cobaltstrike | 0bdd8cd05f34c0691b886484c36b34902b39ea0371384c7dbcb082b01d9ceba1

Analysis

max time kernel
143s
max time network
148s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
19-05-2024 05:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-19_c991960b73befe24c233628bb03cb063_cobalt-strike_cobaltstrike.exe
Size

5.2MB
MD5

c991960b73befe24c233628bb03cb063
SHA1

c597c010d26c7a81659842b3611562e7337cf1c1
SHA256

0bdd8cd05f34c0691b886484c36b34902b39ea0371384c7dbcb082b01d9ceba1
SHA512

0bfed29da2c8b4f820466b602495c2485bfbd3b46bab08e98db6f62208a65fc0104c1726a4525bd167b8bb6834aff9343355fc242c90e013fde620d1e3c1832e
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6l+:RWWBibf56utgpPFotBER/mQ32lUy

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
\Windows\system\KfIacKA.exe	cobalt_reflective_dll
\Windows\system\YRdxLmq.exe	cobalt_reflective_dll
\Windows\system\cIFXqJl.exe	cobalt_reflective_dll
C:\Windows\system\EwvHYAR.exe	cobalt_reflective_dll
\Windows\system\jTXTQWv.exe	cobalt_reflective_dll
C:\Windows\system\baXdWiy.exe	cobalt_reflective_dll
C:\Windows\system\zxdtLjf.exe	cobalt_reflective_dll
C:\Windows\system\iobtENf.exe	cobalt_reflective_dll
\Windows\system\SGqCZgB.exe	cobalt_reflective_dll
\Windows\system\LjnvaPq.exe	cobalt_reflective_dll
\Windows\system\oWYMlSg.exe	cobalt_reflective_dll
C:\Windows\system\RxOQBrH.exe	cobalt_reflective_dll
C:\Windows\system\yzzLced.exe	cobalt_reflective_dll
C:\Windows\system\MHHzhJX.exe	cobalt_reflective_dll
C:\Windows\system\BtZCvZT.exe	cobalt_reflective_dll
C:\Windows\system\APSxSJs.exe	cobalt_reflective_dll
C:\Windows\system\EgFTscb.exe	cobalt_reflective_dll
C:\Windows\system\cXaEFTm.exe	cobalt_reflective_dll
C:\Windows\system\bmYOZsn.exe	cobalt_reflective_dll
C:\Windows\system\enCecjp.exe	cobalt_reflective_dll
\Windows\system\AEHpvyy.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
\Windows\system\KfIacKA.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\YRdxLmq.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\cIFXqJl.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\EwvHYAR.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\jTXTQWv.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\baXdWiy.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\zxdtLjf.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\iobtENf.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\SGqCZgB.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\LjnvaPq.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\oWYMlSg.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\RxOQBrH.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\yzzLced.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\MHHzhJX.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\BtZCvZT.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\APSxSJs.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\EgFTscb.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\cXaEFTm.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\bmYOZsn.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\enCecjp.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\AEHpvyy.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2180-0-0x000000013F8F0000-0x000000013FC41000-memory.dmp	UPX
\Windows\system\KfIacKA.exe	UPX
behavioral1/memory/2180-6-0x000000013F0C0000-0x000000013F411000-memory.dmp	UPX
\Windows\system\YRdxLmq.exe	UPX
\Windows\system\cIFXqJl.exe	UPX
C:\Windows\system\EwvHYAR.exe	UPX
\Windows\system\jTXTQWv.exe	UPX
behavioral1/memory/2676-41-0x000000013F0A0000-0x000000013F3F1000-memory.dmp	UPX
behavioral1/memory/2792-43-0x000000013F900000-0x000000013FC51000-memory.dmp	UPX
