cobaltstrike | ee296b4d4c9b1033637572ee9c8a544e6e9bfeca2ef255ac180987c3efd2417e

Analysis

max time kernel
136s
max time network
147s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
15/06/2024, 00:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe
Size

5.9MB
MD5

b16cc90b62e45626102f436e52ddd03c
SHA1

2965ede39a97f11a54260f533adccccd53b59f34
SHA256

ee296b4d4c9b1033637572ee9c8a544e6e9bfeca2ef255ac180987c3efd2417e
SHA512

64496a85ea8a4996684246df715ed3bc77604c2bac4878f066ff827b7aaf32645a91226e80f0aa091e7a9557b8d0e3040bd5e4b3aff12963a8a9f97ac70a1e32
SSDEEP

98304:oemTLkNdfE0pZrt56utgpPFotBER/mQ32lUU:T+856utgpPF8u/7U

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x000c0000000144e4-3.dat	cobalt_reflective_dll
behavioral1/files/0x003400000001471d-9.dat	cobalt_reflective_dll
behavioral1/files/0x000e000000014971-11.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000014b27-26.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015d8f-134.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000014baa-100.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015d79-97.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015d67-88.dat	cobalt_reflective_dll
behavioral1/files/0x0033000000014726-82.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015d56-78.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015d28-66.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015ce1-59.dat	cobalt_reflective_dll
behavioral1/files/0x000a000000014bea-58.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000014b63-57.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015ceb-52.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015d87-115.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015d6f-114.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015d5e-113.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015d4a-112.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015d07-111.dat	cobalt_reflective_dll
behavioral1/files/0x000a000000014e51-109.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

resource	yara_rule
behavioral1/files/0x000c0000000144e4-3.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x003400000001471d-9.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x000e000000014971-11.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000014b27-26.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015d8f-134.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000014baa-100.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015d79-97.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015d67-88.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0033000000014726-82.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015d56-78.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015d28-66.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000015ce1-59.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x000a000000014bea-58.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000014b63-57.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015ceb-52.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015d87-115.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015d6f-114.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015d5e-113.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015d4a-112.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015d07-111.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x000a000000014e51-109.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 46 IoCs

resource	yara_rule
behavioral1/memory/2104-0-0x000000013FE70000-0x00000001401C4000-memory.dmp	UPX
behavioral1/files/0x000c0000000144e4-3.dat	UPX
behavioral1/memory/2088-8-0x000000013F120000-0x000000013F474000-memory.dmp	UPX
behavioral1/files/0x003400000001471d-9.dat	UPX
behavioral1/memory/3068-14-0x000000013F750000-0x000000013FAA4000-memory.dmp	UPX
behavioral1/files/0x000e000000014971-11.dat	UPX
behavioral1/memory/2320-22-0x000000013F5F0000-0x000000013F944000-memory.dmp	UPX
behavioral1/files/0x0007000000014b27-26.dat	UPX
behavioral1/files/0x0006000000015d8f-134.dat	UPX
behavioral1/files/0x0007000000014baa-100.dat	UPX
behavioral1/files/0x0006000000015d79-97.dat	UPX
behavioral1/files/0x0006000000015d67-88.dat	UPX
behavioral1/files/0x0033000000014726-82.dat	UPX
behavioral1/files/0x0006000000015d56-78.dat	UPX
behavioral1/memory/2104-72-0x000000013FE70000-0x00000001401C4000-memory.dmp	UPX
behavioral1/files/0x0006000000015d28-66.dat	UPX
behavioral1/memory/3068-136-0x000000013F750000-0x000000013FAA4000-memory.dmp	UPX
behavioral1/files/0x0007000000015ce1-59.dat	UPX
behavioral1/files/0x000a000000014bea-58.dat	UPX
behavioral1/files/0x0007000000014b63-57.dat	UPX
behavioral1/files/0x0006000000015ceb-52.dat	UPX
behavioral1/memory/2644-137-0x000000013F020000-0x000000013F374000-memory.dmp	UPX
behavioral1/files/0x0006000000015d87-115.dat	UPX
behavioral1/files/0x0006000000015d6f-114.dat	UPX
behavioral1/files/0x0006000000015d5e-113.dat	UPX
behavioral1/files/0x0006000000015d4a-112.dat	UPX
behavioral1/files/0x0006000000015d07-111.dat	UPX
behavioral1/memory/2564-110-0x000000013F9A0000-0x000000013FCF4000-memory.dmp	UPX
behavioral1/files/0x000a000000014e51-109.dat	UPX
behavioral1/memory/2660-87-0x000000013FD60000-0x00000001400B4000-memory.dmp	UPX
behavioral1/memory/2852-77-0x000000013FDE0000-0x0000000140134000-memory.dmp	UPX
behavioral1/memory/1860-65-0x000000013F280000-0x000000013F5D4000-memory.dmp	UPX
behavioral1/memory/2828-63-0x000000013FD50000-0x00000001400A4000-memory.dmp	UPX
behavioral1/memory/2644-34-0x000000013F020000-0x000000013F374000-memory.dmp	UPX
behavioral1/memory/1860-139-0x000000013F280000-0x000000013F5D4000-memory.dmp	UPX
behavioral1/memory/2828-138-0x000000013FD50000-0x00000001400A4000-memory.dmp	UPX
behavioral1/memory/2660-141-0x000000013FD60000-0x00000001400B4000-memory.dmp	UPX
behavioral1/memory/2088-142-0x000000013F120000-0x000000013F474000-memory.dmp	UPX
behavioral1/memory/3068-143-0x000000013F750000-0x000000013FAA4000-memory.dmp	UPX
behavioral1/memory/2320-144-0x000000013F5F0000-0x000000013F944000-memory.dmp	UPX
behavioral1/memory/2644-145-0x000000013F020000-0x000000013F374000-memory.dmp	UPX
behavioral1/memory/1860-146-0x000000013F280000-0x000000013F5D4000-memory.dmp	UPX
behavioral1/memory/2852-147-0x000000013FDE0000-0x0000000140134000-memory.dmp	UPX
behavioral1/memory/2828-148-0x000000013FD50000-0x00000001400A4000-memory.dmp	UPX
behavioral1/memory/2660-149-0x000000013FD60000-0x00000001400B4000-memory.dmp	UPX
behavioral1/memory/2564-150-0x000000013F9A0000-0x000000013FCF4000-memory.dmp	UPX

