memory of 1628	2552	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe	43
PID 2552 wrote to memory of 2260	2552	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe	44
PID 2552 wrote to memory of 2260	2552	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe	44
PID 2552 wrote to memory of 2260	2552	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe	44
PID 2552 wrote to memory of 2292	2552	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe	45
PID 2552 wrote to memory of 2292	2552	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe	45
PID 2552 wrote to memory of 2292	2552	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe	45
PID 2552 wrote to memory of 2084	2552	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe	46
PID 2552 wrote to memory of 2084	2552	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe	46
PID 2552 wrote to memory of 2084	2552	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe	46
PID 2552 wrote to memory of 2248	2552	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe	47
PID 2552 wrote to memory of 2248	2552	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe	47
PID 2552 wrote to memory of 2248	2552	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe	47
PID 2552 wrote to memory of 644	2552	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe	48
PID 2552 wrote to memory of 644	2552	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe	48
PID 2552 wrote to memory of 644	2552	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe	48
PID 2552 wrote to memory of 1332	2552	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe	49
PID 2552 wrote to memory of 1332	2552	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe	49
PID 2552 wrote to memory of 1332	2552	2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe	49

C:\Users\Admin\AppData\Local\Temp\2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-11_6559d04b9bf2fafd9a442c8d2142a22a_cobalt-strike_cobaltstrike.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2552
- C:\Windows\System\yzMXiLt.exe
  C:\Windows\System\yzMXiLt.exe
  2⤵
  - Executes dropped EXE
  PID:2476
- C:\Windows\System\QPCpYIO.exe
  C:\Windows\System\QPCpYIO.exe
  2⤵
  - Executes dropped EXE
  PID:2572
- C:\Windows\System\ufAcGZR.exe
  C:\Windows\System\ufAcGZR.exe
  2⤵
  - Executes dropped EXE
  PID:2624
- C:\Windows\System\EYbokgL.exe
  C:\Windows\System\EYbokgL.exe
  2⤵
  - Executes dropped EXE
  PID:2656
- C:\Windows\System\SGmXyIj.exe
  C:\Windows\System\SGmXyIj.exe
  2⤵
  - Executes dropped EXE
  PID:2628
- C:\Windows\System\iCzuzSr.exe
  C:\Windows\System\iCzuzSr.exe
  2⤵
  - Executes dropped EXE
  PID:2424
- C:\Windows\System\SYxzNbY.exe
  C:\Windows\System\SYxzNbY.exe
  2⤵
  - Executes dropped EXE
  PID:2364
- C:\Windows\System\wqcYwGk.exe
  C:\Windows\System\wqcYwGk.exe
  2⤵
  - Executes dropped EXE
  PID:2880
- C:\Windows\System\SseflJs.exe
  C:\Windows\System\SseflJs.exe
  2⤵
  - Executes dropped EXE
  PID:1488
- C:\Windows\System\pCyOQep.exe
  C:\Windows\System\pCyOQep.exe
  2⤵
  - Executes dropped EXE
  PID:2356
- C:\Windows\System\roCKOXA.exe
  C:\Windows\System\roCKOXA.exe
  2⤵
  - Executes dropped EXE
  PID:2652
- C:\Windows\System\vXfXegn.exe
  C:\Windows\System\vXfXegn.exe
  2⤵
  - Executes dropped EXE
  PID:2692
- C:\Windows\System\kiMizdC.exe
  C:\Windows\System\kiMizdC.exe
  2⤵
  - Executes dropped EXE
  PID:2912
- C:\Windows\System\YIynPqy.exe
  C:\Windows\System\YIynPqy.exe
  2⤵
  - Executes dropped EXE
  PID:2244
- C:\Windows\System\zkQWLPc.exe
  C:\Windows\System\zkQWLPc.exe
  2⤵
  - Executes dropped EXE
  PID:1628
- C:\Windows\System\NkpvToI.exe
  C:\Windows\System\NkpvToI.exe
  2⤵
  - Executes dropped EXE
  PID:2260
- C:\Windows\System\WYGTyfB.exe
  C:\Windows\System\WYGTyfB.exe
  2⤵
  - Executes dropped EXE
  PID:2292
- C:\Windows\System\aDcrJkX.exe
  C:\Windows\System\aDcrJkX.exe
  2⤵
  - Executes dropped EXE
  PID:2084
- C:\Windows\System\dZkoVXn.exe
  C:\Windows\System\dZkoVXn.exe
  2⤵
  - Executes dropped EXE
  PID:2248
- C:\Windows\System\KzSANtj.exe
  C:\Windows\System\KzSANtj.exe
  2⤵
  - Executes dropped EXE
  PID:644
- C:\Windows\System\lAHLnBS.exe
  C:\Windows\System\lAHLnBS.exe
  2⤵
  - Executes dropped EXE
  PID:1332