C:\Windows\system\baXdWiy.exe	UPX
C:\Windows\system\zxdtLjf.exe	UPX
behavioral1/memory/2512-65-0x000000013FB00000-0x000000013FE51000-memory.dmp	UPX
C:\Windows\system\iobtENf.exe	UPX
\Windows\system\SGqCZgB.exe	UPX
\Windows\system\LjnvaPq.exe	UPX
\Windows\system\oWYMlSg.exe	UPX
C:\Windows\system\RxOQBrH.exe	UPX
C:\Windows\system\yzzLced.exe	UPX
C:\Windows\system\MHHzhJX.exe	UPX
C:\Windows\system\BtZCvZT.exe	UPX
C:\Windows\system\APSxSJs.exe	UPX
behavioral1/memory/2964-90-0x000000013F250000-0x000000013F5A1000-memory.dmp	UPX
behavioral1/memory/2880-84-0x000000013F780000-0x000000013FAD1000-memory.dmp	UPX
behavioral1/memory/3048-82-0x000000013F0C0000-0x000000013F411000-memory.dmp	UPX
C:\Windows\system\EgFTscb.exe	UPX
behavioral1/memory/1616-78-0x000000013FA60000-0x000000013FDB1000-memory.dmp	UPX
behavioral1/memory/2180-76-0x000000013F8F0000-0x000000013FC41000-memory.dmp	UPX
behavioral1/memory/2588-70-0x000000013F340000-0x000000013F691000-memory.dmp	UPX
C:\Windows\system\cXaEFTm.exe	UPX
behavioral1/memory/2632-60-0x000000013F790000-0x000000013FAE1000-memory.dmp	UPX
behavioral1/memory/3068-55-0x000000013F540000-0x000000013F891000-memory.dmp	UPX
behavioral1/memory/2784-49-0x000000013F170000-0x000000013F4C1000-memory.dmp	UPX
C:\Windows\system\bmYOZsn.exe	UPX
C:\Windows\system\enCecjp.exe	UPX
behavioral1/memory/3060-28-0x000000013FBA0000-0x000000013FEF1000-memory.dmp	UPX
\Windows\system\AEHpvyy.exe	UPX
behavioral1/memory/2628-36-0x000000013F700000-0x000000013FA51000-memory.dmp	UPX
behavioral1/memory/2240-32-0x000000013F7F0000-0x000000013FB41000-memory.dmp	UPX
behavioral1/memory/3048-21-0x000000013F0C0000-0x000000013F411000-memory.dmp	UPX
behavioral1/memory/2792-141-0x000000013F900000-0x000000013FC51000-memory.dmp	UPX
behavioral1/memory/2180-136-0x000000013F8F0000-0x000000013FC41000-memory.dmp	UPX
behavioral1/memory/2512-148-0x000000013FB00000-0x000000013FE51000-memory.dmp	UPX
behavioral1/memory/2588-147-0x000000013F340000-0x000000013F691000-memory.dmp	UPX
behavioral1/memory/2632-145-0x000000013F790000-0x000000013FAE1000-memory.dmp	UPX
behavioral1/memory/3068-144-0x000000013F540000-0x000000013F891000-memory.dmp	UPX
behavioral1/memory/2784-143-0x000000013F170000-0x000000013F4C1000-memory.dmp	UPX
behavioral1/memory/2964-151-0x000000013F250000-0x000000013F5A1000-memory.dmp	UPX
behavioral1/memory/2720-153-0x000000013F3D0000-0x000000013F721000-memory.dmp	UPX
behavioral1/memory/748-156-0x000000013F7E0000-0x000000013FB31000-memory.dmp	UPX
behavioral1/memory/1584-158-0x000000013F700000-0x000000013FA51000-memory.dmp	UPX
behavioral1/memory/1636-157-0x000000013F5C0000-0x000000013F911000-memory.dmp	UPX
behavioral1/memory/2732-155-0x000000013F440000-0x000000013F791000-memory.dmp	UPX
behavioral1/memory/1716-154-0x000000013F230000-0x000000013F581000-memory.dmp	UPX
behavioral1/memory/1516-152-0x000000013F300000-0x000000013F651000-memory.dmp	UPX
behavioral1/memory/2880-150-0x000000013F780000-0x000000013FAD1000-memory.dmp	UPX
behavioral1/memory/1616-149-0x000000013FA60000-0x000000013FDB1000-memory.dmp	UPX
behavioral1/memory/2180-160-0x000000013F8F0000-0x000000013FC41000-memory.dmp	UPX
behavioral1/memory/3060-207-0x000000013FBA0000-0x000000013FEF1000-memory.dmp	UPX
behavioral1/memory/2628-213-0x000000013F700000-0x000000013FA51000-memory.dmp	UPX
behavioral1/memory/2240-212-0x000000013F7F0000-0x000000013FB41000-memory.dmp	UPX
behavioral1/memory/3048-210-0x000000013F0C0000-0x000000013F411000-memory.dmp	UPX
behavioral1/memory/2676-215-0x000000013F0A0000-0x000000013F3F1000-memory.dmp	UPX
behavioral1/memory/3068-234-0x000000013F540000-0x000000013F891000-memory.dmp	UPX
behavioral1/memory/2512-237-0x000000013FB00000-0x000000013FE51000-memory.dmp	UPX