XMRig Miner payload 46 IoCs

miner

resource	yara_rule
behavioral1/memory/2104-0-0x000000013FE70000-0x00000001401C4000-memory.dmp	xmrig
behavioral1/files/0x000c0000000144e4-3.dat	xmrig
behavioral1/memory/2088-8-0x000000013F120000-0x000000013F474000-memory.dmp	xmrig
behavioral1/files/0x003400000001471d-9.dat	xmrig
behavioral1/memory/3068-14-0x000000013F750000-0x000000013FAA4000-memory.dmp	xmrig
behavioral1/files/0x000e000000014971-11.dat	xmrig
behavioral1/memory/2320-22-0x000000013F5F0000-0x000000013F944000-memory.dmp	xmrig
behavioral1/files/0x0007000000014b27-26.dat	xmrig
behavioral1/files/0x0006000000015d8f-134.dat	xmrig
behavioral1/files/0x0007000000014baa-100.dat	xmrig
behavioral1/files/0x0006000000015d79-97.dat	xmrig
behavioral1/files/0x0006000000015d67-88.dat	xmrig
behavioral1/files/0x0033000000014726-82.dat	xmrig
behavioral1/files/0x0006000000015d56-78.dat	xmrig
behavioral1/memory/2104-72-0x000000013FE70000-0x00000001401C4000-memory.dmp	xmrig
behavioral1/files/0x0006000000015d28-66.dat	xmrig
behavioral1/memory/3068-136-0x000000013F750000-0x000000013FAA4000-memory.dmp	xmrig
behavioral1/files/0x0007000000015ce1-59.dat	xmrig
behavioral1/files/0x000a000000014bea-58.dat	xmrig
behavioral1/files/0x0007000000014b63-57.dat	xmrig
behavioral1/files/0x0006000000015ceb-52.dat	xmrig
behavioral1/memory/2644-137-0x000000013F020000-0x000000013F374000-memory.dmp	xmrig
behavioral1/files/0x0006000000015d87-115.dat	xmrig
behavioral1/files/0x0006000000015d6f-114.dat	xmrig
behavioral1/files/0x0006000000015d5e-113.dat	xmrig
behavioral1/files/0x0006000000015d4a-112.dat	xmrig
behavioral1/files/0x0006000000015d07-111.dat	xmrig
behavioral1/memory/2564-110-0x000000013F9A0000-0x000000013FCF4000-memory.dmp	xmrig
behavioral1/files/0x000a000000014e51-109.dat	xmrig
behavioral1/memory/2660-87-0x000000013FD60000-0x00000001400B4000-memory.dmp	xmrig
behavioral1/memory/2852-77-0x000000013FDE0000-0x0000000140134000-memory.dmp	xmrig
behavioral1/memory/1860-65-0x000000013F280000-0x000000013F5D4000-memory.dmp	xmrig
behavioral1/memory/2828-63-0x000000013FD50000-0x00000001400A4000-memory.dmp	xmrig
behavioral1/memory/2644-34-0x000000013F020000-0x000000013F374000-memory.dmp	xmrig
behavioral1/memory/1860-139-0x000000013F280000-0x000000013F5D4000-memory.dmp	xmrig
behavioral1/memory/2828-138-0x000000013FD50000-0x00000001400A4000-memory.dmp	xmrig
behavioral1/memory/2660-141-0x000000013FD60000-0x00000001400B4000-memory.dmp	xmrig
behavioral1/memory/2088-142-0x000000013F120000-0x000000013F474000-memory.dmp	xmrig
behavioral1/memory/3068-143-0x000000013F750000-0x000000013FAA4000-memory.dmp	xmrig
behavioral1/memory/2320-144-0x000000013F5F0000-0x000000013F944000-memory.dmp	xmrig
behavioral1/memory/2644-145-0x000000013F020000-0x000000013F374000-memory.dmp	xmrig
behavioral1/memory/1860-146-0x000000013F280000-0x000000013F5D4000-memory.dmp	xmrig
behavioral1/memory/2852-147-0x000000013FDE0000-0x0000000140134000-memory.dmp	xmrig
behavioral1/memory/2828-148-0x000000013FD50000-0x00000001400A4000-memory.dmp	xmrig
behavioral1/memory/2660-149-0x000000013FD60000-0x00000001400B4000-memory.dmp	xmrig
behavioral1/memory/2564-150-0x000000013F9A0000-0x000000013FCF4000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2088	heGrDdR.exe
3068	xvCGRkO.exe
2320	jKgjsPD.exe
2644	vecTZzi.exe
2852	IsRObje.exe
2828	IhCCdrE.exe
1860	IsFMPUx.exe
2660	PPpbJAf.exe
2564	zBEOCrh.exe
3032	IRnknYX.exe
2608	WeBoXhr.exe
1612	xKHHYkc.exe
2988	DITckOK.exe
2380	FuETTpR.exe
1812	kXjaiNA.exe
2436	igeAFWg.exe
2480	zuUAeVV.exe
2928	vrrCzHh.exe
3000	ScqWxWP.exe
2080	DdbzJhO.exe
2724	TqxTzAM.exe