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\NkpvToI.exe

Filesize
5.9MB

MD5
84abf6f22d8abaf0513d772f61193934

SHA1
57d66bff4b84233fbcb74f11d4d09ce79e78c659

SHA256
08bd4fd369ac6a3ffdb83b92e84af0cf743546bbb1f8d87f0625e723b244c1bd

SHA512
3c1ad79a0029933d9a8f95ce7e7b0134c2f84986727c572d16e9148c5eb5ed34c1fce885e277f8c51bbc3aea58f7ac7779a43af34b28c0e3246ffe1895a99194

Download Submit
C:\Windows\system\QPCpYIO.exe

Filesize
5.9MB

MD5
6e41be4af3c327ac3bdaf703decfcd63

SHA1
e332c334974572b1bdd0c58092a3369e8ba2718e

SHA256
8f4360e4404b4c41eb8c7c08157fce875c2a902a10188d3ecef36a7cd5265a48

SHA512
36097fffda9e672fa9d04652dc6622c88226f545aaf60326237a67eadc1a408cd8ee482eb1956f6e2673e904dfedea5ca51e11054f9c8058da9b7b8e064f5e79

Download Submit
C:\Windows\system\SseflJs.exe

Filesize
5.9MB

MD5
4a6604641df806704160f14787d8fc5a

SHA1
87f15f201c7e3dafcd0674f025d52511320b04d7

SHA256
0384f05c1e97e234d042b5901937e7902a08caaf98b00941e599a4fc293531dd

SHA512
083d9bf73afee1db973fd8413e1168cad59f5f442c7124e748ed440a33d3d61b3a6a28fa85617f6803f9e80a09c2c442164519a2fa8037ef9b5a63e330391b83

Download Submit
C:\Windows\system\WYGTyfB.exe

Filesize
5.9MB

MD5
d29943158f6d9f3041af3ba35620edc1

SHA1
4364f1a4e5722bee645aa5a326a79d9e0af33023

SHA256
cd317e24cd77cf65c0ad9c7817619f214c550b127658606be18e4057490b68cc

SHA512
285d9f6c8b8c7a3a351eee8fb5d46acd43e9dee8d2b2f949e20c6ef3ac6ec2ead42c09a6872ad82120f4c9f75a4be9aecef216d3ab27c396b4e6a758e4f5f1ed

Download Submit
C:\Windows\system\YIynPqy.exe

Filesize
5.9MB

MD5
52c7f018a98c7e7aeaa8bf069b7105a0

SHA1
4ae5585565fb6f876ab49630cf3eaaa8dee5f86d

SHA256
cb02e1963c4ebe056094b3d3b92fa55bd7b1c7b10c9240ad37cc4f54c84f6eb8

SHA512
3c9e08461c40ce64c8000fc46a0e5f30744e03755d4695c787d45a63fff35dd5b367174d9db9863afd6f4fbbca8ac693f06baee681338ff7927fae34bb8d312e

Download Submit
C:\Windows\system\iCzuzSr.exe

Filesize
5.9MB

MD5
8107e7f19d57efd7657943d14b71e7fd

SHA1
b46148a4b7149804f74fdf75a67bde1b7c12d2eb

SHA256
12c5aaf245c1af151f692e01463fbd53060ccda922f05a686c9059000d1e83cc

SHA512
1d4c32ac29aaa4aef0d4d6ab91236cecb003d4905f1c09fbdd61aec22013c5bbb3726c87334eda9867432a61abe9f8526ff400774cb896c0f112be565323d9a2

Download Submit
C:\Windows\system\pCyOQep.exe

Filesize
5.9MB

MD5
e13d6f924b449926d9247bb16d6275eb

SHA1
1b774b8aa9a808ac6a50ffd2d0ed4261911910de

SHA256
b02a671956900c8deff02ea48a649ebee308a1aea8adbecd6f33aa1382413f27

SHA512
ab8e5b5a4a18b8ca7f83c6e96776054999d6f381f1ea8f3e9964819896f1959298ca29c189c60465eede2247903619fd4191876fe4d678fa9586250c930768e0