XMRig Miner payload 39 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/2676-41-0x000000013F0A0000-0x000000013F3F1000-memory.dmp	xmrig
behavioral1/memory/3048-82-0x000000013F0C0000-0x000000013F411000-memory.dmp	xmrig
behavioral1/memory/2180-77-0x0000000002220000-0x0000000002571000-memory.dmp	xmrig
behavioral1/memory/2180-76-0x000000013F8F0000-0x000000013FC41000-memory.dmp	xmrig
behavioral1/memory/3060-28-0x000000013FBA0000-0x000000013FEF1000-memory.dmp	xmrig
behavioral1/memory/2628-36-0x000000013F700000-0x000000013FA51000-memory.dmp	xmrig
behavioral1/memory/2240-32-0x000000013F7F0000-0x000000013FB41000-memory.dmp	xmrig
behavioral1/memory/2792-141-0x000000013F900000-0x000000013FC51000-memory.dmp	xmrig
behavioral1/memory/2180-136-0x000000013F8F0000-0x000000013FC41000-memory.dmp	xmrig
behavioral1/memory/2512-148-0x000000013FB00000-0x000000013FE51000-memory.dmp	xmrig
behavioral1/memory/2588-147-0x000000013F340000-0x000000013F691000-memory.dmp	xmrig
behavioral1/memory/2632-145-0x000000013F790000-0x000000013FAE1000-memory.dmp	xmrig
behavioral1/memory/3068-144-0x000000013F540000-0x000000013F891000-memory.dmp	xmrig
behavioral1/memory/2784-143-0x000000013F170000-0x000000013F4C1000-memory.dmp	xmrig
behavioral1/memory/2964-151-0x000000013F250000-0x000000013F5A1000-memory.dmp	xmrig
behavioral1/memory/2720-153-0x000000013F3D0000-0x000000013F721000-memory.dmp	xmrig
behavioral1/memory/748-156-0x000000013F7E0000-0x000000013FB31000-memory.dmp	xmrig
behavioral1/memory/1584-158-0x000000013F700000-0x000000013FA51000-memory.dmp	xmrig
behavioral1/memory/1636-157-0x000000013F5C0000-0x000000013F911000-memory.dmp	xmrig
behavioral1/memory/2732-155-0x000000013F440000-0x000000013F791000-memory.dmp	xmrig
behavioral1/memory/1716-154-0x000000013F230000-0x000000013F581000-memory.dmp	xmrig
behavioral1/memory/1516-152-0x000000013F300000-0x000000013F651000-memory.dmp	xmrig
behavioral1/memory/2880-150-0x000000013F780000-0x000000013FAD1000-memory.dmp	xmrig
behavioral1/memory/1616-149-0x000000013FA60000-0x000000013FDB1000-memory.dmp	xmrig
behavioral1/memory/2180-160-0x000000013F8F0000-0x000000013FC41000-memory.dmp	xmrig
behavioral1/memory/3060-207-0x000000013FBA0000-0x000000013FEF1000-memory.dmp	xmrig
behavioral1/memory/2628-213-0x000000013F700000-0x000000013FA51000-memory.dmp	xmrig
behavioral1/memory/2240-212-0x000000013F7F0000-0x000000013FB41000-memory.dmp	xmrig
behavioral1/memory/3048-210-0x000000013F0C0000-0x000000013F411000-memory.dmp	xmrig
behavioral1/memory/2676-215-0x000000013F0A0000-0x000000013F3F1000-memory.dmp	xmrig
behavioral1/memory/3068-234-0x000000013F540000-0x000000013F891000-memory.dmp	xmrig
behavioral1/memory/2512-237-0x000000013FB00000-0x000000013FE51000-memory.dmp	xmrig
behavioral1/memory/1616-238-0x000000013FA60000-0x000000013FDB1000-memory.dmp	xmrig
behavioral1/memory/2964-241-0x000000013F250000-0x000000013F5A1000-memory.dmp	xmrig
behavioral1/memory/2784-247-0x000000013F170000-0x000000013F4C1000-memory.dmp	xmrig
behavioral1/memory/2588-253-0x000000013F340000-0x000000013F691000-memory.dmp	xmrig
behavioral1/memory/2880-252-0x000000013F780000-0x000000013FAD1000-memory.dmp	xmrig
behavioral1/memory/2632-249-0x000000013F790000-0x000000013FAE1000-memory.dmp	xmrig
behavioral1/memory/2792-245-0x000000013F900000-0x000000013FC51000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

KfIacKA.exeYRdxLmq.execIFXqJl.exeEwvHYAR.exejTXTQWv.exeAEHpvyy.exeenCecjp.exebmYOZsn.exebaXdWiy.exezxdtLjf.execXaEFTm.exeiobtENf.exeEgFTscb.exeSGqCZgB.exeAPSxSJs.exeBtZCvZT.exeMHHzhJX.exeyzzLced.exeRxOQBrH.exeLjnvaPq.exeoWYMlSg.exe

pid	process
3048	KfIacKA.exe
3060	YRdxLmq.exe
2240	cIFXqJl.exe
2628	EwvHYAR.exe
2676	jTXTQWv.exe
2792	AEHpvyy.exe
2784	enCecjp.exe
3068	bmYOZsn.exe
2632	baXdWiy.exe
2512	zxdtLjf.exe
2588	cXaEFTm.exe
1616	iobtENf.exe
2880	EgFTscb.exe
2964	SGqCZgB.exe
1516	APSxSJs.exe
2720	BtZCvZT.exe
1716	MHHzhJX.exe
2732	yzzLced.exe
748	RxOQBrH.exe
1636	LjnvaPq.exe
1584	oWYMlSg.exe