Loads dropped DLL 21 IoCs

pid	Process
2104	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe
2104	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe
2104	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe
2104	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe
2104	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe
2104	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe
2104	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe
2104	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe
2104	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe
2104	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe
2104	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe
2104	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe
2104	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe
2104	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe
2104	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe
2104	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe
2104	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe
2104	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe
2104	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe
2104	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe
2104	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe

UPX packed file 46 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2104-0-0x000000013FE70000-0x00000001401C4000-memory.dmp	upx
behavioral1/files/0x000c0000000144e4-3.dat	upx
behavioral1/memory/2088-8-0x000000013F120000-0x000000013F474000-memory.dmp	upx
behavioral1/files/0x003400000001471d-9.dat	upx
behavioral1/memory/3068-14-0x000000013F750000-0x000000013FAA4000-memory.dmp	upx
behavioral1/files/0x000e000000014971-11.dat	upx
behavioral1/memory/2320-22-0x000000013F5F0000-0x000000013F944000-memory.dmp	upx
behavioral1/files/0x0007000000014b27-26.dat	upx
behavioral1/files/0x0006000000015d8f-134.dat	upx
behavioral1/files/0x0007000000014baa-100.dat	upx
behavioral1/files/0x0006000000015d79-97.dat	upx
behavioral1/files/0x0006000000015d67-88.dat	upx
behavioral1/files/0x0033000000014726-82.dat	upx
behavioral1/files/0x0006000000015d56-78.dat	upx
behavioral1/memory/2104-72-0x000000013FE70000-0x00000001401C4000-memory.dmp	upx
behavioral1/files/0x0006000000015d28-66.dat	upx
behavioral1/memory/3068-136-0x000000013F750000-0x000000013FAA4000-memory.dmp	upx
behavioral1/files/0x0007000000015ce1-59.dat	upx
behavioral1/files/0x000a000000014bea-58.dat	upx
behavioral1/files/0x0007000000014b63-57.dat	upx
behavioral1/files/0x0006000000015ceb-52.dat	upx
behavioral1/memory/2644-137-0x000000013F020000-0x000000013F374000-memory.dmp	upx
behavioral1/files/0x0006000000015d87-115.dat	upx
behavioral1/files/0x0006000000015d6f-114.dat	upx
behavioral1/files/0x0006000000015d5e-113.dat	upx
behavioral1/files/0x0006000000015d4a-112.dat	upx
behavioral1/files/0x0006000000015d07-111.dat	upx
behavioral1/memory/2564-110-0x000000013F9A0000-0x000000013FCF4000-memory.dmp	upx
behavioral1/files/0x000a000000014e51-109.dat	upx
behavioral1/memory/2660-87-0x000000013FD60000-0x00000001400B4000-memory.dmp	upx
behavioral1/memory/2852-77-0x000000013FDE0000-0x0000000140134000-memory.dmp	upx
behavioral1/memory/1860-65-0x000000013F280000-0x000000013F5D4000-memory.dmp	upx
behavioral1/memory/2828-63-0x000000013FD50000-0x00000001400A4000-memory.dmp	upx
behavioral1/memory/2644-34-0x000000013F020000-0x000000013F374000-memory.dmp	upx
behavioral1/memory/1860-139-0x000000013F280000-0x000000013F5D4000-memory.dmp	upx
behavioral1/memory/2828-138-0x000000013FD50000-0x00000001400A4000-memory.dmp	upx
behavioral1/memory/2660-141-0x000000013FD60000-0x00000001400B4000-memory.dmp	upx
behavioral1/memory/2088-142-0x000000013F120000-0x000000013F474000-memory.dmp	upx
behavioral1/memory/3068-143-0x000000013F750000-0x000000013FAA4000-memory.dmp	upx
behavioral1/memory/2320-144-0x000000013F5F0000-0x000000013F944000-memory.dmp	upx
behavioral1/memory/2644-145-0x000000013F020000-0x000000013F374000-memory.dmp	upx
behavioral1/memory/1860-146-0x000000013F280000-0x000000013F5D4000-memory.dmp	upx
behavioral1/memory/2852-147-0x000000013FDE0000-0x0000000140134000-memory.dmp	upx
behavioral1/memory/2828-148-0x000000013FD50000-0x00000001400A4000-memory.dmp	upx
behavioral1/memory/2660-149-0x000000013FD60000-0x00000001400B4000-memory.dmp	upx
behavioral1/memory/2564-150-0x000000013F9A0000-0x000000013FCF4000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\DITckOK.exe	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\xvCGRkO.exe	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\zBEOCrh.exe	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\IhCCdrE.exe	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\IsFMPUx.exe	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\igeAFWg.exe	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\zuUAeVV.exe	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\xKHHYkc.exe	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ScqWxWP.exe	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\heGrDdR.exe	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\PPpbJAf.exe	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\DdbzJhO.exe	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\kXjaiNA.exe	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\jKgjsPD.exe	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\vecTZzi.exe	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\IRnknYX.exe	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\FuETTpR.exe	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\IsRObje.exe	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\WeBoXhr.exe	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\vrrCzHh.exe	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\TqxTzAM.exe	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2104	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	2104	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2104 wrote to memory of 2088	2104	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe	29