Download Submit
C:\Windows\system\ufAcGZR.exe

Filesize
5.9MB

MD5
525779d4e635c8a699a16b179991b9fd

SHA1
8c7040b2a7d05bf4a1ba0bc03bdaf9645ed49eb2

SHA256
25c124665bb06576aad978272f9c3f6a930b6044f98d9b6c61b9ecd76832e7d3

SHA512
7f130fca35dfd1b4fc31f0d9233cd66394b150dff3f4f7463df5928bd6f22ed53086caa5a3db239ff60280d18fd3896a1489ec420b3ee17f500dc090e530f51c

Download Submit
C:\Windows\system\vXfXegn.exe

Filesize
5.9MB

MD5
7f536c787257ffdd5a51868983d859c6

SHA1
3d62e25a99045022d52a36f5befa9cf1a6dcb499

SHA256
83f53f6e09c706bfdd9d0c3f9027458cc0c93917e9bd532413fbf8e352a24259

SHA512
a5c077360131a085807bcc1686d4f7c988e0c40ad20e718b67f03dd43c1bc89768a9759d18f8dce541f87fbc4b4432a26dfaee4c0b315f32e3d2ee803115a2da

Download Submit
C:\Windows\system\yzMXiLt.exe

Filesize
5.9MB

MD5
22be9506a37d71337980acc2cbdc0858

SHA1
3a6f64b476eef1fec7f324b1bbfefc716669a46a

SHA256
3ee77ba803de536343f525aea3ac808e16a87209cbbf974d944e3879c659f801

SHA512
a1286c6bf5872b6029a2870c882e41c3476416770da2b52b61a76cbb4db3ee9139b8723ff8730df7d495e7e284ae9e7b2eda41a8652d692072486a57be0fb237

Download Submit
\Windows\system\EYbokgL.exe

Filesize
5.9MB

MD5
1754b5e02bacac41c85d22e2141feb67

SHA1
320be7f0783ebd69c1f953516ad9201975425f7c

SHA256
17fc3fa966722111014b90eb57d05cc9613c868b1ced14f658eb1c76dbc28fea

SHA512
6b15169e4ea0eb31f0b68674263a847bea97ceaa059b907851389b73f2cf1bd1c7df9de1110bd4adb66c6922aa0b7ac8dad8aaff4d5517fcc71178d6ce96a527

Download Submit
\Windows\system\KzSANtj.exe

Filesize
5.9MB

MD5
34bc5e583bb833981cd05f08cf8be1ef

SHA1
0754a824b3625dec1f66ebdb83bd14169b4de93a

SHA256
4b90d8854dba6e384abb1e4de6f17745fa9a72296dfdfc3652279590cdf48586

SHA512
89d539c60e960476144078bee3273b79a493546cc25e5c9cd3cb864faff8483006f8384cd427dbc2abbaeda5530712fe92720d9342b989464b6c124b98c0bd7b

Download Submit
\Windows\system\SGmXyIj.exe

Filesize
5.9MB

MD5
b35f1c932e66311fa86f257036764c66

SHA1
b9abcd93e21ebce51dbcbb264168c11d950b5f48

SHA256
9f8495dac61a597163fd6fc6ebe4e7eaf41f7a6386d907d4b5c2e4acb4456d35

SHA512
679102113090aff40af524e00e8eaa0c27d2ab6df2f4966eb9aefc3a996353a46f858317fc6dd52ad8ddce4f762e1c6c1c5f42df497dc87b54f63a499734c353

Download Submit
\Windows\system\SYxzNbY.exe

Filesize
5.9MB

MD5
100fb54dd31f219838aa130e61ca6a74

SHA1
97cf17a5e71b9375cb83b66a08995a8dae8370e1

SHA256
017bb448e57ac768633af5c2b3978cf4d02eeae50a439213a0318dbefbf6e00d

SHA512
2adebf5527c1d45b12234944eecf5930853497b65988ff36abceaff04a0dd9c5e9888766549b6a0da0774527963fb2d16e1c4b2b25775517a025efeff68f45f9

Download Submit
\Windows\system\aDcrJkX.exe

Filesize
5.9MB

MD5
5d623efee1b3b48ed8d8850427aa4248

SHA1
4cab4323c0cd4beb7c2ece2edd96330d70061d61

SHA256
d7d90a4000fe1ddac48cc433097d78489b5dd958d85698f4d7f7f78ea356ecc6

SHA512
71875fd29bc3541d498ca03b6a9a53c33a0e6d6094a9149d1e6e15c234be7a911a594b3b6da24d391fa80f996909d92b97a7b4874cc59fcd7b8e176475e06ae3