Loads dropped DLL 21 IoCs

Processes:

2024-05-19_c991960b73befe24c233628bb03cb063_cobalt-strike_cobaltstrike.exe

pid	process
2180	2024-05-19_c991960b73befe24c233628bb03cb063_cobalt-strike_cobaltstrike.exe
2180	2024-05-19_c991960b73befe24c233628bb03cb063_cobalt-strike_cobaltstrike.exe
2180	2024-05-19_c991960b73befe24c233628bb03cb063_cobalt-strike_cobaltstrike.exe
2180	2024-05-19_c991960b73befe24c233628bb03cb063_cobalt-strike_cobaltstrike.exe
2180	2024-05-19_c991960b73befe24c233628bb03cb063_cobalt-strike_cobaltstrike.exe
2180	2024-05-19_c991960b73befe24c233628bb03cb063_cobalt-strike_cobaltstrike.exe
2180	2024-05-19_c991960b73befe24c233628bb03cb063_cobalt-strike_cobaltstrike.exe
2180	2024-05-19_c991960b73befe24c233628bb03cb063_cobalt-strike_cobaltstrike.exe
2180	2024-05-19_c991960b73befe24c233628bb03cb063_cobalt-strike_cobaltstrike.exe
2180	2024-05-19_c991960b73befe24c233628bb03cb063_cobalt-strike_cobaltstrike.exe
2180	2024-05-19_c991960b73befe24c233628bb03cb063_cobalt-strike_cobaltstrike.exe
2180	2024-05-19_c991960b73befe24c233628bb03cb063_cobalt-strike_cobaltstrike.exe
2180	2024-05-19_c991960b73befe24c233628bb03cb063_cobalt-strike_cobaltstrike.exe
2180	2024-05-19_c991960b73befe24c233628bb03cb063_cobalt-strike_cobaltstrike.exe
2180	2024-05-19_c991960b73befe24c233628bb03cb063_cobalt-strike_cobaltstrike.exe
2180	2024-05-19_c991960b73befe24c233628bb03cb063_cobalt-strike_cobaltstrike.exe
2180	2024-05-19_c991960b73befe24c233628bb03cb063_cobalt-strike_cobaltstrike.exe
2180	2024-05-19_c991960b73befe24c233628bb03cb063_cobalt-strike_cobaltstrike.exe
2180	2024-05-19_c991960b73befe24c233628bb03cb063_cobalt-strike_cobaltstrike.exe
2180	2024-05-19_c991960b73befe24c233628bb03cb063_cobalt-strike_cobaltstrike.exe
2180	2024-05-19_c991960b73befe24c233628bb03cb063_cobalt-strike_cobaltstrike.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2180-0-0x000000013F8F0000-0x000000013FC41000-memory.dmp	upx
\Windows\system\KfIacKA.exe	upx
behavioral1/memory/2180-6-0x000000013F0C0000-0x000000013F411000-memory.dmp	upx
\Windows\system\YRdxLmq.exe	upx
\Windows\system\cIFXqJl.exe	upx
C:\Windows\system\EwvHYAR.exe	upx
\Windows\system\jTXTQWv.exe	upx
behavioral1/memory/2676-41-0x000000013F0A0000-0x000000013F3F1000-memory.dmp	upx
behavioral1/memory/2792-43-0x000000013F900000-0x000000013FC51000-memory.dmp	upx
C:\Windows\system\baXdWiy.exe	upx
C:\Windows\system\zxdtLjf.exe	upx
behavioral1/memory/2512-65-0x000000013FB00000-0x000000013FE51000-memory.dmp	upx
C:\Windows\system\iobtENf.exe	upx
\Windows\system\SGqCZgB.exe	upx
\Windows\system\LjnvaPq.exe	upx
\Windows\system\oWYMlSg.exe	upx
C:\Windows\system\RxOQBrH.exe	upx
C:\Windows\system\yzzLced.exe	upx
C:\Windows\system\MHHzhJX.exe	upx
C:\Windows\system\BtZCvZT.exe	upx
C:\Windows\system\APSxSJs.exe	upx
behavioral1/memory/2964-90-0x000000013F250000-0x000000013F5A1000-memory.dmp	upx
behavioral1/memory/2880-84-0x000000013F780000-0x000000013FAD1000-memory.dmp	upx
behavioral1/memory/3048-82-0x000000013F0C0000-0x000000013F411000-memory.dmp	upx
C:\Windows\system\EgFTscb.exe	upx
behavioral1/memory/1616-78-0x000000013FA60000-0x000000013FDB1000-memory.dmp	upx
behavioral1/memory/2180-76-0x000000013F8F0000-0x000000013FC41000-memory.dmp	upx
behavioral1/memory/2588-70-0x000000013F340000-0x000000013F691000-memory.dmp	upx
C:\Windows\system\cXaEFTm.exe	upx
behavioral1/memory/2632-60-0x000000013F790000-0x000000013FAE1000-memory.dmp	upx
behavioral1/memory/3068-55-0x000000013F540000-0x000000013F891000-memory.dmp	upx
behavioral1/memory/2784-49-0x000000013F170000-0x000000013F4C1000-memory.dmp	upx
C:\Windows\system\bmYOZsn.exe	upx
C:\Windows\system\enCecjp.exe	upx
behavioral1/memory/3060-28-0x000000013FBA0000-0x000000013FEF1000-memory.dmp	upx
\Windows\system\AEHpvyy.exe	upx
behavioral1/memory/2628-36-0x000000013F700000-0x000000013FA51000-memory.dmp	upx
behavioral1/memory/2240-32-0x000000013F7F0000-0x000000013FB41000-memory.dmp	upx
behavioral1/memory/3048-21-0x000000013F0C0000-0x000000013F411000-memory.dmp	upx
behavioral1/memory/2792-141-0x000000013F900000-0x000000013FC51000-memory.dmp	upx
behavioral1/memory/2180-136-0x000000013F8F0000-0x000000013FC41000-memory.dmp	upx
behavioral1/memory/2512-148-0x000000013FB00000-0x000000013FE51000-memory.dmp	upx
behavioral1/memory/2588-147-0x000000013F340000-0x000000013F691000-memory.dmp	upx
behavioral1/memory/2632-145-0x000000013F790000-0x000000013FAE1000-memory.dmp	upx
behavioral1/memory/3068-144-0x000000013F540000-0x000000013F891000-memory.dmp	upx
behavioral1/memory/2784-143-0x000000013F170000-0x000000013F4C1000-memory.dmp	upx
behavioral1/memory/2964-151-0x000000013F250000-0x000000013F5A1000-memory.dmp	upx
behavioral1/memory/2720-153-0x000000013F3D0000-0x000000013F721000-memory.dmp	upx
behavioral1/memory/748-156-0x000000013F7E0000-0x000000013FB31000-memory.dmp	upx
behavioral1/memory/1584-158-0x000000013F700000-0x000000013FA51000-memory.dmp	upx
behavioral1/memory/1636-157-0x000000013F5C0000-0x000000013F911000-memory.dmp	upx
behavioral1/memory/2732-155-0x000000013F440000-0x000000013F791000-memory.dmp	upx
behavioral1/memory/1716-154-0x000000013F230000-0x000000013F581000-memory.dmp	upx
behavioral1/memory/1516-152-0x000000013F300000-0x000000013F651000-memory.dmp	upx
behavioral1/memory/2880-150-0x000000013F780000-0x000000013FAD1000-memory.dmp	upx
behavioral1/memory/1616-149-0x000000013FA60000-0x000000013FDB1000-memory.dmp	upx
behavioral1/memory/2180-160-0x000000013F8F0000-0x000000013FC41000-memory.dmp	upx
behavioral1/memory/3060-207-0x000000013FBA0000-0x000000013FEF1000-memory.dmp	upx
behavioral1/memory/2628-213-0x000000013F700000-0x000000013FA51000-memory.dmp	upx
behavioral1/memory/2240-212-0x000000013F7F0000-0x000000013FB41000-memory.dmp	upx
behavioral1/memory/3048-210-0x000000013F0C0000-0x000000013F411000-memory.dmp	upx
behavioral1/memory/2676-215-0x000000013F0A0000-0x000000013F3F1000-memory.dmp	upx
behavioral1/memory/3068-234-0x000000013F540000-0x000000013F891000-memory.dmp	upx
behavioral1/memory/2512-237-0x000000013FB00000-0x000000013FE51000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-05-19_c991960b73befe24c233628bb03cb063_cobalt-strike_cobaltstrike.exe