PID 2104 wrote to memory of 2088	2104	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe	29
PID 2104 wrote to memory of 2088	2104	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe	29
PID 2104 wrote to memory of 3068	2104	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe	30
PID 2104 wrote to memory of 3068	2104	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe	30
PID 2104 wrote to memory of 3068	2104	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe	30
PID 2104 wrote to memory of 2320	2104	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe	31
PID 2104 wrote to memory of 2320	2104	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe	31
PID 2104 wrote to memory of 2320	2104	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe	31
PID 2104 wrote to memory of 2644	2104	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe	32
PID 2104 wrote to memory of 2644	2104	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe	32
PID 2104 wrote to memory of 2644	2104	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe	32
PID 2104 wrote to memory of 2660	2104	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe	33
PID 2104 wrote to memory of 2660	2104	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe	33
PID 2104 wrote to memory of 2660	2104	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe	33
PID 2104 wrote to memory of 2852	2104	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe	34
PID 2104 wrote to memory of 2852	2104	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe	34
PID 2104 wrote to memory of 2852	2104	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe	34
PID 2104 wrote to memory of 2564	2104	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe	35
PID 2104 wrote to memory of 2564	2104	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe	35
PID 2104 wrote to memory of 2564	2104	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe	35
PID 2104 wrote to memory of 2828	2104	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe	36
PID 2104 wrote to memory of 2828	2104	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe	36
PID 2104 wrote to memory of 2828	2104	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe	36
PID 2104 wrote to memory of 3032	2104	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe	37
PID 2104 wrote to memory of 3032	2104	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe	37
PID 2104 wrote to memory of 3032	2104	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe	37
PID 2104 wrote to memory of 1860	2104	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe	38
PID 2104 wrote to memory of 1860	2104	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe	38
PID 2104 wrote to memory of 1860	2104	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe	38
PID 2104 wrote to memory of 2436	2104	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe	39
PID 2104 wrote to memory of 2436	2104	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe	39
PID 2104 wrote to memory of 2436	2104	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe	39
PID 2104 wrote to memory of 2608	2104	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe	40
PID 2104 wrote to memory of 2608	2104	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe	40
PID 2104 wrote to memory of 2608	2104	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe	40
PID 2104 wrote to memory of 2480	2104	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe	41
PID 2104 wrote to memory of 2480	2104	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe	41
PID 2104 wrote to memory of 2480	2104	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe	41
PID 2104 wrote to memory of 1612	2104	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe	42
PID 2104 wrote to memory of 1612	2104	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe	42
PID 2104 wrote to memory of 1612	2104	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe	42
PID 2104 wrote to memory of 2928	2104	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe	43
PID 2104 wrote to memory of 2928	2104	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe	43
PID 2104 wrote to memory of 2928	2104	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe	43
PID 2104 wrote to memory of 2988	2104	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe	44
PID 2104 wrote to memory of 2988	2104	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe	44
PID 2104 wrote to memory of 2988	2104	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe	44
PID 2104 wrote to memory of 3000	2104	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe	45
PID 2104 wrote to memory of 3000	2104	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe	45
PID 2104 wrote to memory of 3000	2104	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe	45
PID 2104 wrote to memory of 2380	2104	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe	46
PID 2104 wrote to memory of 2380	2104	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe	46
PID 2104 wrote to memory of 2380	2104	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe	46
PID 2104 wrote to memory of 2080	2104	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe	47
PID 2104 wrote to memory of 2080	2104	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe	47
PID 2104 wrote to memory of 2080	2104	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe	47
PID 2104 wrote to memory of 1812	2104	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe	48
PID 2104 wrote to memory of 1812	2104	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe	48
PID 2104 wrote to memory of 1812	2104	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe	48
PID 2104 wrote to memory of 2724	2104	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe	49
PID 2104 wrote to memory of 2724	2104	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe	49
PID 2104 wrote to memory of 2724	2104	2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe	49