Download Submit
\Windows\system\dZkoVXn.exe

Filesize
5.9MB

MD5
0b588b72211f4fd0c7545552b92063ae

SHA1
6eaec034f52e6fc2e7bc1085b5beee4db5f1bcab

SHA256
393c505d330b3acfc151aead99ede7e2eaa5b627413ac4c30332f057b3d0c93e

SHA512
4dc6a008ba5ab5d8b15a7aa2ca1007575991ed61044a323713140a417f88dd1b6f501059be90d47d65ab25083894fca08596a49d836f891c32eefefab3151ab8

Download Submit
\Windows\system\kiMizdC.exe

Filesize
5.9MB

MD5
552bd6199625b605c4439ce331e546aa

SHA1
0b4acd2affbf854d295f7a8256197fb187e3a4e0

SHA256
9fbbb3f3bfad3db180cf9a204fe8d772f3845a238313322075e97e95ec900bee

SHA512
68daa8b13cc1996a5ece9272c7e6c16166440582bad3cf1dce58c7affc1c54700c15a6075ff2db8f5c5e2f4169d50e9b59a26af498648efc6989aa8144788627

Download Submit
\Windows\system\lAHLnBS.exe

Filesize
5.9MB

MD5
549c175fe9ea5546abf2ad361a6602c1

SHA1
50d180d1d4b05bf5d7923b930bf669849511395b

SHA256
7985ff1778dbf43ba05367353000c5ffc35f1c3ef73897a60e823042bf165b24

SHA512
be915f799033a90c658a84bb3dfeb9691728d47cfa93bb4f552a0ef6e8859e39818e95cae36e2a548521e64054013e656e6eb4cacb5e086a4ce989c88fd0b4cf

Download Submit
\Windows\system\roCKOXA.exe

Filesize
5.9MB

MD5
5abb45aaf6a5ba186668a289b7c2cb09

SHA1
80874a4ab6e6a87127ae3443bc26736e596dde0a

SHA256
103aea8806986ae9bf9e0998ead3056f3661cdea942a8bf2dc92538e56ec1953

SHA512
57c5e73caeaa05293ea83c559354ce67d9dca28a8ffa87d698750295c51b61804a08203f703273789164de5e08368da3609e3b58838cebf584b6ead21e8cedd8

Download Submit
\Windows\system\wqcYwGk.exe

Filesize
5.9MB

MD5
7044a1e37fdb012a4636281d363cccaa

SHA1
61ccf486db621e19fddc421fa11a3904e4160608

SHA256
0493a7f2f83670d176f26e6963d9b72f6e935fd97ac27fa28f46eeb2029ca907

SHA512
3678e30917466208ed4af4dc3a7b22cf03cbe2f96495a0d105a8067bbf6ec991b5be89af1e880cc48f23bf6625b4d8b7eaa31bf0819dad25328d8ca3aa09f8ee

Download Submit
\Windows\system\zkQWLPc.exe

Filesize
5.9MB

MD5
1bb2e4250737c229e92eb4467de1f153

SHA1
2b8a02cf412ba9c9aa2c776987fc81f8116f1a51

SHA256
1abf03139352fbe6986ce2c659694c234c8a88d7b36d3615b632b9232409af61

SHA512
6ef80bbf049597830dee41bc515b4ac630d788e7b2317a9c24dce3992ee0b2b63d640d40c2421aab3e4e38a0bd92e4ea608c742bbe9576b10554d7438a0f1ab0