description	ioc	process
File created	C:\Windows\System\cIFXqJl.exe	2024-05-19_c991960b73befe24c233628bb03cb063_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\APSxSJs.exe	2024-05-19_c991960b73befe24c233628bb03cb063_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\BtZCvZT.exe	2024-05-19_c991960b73befe24c233628bb03cb063_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\LjnvaPq.exe	2024-05-19_c991960b73befe24c233628bb03cb063_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\oWYMlSg.exe	2024-05-19_c991960b73befe24c233628bb03cb063_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\bmYOZsn.exe	2024-05-19_c991960b73befe24c233628bb03cb063_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\zxdtLjf.exe	2024-05-19_c991960b73befe24c233628bb03cb063_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\iobtENf.exe	2024-05-19_c991960b73befe24c233628bb03cb063_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\AEHpvyy.exe	2024-05-19_c991960b73befe24c233628bb03cb063_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\jTXTQWv.exe	2024-05-19_c991960b73befe24c233628bb03cb063_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\baXdWiy.exe	2024-05-19_c991960b73befe24c233628bb03cb063_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\EgFTscb.exe	2024-05-19_c991960b73befe24c233628bb03cb063_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\SGqCZgB.exe	2024-05-19_c991960b73befe24c233628bb03cb063_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\KfIacKA.exe	2024-05-19_c991960b73befe24c233628bb03cb063_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\YRdxLmq.exe	2024-05-19_c991960b73befe24c233628bb03cb063_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\EwvHYAR.exe	2024-05-19_c991960b73befe24c233628bb03cb063_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\MHHzhJX.exe	2024-05-19_c991960b73befe24c233628bb03cb063_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\yzzLced.exe	2024-05-19_c991960b73befe24c233628bb03cb063_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\RxOQBrH.exe	2024-05-19_c991960b73befe24c233628bb03cb063_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\enCecjp.exe	2024-05-19_c991960b73befe24c233628bb03cb063_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\cXaEFTm.exe	2024-05-19_c991960b73befe24c233628bb03cb063_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-05-19_c991960b73befe24c233628bb03cb063_cobalt-strike_cobaltstrike.exe