C:\Users\Admin\AppData\Local\Temp\2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-15_b16cc90b62e45626102f436e52ddd03c_cobalt-strike_cobaltstrike.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2104
- C:\Windows\System\heGrDdR.exe
  C:\Windows\System\heGrDdR.exe
  2⤵
  - Executes dropped EXE
  PID:2088
- C:\Windows\System\xvCGRkO.exe
  C:\Windows\System\xvCGRkO.exe
  2⤵
  - Executes dropped EXE
  PID:3068
- C:\Windows\System\jKgjsPD.exe
  C:\Windows\System\jKgjsPD.exe
  2⤵
  - Executes dropped EXE
  PID:2320
- C:\Windows\System\vecTZzi.exe
  C:\Windows\System\vecTZzi.exe
  2⤵
  - Executes dropped EXE
  PID:2644
- C:\Windows\System\PPpbJAf.exe
  C:\Windows\System\PPpbJAf.exe
  2⤵
  - Executes dropped EXE
  PID:2660
- C:\Windows\System\IsRObje.exe
  C:\Windows\System\IsRObje.exe
  2⤵
  - Executes dropped EXE
  PID:2852
- C:\Windows\System\zBEOCrh.exe
  C:\Windows\System\zBEOCrh.exe
  2⤵
  - Executes dropped EXE
  PID:2564
- C:\Windows\System\IhCCdrE.exe
  C:\Windows\System\IhCCdrE.exe
  2⤵
  - Executes dropped EXE
  PID:2828
- C:\Windows\System\IRnknYX.exe
  C:\Windows\System\IRnknYX.exe
  2⤵
  - Executes dropped EXE
  PID:3032
- C:\Windows\System\IsFMPUx.exe
  C:\Windows\System\IsFMPUx.exe
  2⤵
  - Executes dropped EXE
  PID:1860
- C:\Windows\System\igeAFWg.exe
  C:\Windows\System\igeAFWg.exe
  2⤵
  - Executes dropped EXE
  PID:2436
- C:\Windows\System\WeBoXhr.exe
  C:\Windows\System\WeBoXhr.exe
  2⤵
  - Executes dropped EXE
  PID:2608
- C:\Windows\System\zuUAeVV.exe
  C:\Windows\System\zuUAeVV.exe
  2⤵
  - Executes dropped EXE
  PID:2480
- C:\Windows\System\xKHHYkc.exe
  C:\Windows\System\xKHHYkc.exe
  2⤵
  - Executes dropped EXE
  PID:1612
- C:\Windows\System\vrrCzHh.exe
  C:\Windows\System\vrrCzHh.exe
  2⤵
  - Executes dropped EXE
  PID:2928
- C:\Windows\System\DITckOK.exe
  C:\Windows\System\DITckOK.exe
  2⤵
  - Executes dropped EXE
  PID:2988
- C:\Windows\System\ScqWxWP.exe
  C:\Windows\System\ScqWxWP.exe
  2⤵
  - Executes dropped EXE
  PID:3000
- C:\Windows\System\FuETTpR.exe
  C:\Windows\System\FuETTpR.exe
  2⤵
  - Executes dropped EXE
  PID:2380
- C:\Windows\System\DdbzJhO.exe
  C:\Windows\System\DdbzJhO.exe
  2⤵
  - Executes dropped EXE
  PID:2080
- C:\Windows\System\kXjaiNA.exe
  C:\Windows\System\kXjaiNA.exe
  2⤵
  - Executes dropped EXE
  PID:1812
- C:\Windows\System\TqxTzAM.exe
  C:\Windows\System\TqxTzAM.exe
  2⤵
  - Executes dropped EXE
  PID:2724

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\DITckOK.exe

Filesize
5.9MB

MD5
a2115adac682471fa304694d16a56c8e

SHA1
38bee7256464c317dd2c38d6005555e3c811e2c6

SHA256
786ef1e858542b1c0c731df419abd4f3609d8162952179b0474a162376768c5e

SHA512
766e0740d54188411a766665060b5b4c9a6b7b09d83ce00ff4275b93e632c8bc85d16d3d7bd75feee8c7646e0b3f44c7cbcf82e281bcaab77512a68e01dcf8ea

Download Submit
C:\Windows\system\FuETTpR.exe

Filesize
5.9MB

MD5
f417b5021873f0064adaeb4143153574

SHA1
9f48891a1b5dacca5abc95201a6aac05eaf8242c

SHA256
e33e9824b28c2a50e55485e4cc3ac03584bc92a8ca65f0f64e05f6d3756e1a6f

SHA512
81d98a2cd5134774d30f0365a7607bc127f293d83c247adea3e8c1c81147371c5e7fcd88d07d054743191a9c867d7e154b5940f4f5fbf9ccf59399275ae31a99

Download Submit
C:\Windows\system\IRnknYX.exe

Filesize
5.9MB

MD5
4a507734696422c838f0c77d3b0c48d2

SHA1
d58f79304ad8c7cc9a67caf33916d2c23c35a7b8

SHA256
09071efa43c720fb20d6a9c006ab32f675f726c2a41dd823a4a94ec5c7fe2446

SHA512
c3713f746d735525debc89236499e08979b3e42fee2b7c98ac369455be98ab35598270925d39779709a641d3da1f63a5d7e49d73abfde1e9bc6b1459f4a4f898

Download Submit
C:\Windows\system\IhCCdrE.exe

Filesize
5.9MB

MD5
79c76e30ad688b7ea65f62b0031b5b10

SHA1
447f4c2a72aa1a7f1fbefad777486f87c77c184e

SHA256
504a43979f9d4123892f64b55f9e19166aca2f922e20874ca8ea1bbd819108f7

SHA512
31b506246487b3a8b375684f42fde8755660c010fd4420202cf2d30e401dc74c394a6e8b599b9cb108b1739ce521f3545cab9fd71d7887aa5be108719d2850e4