Download Submit
memory/1488-80-0x000000013F9C0000-0x000000013FD14000-memory.dmp

Filesize
3.3MB

Download
memory/1488-149-0x000000013F9C0000-0x000000013FD14000-memory.dmp

Filesize
3.3MB

Download
memory/2244-137-0x000000013FD10000-0x0000000140064000-memory.dmp

Filesize
3.3MB

Download
memory/2244-88-0x000000013FD10000-0x0000000140064000-memory.dmp

Filesize
3.3MB

Download
memory/2244-150-0x000000013FD10000-0x0000000140064000-memory.dmp

Filesize
3.3MB

Download
memory/2356-148-0x000000013FE20000-0x0000000140174000-memory.dmp

Filesize
3.3MB

Download
memory/2356-84-0x000000013FE20000-0x0000000140174000-memory.dmp

Filesize
3.3MB

Download
memory/2364-50-0x000000013FDB0000-0x0000000140104000-memory.dmp

Filesize
3.3MB

Download
memory/2364-145-0x000000013FDB0000-0x0000000140104000-memory.dmp

Filesize
3.3MB

Download
memory/2424-146-0x000000013FBC0000-0x000000013FF14000-memory.dmp

Filesize
3.3MB

Download
memory/2424-49-0x000000013FBC0000-0x000000013FF14000-memory.dmp

Filesize
3.3MB

Download
memory/2476-140-0x000000013FC60000-0x000000013FFB4000-memory.dmp

Filesize
3.3MB

Download
memory/2476-58-0x000000013FC60000-0x000000013FFB4000-memory.dmp

Filesize
3.3MB

Download
memory/2476-15-0x000000013FC60000-0x000000013FFB4000-memory.dmp

Filesize
3.3MB

Download
memory/2552-111-0x000000013F0A0000-0x000000013F3F4000-memory.dmp

Filesize
3.3MB

Download
memory/2552-90-0x00000000023B0000-0x0000000002704000-memory.dmp

Filesize
3.3MB

Download
memory/2552-18-0x000000013F8F0000-0x000000013FC44000-memory.dmp

Filesize
3.3MB

Download
memory/2552-100-0x00000000023B0000-0x0000000002704000-memory.dmp

Filesize
3.3MB

Download
memory/2552-1-0x0000000000080000-0x0000000000090000-memory.dmp

Filesize
64KB

Download
memory/2552-55-0x000000013FBB0000-0x000000013FF04000-memory.dmp

Filesize
3.3MB

Download
memory/2552-57-0x000000013FFA0000-0x00000001402F4000-memory.dmp

Filesize
3.3MB

Download
memory/2552-0-0x000000013FFA0000-0x00000001402F4000-memory.dmp

Filesize
3.3MB

Download
memory/2552-64-0x00000000023B0000-0x0000000002704000-memory.dmp

Filesize
3.3MB

Download
memory/2552-43-0x000000013FBC0000-0x000000013FF14000-memory.dmp

Filesize
3.3MB

Download
memory/2552-96-0x00000000023B0000-0x0000000002704000-memory.dmp

Filesize
3.3MB

Download
memory/2552-110-0x000000013F380000-0x000000013F6D4000-memory.dmp

Filesize
3.3MB

Download
memory/2552-7-0x00000000023B0000-0x0000000002704000-memory.dmp

Filesize
3.3MB

Download
memory/2552-48-0x00000000023B0000-0x0000000002704000-memory.dmp

Filesize
3.3MB

Download
memory/2552-33-0x000000013FBE0000-0x000000013FF34000-memory.dmp

Filesize
3.3MB

Download
memory/2552-139-0x000000013FC10000-0x000000013FF64000-memory.dmp

Filesize
3.3MB

Download
memory/2552-135-0x00000000023B0000-0x0000000002704000-memory.dmp

Filesize
3.3MB

Download
memory/2552-20-0x000000013F040000-0x000000013F394000-memory.dmp

Filesize
3.3MB

Download
memory/2552-138-0x000000013F380000-0x000000013F6D4000-memory.dmp

Filesize
3.3MB

Download
memory/2572-19-0x000000013F040000-0x000000013F394000-memory.dmp

Filesize
3.3MB

Download
memory/2572-141-0x000000013F040000-0x000000013F394000-memory.dmp

Filesize
3.3MB

Download
memory/2624-22-0x000000013F8F0000-0x000000013FC44000-memory.dmp

Filesize
3.3MB

Download
memory/2624-104-0x000000013F8F0000-0x000000013FC44000-memory.dmp

Filesize
3.3MB

Download
memory/2624-142-0x000000013F8F0000-0x000000013FC44000-memory.dmp

Filesize
3.3MB

Download
memory/2628-144-0x000000013FBE0000-0x000000013FF34000-memory.dmp

Filesize
3.3MB

Download
memory/2628-47-0x000000013FBE0000-0x000000013FF34000-memory.dmp

Filesize
3.3MB

Download
memory/2656-143-0x000000013FFB0000-0x0000000140304000-memory.dmp

Filesize
3.3MB

Download
memory/2656-29-0x000000013FFB0000-0x0000000140304000-memory.dmp

Filesize
3.3MB

Download
memory/2656-134-0x000000013FFB0000-0x0000000140304000-memory.dmp

Filesize
3.3MB

Download
memory/2692-136-0x000000013FFA0000-0x00000001402F4000-memory.dmp

Filesize
3.3MB

Download
memory/2692-151-0x000000013FFA0000-0x00000001402F4000-memory.dmp

Filesize
3.3MB

Download
memory/2880-147-0x000000013FBB0000-0x000000013FF04000-memory.dmp

Filesize
3.3MB

Download
memory/2880-59-0x000000013FBB0000-0x000000013FF04000-memory.dmp

Filesize
3.3MB

Download