description	pid	process
Token: SeLockMemoryPrivilege	2180	2024-05-19_c991960b73befe24c233628bb03cb063_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	2180	2024-05-19_c991960b73befe24c233628bb03cb063_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

2024-05-19_c991960b73befe24c233628bb03cb063_cobalt-strike_cobaltstrike.exe

description	pid	process	target process
PID 2180 wrote to memory of 3048	2180	2024-05-19_c991960b73befe24c233628bb03cb063_cobalt-strike_cobaltstrike.exe	KfIacKA.exe
PID 2180 wrote to memory of 3048	2180	2024-05-19_c991960b73befe24c233628bb03cb063_cobalt-strike_cobaltstrike.exe	KfIacKA.exe
PID 2180 wrote to memory of 3048	2180	2024-05-19_c991960b73befe24c233628bb03cb063_cobalt-strike_cobaltstrike.exe	KfIacKA.exe
PID 2180 wrote to memory of 3060	2180	2024-05-19_c991960b73befe24c233628bb03cb063_cobalt-strike_cobaltstrike.exe	YRdxLmq.exe
PID 2180 wrote to memory of 3060	2180	2024-05-19_c991960b73befe24c233628bb03cb063_cobalt-strike_cobaltstrike.exe	YRdxLmq.exe
PID 2180 wrote to memory of 3060	2180	2024-05-19_c991960b73befe24c233628bb03cb063_cobalt-strike_cobaltstrike.exe	YRdxLmq.exe
PID 2180 wrote to memory of 2240	2180	2024-05-19_c991960b73befe24c233628bb03cb063_cobalt-strike_cobaltstrike.exe	cIFXqJl.exe
PID 2180 wrote to memory of 2240	2180	2024-05-19_c991960b73befe24c233628bb03cb063_cobalt-strike_cobaltstrike.exe	cIFXqJl.exe
PID 2180 wrote to memory of 2240	2180	2024-05-19_c991960b73befe24c233628bb03cb063_cobalt-strike_cobaltstrike.exe	cIFXqJl.exe
PID 2180 wrote to memory of 2628	2180	2024-05-19_c991960b73befe24c233628bb03cb063_cobalt-strike_cobaltstrike.exe	EwvHYAR.exe
PID 2180 wrote to memory of 2628	2180	2024-05-19_c991960b73befe24c233628bb03cb063_cobalt-strike_cobaltstrike.exe	EwvHYAR.exe
PID 2180 wrote to memory of 2628	2180	2024-05-19_c991960b73befe24c233628bb03cb063_cobalt-strike_cobaltstrike.exe	EwvHYAR.exe
PID 2180 wrote to memory of 2792	2180	2024-05-19_c991960b73befe24c233628bb03cb063_cobalt-strike_cobaltstrike.exe	AEHpvyy.exe
PID 2180 wrote to memory of 2792	2180	2024-05-19_c991960b73befe24c233628bb03cb063_cobalt-strike_cobaltstrike.exe	AEHpvyy.exe
PID 2180 wrote to memory of 2792	2180	2024-05-19_c991960b73befe24c233628bb03cb063_cobalt-strike_cobaltstrike.exe	AEHpvyy.exe
PID 2180 wrote to memory of 2676	2180	2024-05-19_c991960b73befe24c233628bb03cb063_cobalt-strike_cobaltstrike.exe	jTXTQWv.exe
PID 2180 wrote to memory of 2676	2180	2024-05-19_c991960b73befe24c233628bb03cb063_cobalt-strike_cobaltstrike.exe	jTXTQWv.exe
PID 2180 wrote to memory of 2676	2180	2024-05-19_c991960b73befe24c233628bb03cb063_cobalt-strike_cobaltstrike.exe	jTXTQWv.exe
PID 2180 wrote to memory of 2784	2180	2024-05-19_c991960b73befe24c233628bb03cb063_cobalt-strike_cobaltstrike.exe	enCecjp.exe
PID 2180 wrote to memory of 2784	2180	2024-05-19_c991960b73befe24c233628bb03cb063_cobalt-strike_cobaltstrike.exe	enCecjp.exe
PID 2180 wrote to memory of 2784	2180	2024-05-19_c991960b73befe24c233628bb03cb063_cobalt-strike_cobaltstrike.exe	enCecjp.exe
PID 2180 wrote to memory of 3068	2180	2024-05-19_c991960b73befe24c233628bb03cb063_cobalt-strike_cobaltstrike.exe	bmYOZsn.exe