Download Submit
C:\Windows\system\IsFMPUx.exe

Filesize
5.9MB

MD5
ffc87a2794ec96f4f2ec2a86cf73f926

SHA1
4167ed3408d561af003f420f1e9c1c19a1950ecb

SHA256
73e099e646559f2f8b46f356af0a5249057ca4dca3e09fffda830aecc6a49888

SHA512
1e2f58d3ba305d51af7554cf9af17e198d0cd4dfac6739b156918a1fa2f52887ca863593492efadeff550e7d670f54255788e8b7e73338fd50147f299b6f8ffa

Download Submit
C:\Windows\system\IsRObje.exe

Filesize
5.9MB

MD5
58d1ddf1dd4e06216a966f47ba8d202a

SHA1
c8bbc793d233700f2fa8fab767893bcc395a0e52

SHA256
aa3b19de4246ceb471d06114f5345eaa9c2d7d24edd790f90965577d5bc070dd

SHA512
58622d4d6f1ade4941a1d5c000661e06ac574c05f5b43e04b63e2fdaadd7b155bb9ecdfb57a2401fdd75968ef59841f4c96da9f86a8102a3cf49d413d6de0fea

Download Submit
C:\Windows\system\PPpbJAf.exe

Filesize
5.9MB

MD5
6a24f0728027762b1b4fd61fe4a20e94

SHA1
9d61c2cc6bb5808527fa467fe2a03c19e82ee52a

SHA256
68c13813c9fe9b1e1c08490a396869cbc0766c04430306f383fad98987acbceb

SHA512
4c48b6ed66cd45fb6c0c7d49f99d3ccd9a44c19fe0809cb9c44ba259fe47adda35519c5ecd5ea07a69db4cd922243c060973db98f4dbacf9a12d891661e9f0a2

Download Submit
C:\Windows\system\TqxTzAM.exe

Filesize
5.9MB

MD5
5e2adb59cb449b4d5bfc11da01818f3a

SHA1
09c327a14159c92afa090b3c488ba63958b1c615

SHA256
601111660e9de4b826b700d2cd07078e811b6dba1d2cbf5bd1a5e1dbe01ca179

SHA512
06e23a8318192c8b2f2080a8d2971353fcec47904263e03e6c0dcc894b2cfd0f5015c0e11ddd8245c05df0adad924fc6330d09d38e2b4028ff160c937af8ce21

Download Submit
C:\Windows\system\WeBoXhr.exe

Filesize
5.9MB

MD5
eba5ddb34ce1f81afe5f9c5f977f67e3

SHA1
e38e949d475e9e906fb505d67ec44255dcdc375f

SHA256
27c35db6232c109d626e4ec01b7ad8cb90ded6aad4e8fb848c546386fb0287b9

SHA512
7e3753c4113e123e0c2854ebd1b9542f797970a91e0313e2442268bcf7ae418b4f50564a258ae5905b3f0c37bb308e188eb585b2e5842eeaf17d0532e56d5417

Download Submit
C:\Windows\system\jKgjsPD.exe

Filesize
5.9MB

MD5
f81bcb13520a19e7078c50636193963f

SHA1
b47dfe1f83ea7b77767fa90b9871f82c9ad90de8

SHA256
372de9c05568a525f14100ecf65b2b0240c64d451f435ba51fb00f8d685064e2

SHA512
9ea312fc855478afa27c5cf5bbab8eff5191ea9db02fb956ed47ea5972884a7645a26a440fb30e637a5fc9c80bd77e7667ea570e4377d4d41b29e0ce3bf123cc

Download Submit
C:\Windows\system\kXjaiNA.exe

Filesize
5.9MB

MD5
3ee3c0435920e7f9c70e143b85bf5109

SHA1
275c3ec319ca0d11195405a9bfa8bc830dcac326

SHA256
b5b57b8fc6035b10696f42bdbb055068d4326c165503b44924e94355a5f37f5d

SHA512
e4497e47d86e27ba62d7e16bb1b82e4a6c717a96892fc22f76a9c241fe5b35687d849fc4c974f13724a8d233ec635172c08a455bad873563a21f6a26622278ba

Download Submit
C:\Windows\system\vecTZzi.exe

Filesize
5.9MB

MD5
ccf0fde38112f8b7d4714fcd2086299f

SHA1
a77b40057589778eb96774f1ab54867f67ec6575

SHA256
b8424eba384d46d7bdc0abb1389e93f7147e26c2e9bde45df17a6de8c16b2e76

SHA512
13e2f168ddd6a3b9e088381ffed4b71b7e750865dcc069babe0459e0fda749ed382a05c727d872e45151fa422cf3adf67d66eb2b47860bb9508bebdbd8dc20aa

Download Submit
C:\Windows\system\xKHHYkc.exe

Filesize
5.9MB

MD5
41257474001bcd6d15c8a569ecec0650

SHA1
4634da6c2e42d1a30cb51704322113daa2779e0c

SHA256
21360af22c684a3c0b469fef5b81bec695fb6c58c395de1f01b4bfeffa0ce545

SHA512
04b66126193741255f127591bafaecc63431bd6464908c9acc7c6cca98fc3f12cf9d57b9a247db3725c27af93b3c6b231eb7e0f791448e1b08c6e5fe225ac1b4