PID 2180 wrote to memory of 3068	2180	2024-05-19_c991960b73befe24c233628bb03cb063_cobalt-strike_cobaltstrike.exe	bmYOZsn.exe
PID 2180 wrote to memory of 3068	2180	2024-05-19_c991960b73befe24c233628bb03cb063_cobalt-strike_cobaltstrike.exe	bmYOZsn.exe
PID 2180 wrote to memory of 2632	2180	2024-05-19_c991960b73befe24c233628bb03cb063_cobalt-strike_cobaltstrike.exe	baXdWiy.exe
PID 2180 wrote to memory of 2632	2180	2024-05-19_c991960b73befe24c233628bb03cb063_cobalt-strike_cobaltstrike.exe	baXdWiy.exe
PID 2180 wrote to memory of 2632	2180	2024-05-19_c991960b73befe24c233628bb03cb063_cobalt-strike_cobaltstrike.exe	baXdWiy.exe
PID 2180 wrote to memory of 2512	2180	2024-05-19_c991960b73befe24c233628bb03cb063_cobalt-strike_cobaltstrike.exe	zxdtLjf.exe
PID 2180 wrote to memory of 2512	2180	2024-05-19_c991960b73befe24c233628bb03cb063_cobalt-strike_cobaltstrike.exe	zxdtLjf.exe
PID 2180 wrote to memory of 2512	2180	2024-05-19_c991960b73befe24c233628bb03cb063_cobalt-strike_cobaltstrike.exe	zxdtLjf.exe
PID 2180 wrote to memory of 2588	2180	2024-05-19_c991960b73befe24c233628bb03cb063_cobalt-strike_cobaltstrike.exe	cXaEFTm.exe
PID 2180 wrote to memory of 2588	2180	2024-05-19_c991960b73befe24c233628bb03cb063_cobalt-strike_cobaltstrike.exe	cXaEFTm.exe
PID 2180 wrote to memory of 2588	2180	2024-05-19_c991960b73befe24c233628bb03cb063_cobalt-strike_cobaltstrike.exe	cXaEFTm.exe
PID 2180 wrote to memory of 1616	2180	2024-05-19_c991960b73befe24c233628bb03cb063_cobalt-strike_cobaltstrike.exe	iobtENf.exe
PID 2180 wrote to memory of 1616	2180	2024-05-19_c991960b73befe24c233628bb03cb063_cobalt-strike_cobaltstrike.exe	iobtENf.exe
PID 2180 wrote to memory of 1616	2180	2024-05-19_c991960b73befe24c233628bb03cb063_cobalt-strike_cobaltstrike.exe	iobtENf.exe
PID 2180 wrote to memory of 2880	2180	2024-05-19_c991960b73befe24c233628bb03cb063_cobalt-strike_cobaltstrike.exe	EgFTscb.exe
PID 2180 wrote to memory of 2880	2180	2024-05-19_c991960b73befe24c233628bb03cb063_cobalt-strike_cobaltstrike.exe	EgFTscb.exe
PID 2180 wrote to memory of 2880	2180	2024-05-19_c991960b73befe24c233628bb03cb063_cobalt-strike_cobaltstrike.exe	EgFTscb.exe
PID 2180 wrote to memory of 2964	2180	2024-05-19_c991960b73befe24c233628bb03cb063_cobalt-strike_cobaltstrike.exe	SGqCZgB.exe
PID 2180 wrote to memory of 2964	2180	2024-05-19_c991960b73befe24c233628bb03cb063_cobalt-strike_cobaltstrike.exe	SGqCZgB.exe
PID 2180 wrote to memory of 2964	2180	2024-05-19_c991960b73befe24c233628bb03cb063_cobalt-strike_cobaltstrike.exe	SGqCZgB.exe
PID 2180 wrote to memory of 1516	2180	2024-05-19_c991960b73befe24c233628bb03cb063_cobalt-strike_cobaltstrike.exe	APSxSJs.exe
PID 2180 wrote to memory of 1516	2180	2024-05-19_c991960b73befe24c233628bb03cb063_cobalt-strike_cobaltstrike.exe	APSxSJs.exe
PID 2180 wrote to memory of 1516	2180	2024-05-19_c991960b73befe24c233628bb03cb063_cobalt-strike_cobaltstrike.exe	APSxSJs.exe
PID 2180 wrote to memory of 2720	2180	2024-05-19_c991960b73befe24c233628bb03cb063_cobalt-strike_cobaltstrike.exe	BtZCvZT.exe