Download Submit
C:\Windows\system\zBEOCrh.exe

Filesize
5.9MB

MD5
98a6202b220991971f52b4ca4a2240b9

SHA1
1dd9254c41982ff8704dd7023f0b91e3dbd5d7e1

SHA256
c6ef0eedb3cb924a63c25818a6cdd10d243f9feaeb9e7e2de5889223f1dabf75

SHA512
dd49440e666f59e9fadbbb8feeffbfd03544a8c5232bcb46c6aaa374301582ab1cbe94be03d07b232bfd119fbe906d57e59bc178e968703825ed2a5fe17af71c

Download Submit
\Windows\system\DdbzJhO.exe

Filesize
5.9MB

MD5
09d9714787687f469d444eda29def0d0

SHA1
da24fcb0d05cc1bb103f9f08da337f8bbb44f9f1

SHA256
c09b255b045f47339d7b63ff5bc73317b02f618b3daaa8f2e90c81f03fb02fbc

SHA512
dfecfd69b123ca300a83422e849072381a2014d4bf27ee16eaef51362be64390a5d3433584ca3e4c2c9116868803f512eae459b90dc3662fd036e5a663bc1797

Download Submit
\Windows\system\ScqWxWP.exe

Filesize
5.9MB

MD5
fd2b26936fa2270b74de23ecf8331514

SHA1
4ed0a1c4e7167922237d800ccf27a820929633f6

SHA256
552018bf914763a5f6d89bbfce95b4108c110bf34c5af7f84db856fb7bdf8861

SHA512
74602073dc7033bf2797195fb97fc077d74f5e68c9155944574d71e5fe2caecb148cd6640ba62cb35a8a1ff1e9dde40bf6f632d69ac26d3316e1d3e3f7e629f1

Download Submit
\Windows\system\heGrDdR.exe

Filesize
5.9MB

MD5
0e5299d4f5fe1df85e98b33f5d01bdbf

SHA1
58babb2895b572ac549d33418046ae413e764378

SHA256
000593cd712ae73d088b1c616705053c719d4821a132ea642129e5f9b5ba6ad2

SHA512
cafe5559ca22347b5f17934a2f4427d0579804f99f38f1e42a365c7d6a8098bd8d47dd103130eec79dd067a3b0f85a54a788cd90b4e36acd1bf822ccd4c9ab2a

Download Submit
\Windows\system\igeAFWg.exe

Filesize
5.9MB

MD5
0c4a08abdb0eccc1658007130450daa1

SHA1
d08bf53ffca19340ccf664cdadd43f294b20a25f

SHA256
aa78355345df378cfc86d5e7ccdc116e7ac306af9053c78dbf7e9e5749bdc0d8

SHA512
4902fa7d16df1d933569af824bd9ca0a3f8b95285da43bbb159fecd126b021807b6ec310db02aee63195147f3cc3cf52d0b023c15d16a69c6132d73d043c5c21

Download Submit
\Windows\system\vrrCzHh.exe

Filesize
5.9MB

MD5
41fba87ed2158448d36ec3f5c2857f3c

SHA1
9aef2055997efd53b2357199a1b7c2c710812c87

SHA256
f1a878325c61126a55acfbdd93c8e81e48300790fff9282c80d803c63b7d6947

SHA512
78468b0971c4dd1a3dc4a093bbc506892329c8bd0348e5e20d861213a8db921072c89d467d08b43ccff1515ab5b160e32c507c4b7a37481a4f96142a46c39897

Download Submit
\Windows\system\xvCGRkO.exe

Filesize
5.9MB

MD5
e3bf31fcd9334d973a5f97f0de57c4cf

SHA1
31071a4225fc6db055d37d5018ae8a06c8049f17

SHA256
09721e0c0819dfef597113cc225f36fca554d15a1ce12d923c8c8a41f6a5a2df

SHA512
05218de105463c20bae5c5b01fe9ff9dccc166f1f7547f53562b792c1eb0bd90dff2220ad60136ccf35c446a2328fcd3b5fddb48dd3df1e41be6b2fb4289ebdc

Download Submit
\Windows\system\zuUAeVV.exe

Filesize
5.9MB

MD5
8bfd1cc23e2b3aab1dbc93cdf235b1b5

SHA1
4f350c7a7266e60f7ba53d17172270730bbb2f90

SHA256
c3139a9ea37b4b7d9ae5b68a8e9050fef43c980ebb531e44b6f679e01b9d4354

SHA512
46b347ec324486586ed0cb0538f0349253fb72ba87f2d492ae0c517822afa9f0116fc0105f0462148562ece7cd310d1038f83a4bd53b2dfb4d3e9ae55aea9871

Download Submit
memory/1860-139-0x000000013F280000-0x000000013F5D4000-memory.dmp

Filesize
3.3MB

Download
memory/1860-65-0x000000013F280000-0x000000013F5D4000-memory.dmp

Filesize
3.3MB

Download
memory/1860-146-0x000000013F280000-0x000000013F5D4000-memory.dmp

Filesize
3.3MB

Download
memory/2088-142-0x000000013F120000-0x000000013F474000-memory.dmp

Filesize
3.3MB

Download
memory/2088-8-0x000000013F120000-0x000000013F474000-memory.dmp

Filesize
3.3MB

Download
memory/2104-55-0x000000013F0A0000-0x000000013F3F4000-memory.dmp

Filesize
3.3MB

Download
memory/2104-74-0x000000013F120000-0x000000013F474000-memory.dmp

Filesize
3.3MB

Download
memory/2104-60-0x000000013F0A0000-0x000000013F3F4000-memory.dmp

Filesize
3.3MB

Download
memory/2104-72-0x000000013FE70000-0x00000001401C4000-memory.dmp

Filesize
3.3MB

Download
memory/2104-56-0x000000013F280000-0x000000013F5D4000-memory.dmp

Filesize
3.3MB

Download
memory/2104-0-0x000000013FE70000-0x00000001401C4000-memory.dmp

Filesize
3.3MB

Download
memory/2104-81-0x000000013F610000-0x000000013F964000-memory.dmp

Filesize
3.3MB

Download
memory/2104-12-0x000000013F750000-0x000000013FAA4000-memory.dmp

Filesize
3.3MB

Download
memory/2104-46-0x0000000002280000-0x00000000025D4000-memory.dmp

Filesize
3.3MB

Download
memory/2104-119-0x000000013F4F0000-0x000000013F844000-memory.dmp

Filesize
3.3MB

Download
memory/2104-92-0x000000013F670000-0x000000013F9C4000-memory.dmp

Filesize
3.3MB

Download
memory/2104-28-0x000000013F020000-0x000000013F374000-memory.dmp

Filesize
3.3MB

Download
memory/2104-116-0x0000000002280000-0x00000000025D4000-memory.dmp

Filesize
3.3MB

Download
memory/2104-86-0x0000000002280000-0x00000000025D4000-memory.dmp

Filesize
3.3MB

Download
memory/2104-51-0x0000000002280000-0x00000000025D4000-memory.dmp

Filesize
3.3MB

Download
memory/2104-42-0x0000000002280000-0x00000000025D4000-memory.dmp

Filesize
3.3MB

Download
memory/2104-21-0x000000013F5F0000-0x000000013F944000-memory.dmp

Filesize
3.3MB

Download
memory/2104-108-0x0000000002280000-0x00000000025D4000-memory.dmp

Filesize
3.3MB

Download
memory/2104-103-0x000000013F750000-0x000000013FAA4000-memory.dmp

Filesize
3.3MB

Download
memory/2104-95-0x000000013F030000-0x000000013F384000-memory.dmp

Filesize
3.3MB

Download
memory/2104-1-0x00000000003F0000-0x0000000000400000-memory.dmp

Filesize
64KB

Download
memory/2104-49-0x000000013F9A0000-0x000000013FCF4000-memory.dmp

Filesize
3.3MB

Download
memory/2104-140-0x000000013F610000-0x000000013F964000-memory.dmp

Filesize
3.3MB

Download
memory/2320-22-0x000000013F5F0000-0x000000013F944000-memory.dmp

Filesize
3.3MB

Download
memory/2320-144-0x000000013F5F0000-0x000000013F944000-memory.dmp

Filesize
3.3MB

Download
memory/2564-110-0x000000013F9A0000-0x000000013FCF4000-memory.dmp

Filesize
3.3MB

Download
memory/2564-150-0x000000013F9A0000-0x000000013FCF4000-memory.dmp

Filesize
3.3MB

Download
memory/2644-145-0x000000013F020000-0x000000013F374000-memory.dmp

Filesize
3.3MB

Download
memory/2644-34-0x000000013F020000-0x000000013F374000-memory.dmp

Filesize
3.3MB

Download
memory/2644-137-0x000000013F020000-0x000000013F374000-memory.dmp

Filesize
3.3MB

Download
memory/2660-141-0x000000013FD60000-0x00000001400B4000-memory.dmp

Filesize
3.3MB

Download
memory/2660-87-0x000000013FD60000-0x00000001400B4000-memory.dmp

Filesize
3.3MB

Download
memory/2660-149-0x000000013FD60000-0x00000001400B4000-memory.dmp

Filesize
3.3MB

Download
memory/2828-138-0x000000013FD50000-0x00000001400A4000-memory.dmp

Filesize
3.3MB

Download
memory/2828-63-0x000000013FD50000-0x00000001400A4000-memory.dmp

Filesize
3.3MB

Download
memory/2828-148-0x000000013FD50000-0x00000001400A4000-memory.dmp

Filesize
3.3MB

Download
memory/2852-77-0x000000013FDE0000-0x0000000140134000-memory.dmp

Filesize
3.3MB

Download
memory/2852-147-0x000000013FDE0000-0x0000000140134000-memory.dmp

Filesize
3.3MB

Download
memory/3068-14-0x000000013F750000-0x000000013FAA4000-memory.dmp

Filesize
3.3MB

Download
memory/3068-143-0x000000013F750000-0x000000013FAA4000-memory.dmp

Filesize
3.3MB

Download
memory/3068-136-0x000000013F750000-0x000000013FAA4000-memory.dmp

Filesize
3.3MB

Download