PID 2180 wrote to memory of 2720	2180	2024-05-19_c991960b73befe24c233628bb03cb063_cobalt-strike_cobaltstrike.exe	BtZCvZT.exe
PID 2180 wrote to memory of 2720	2180	2024-05-19_c991960b73befe24c233628bb03cb063_cobalt-strike_cobaltstrike.exe	BtZCvZT.exe
PID 2180 wrote to memory of 1716	2180	2024-05-19_c991960b73befe24c233628bb03cb063_cobalt-strike_cobaltstrike.exe	MHHzhJX.exe
PID 2180 wrote to memory of 1716	2180	2024-05-19_c991960b73befe24c233628bb03cb063_cobalt-strike_cobaltstrike.exe	MHHzhJX.exe
PID 2180 wrote to memory of 1716	2180	2024-05-19_c991960b73befe24c233628bb03cb063_cobalt-strike_cobaltstrike.exe	MHHzhJX.exe
PID 2180 wrote to memory of 2732	2180	2024-05-19_c991960b73befe24c233628bb03cb063_cobalt-strike_cobaltstrike.exe	yzzLced.exe
PID 2180 wrote to memory of 2732	2180	2024-05-19_c991960b73befe24c233628bb03cb063_cobalt-strike_cobaltstrike.exe	yzzLced.exe
PID 2180 wrote to memory of 2732	2180	2024-05-19_c991960b73befe24c233628bb03cb063_cobalt-strike_cobaltstrike.exe	yzzLced.exe
PID 2180 wrote to memory of 748	2180	2024-05-19_c991960b73befe24c233628bb03cb063_cobalt-strike_cobaltstrike.exe	RxOQBrH.exe
PID 2180 wrote to memory of 748	2180	2024-05-19_c991960b73befe24c233628bb03cb063_cobalt-strike_cobaltstrike.exe	RxOQBrH.exe
PID 2180 wrote to memory of 748	2180	2024-05-19_c991960b73befe24c233628bb03cb063_cobalt-strike_cobaltstrike.exe	RxOQBrH.exe
PID 2180 wrote to memory of 1636	2180	2024-05-19_c991960b73befe24c233628bb03cb063_cobalt-strike_cobaltstrike.exe	LjnvaPq.exe
PID 2180 wrote to memory of 1636	2180	2024-05-19_c991960b73befe24c233628bb03cb063_cobalt-strike_cobaltstrike.exe	LjnvaPq.exe
PID 2180 wrote to memory of 1636	2180	2024-05-19_c991960b73befe24c233628bb03cb063_cobalt-strike_cobaltstrike.exe	LjnvaPq.exe
PID 2180 wrote to memory of 1584	2180	2024-05-19_c991960b73befe24c233628bb03cb063_cobalt-strike_cobaltstrike.exe	oWYMlSg.exe
PID 2180 wrote to memory of 1584	2180	2024-05-19_c991960b73befe24c233628bb03cb063_cobalt-strike_cobaltstrike.exe	oWYMlSg.exe
PID 2180 wrote to memory of 1584	2180	2024-05-19_c991960b73befe24c233628bb03cb063_cobalt-strike_cobaltstrike.exe	oWYMlSg.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-19_c991960b73befe24c233628bb03cb063_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-19_c991960b73befe24c233628bb03cb063_cobalt-strike_cobaltstrike.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2180

C:\Windows\System\KfIacKA.exe
C:\Windows\System\KfIacKA.exe
2⤵
- Executes dropped EXE
PID:3048

C:\Windows\System\YRdxLmq.exe
C:\Windows\System\YRdxLmq.exe
2⤵
- Executes dropped EXE
PID:3060

C:\Windows\System\cIFXqJl.exe
C:\Windows\System\cIFXqJl.exe
2⤵
- Executes dropped EXE
PID:2240

C:\Windows\System\EwvHYAR.exe
C:\Windows\System\EwvHYAR.exe
2⤵
- Executes dropped EXE
PID:2628

C:\Windows\System\AEHpvyy.exe
C:\Windows\System\AEHpvyy.exe
2⤵
- Executes dropped EXE
PID:2792

C:\Windows\System\jTXTQWv.exe
C:\Windows\System\jTXTQWv.exe
2⤵
- Executes dropped EXE
PID:2676

C:\Windows\System\enCecjp.exe
C:\Windows\System\enCecjp.exe
2⤵
- Executes dropped EXE
PID:2784

C:\Windows\System\bmYOZsn.exe
C:\Windows\System\bmYOZsn.exe
2⤵
- Executes dropped EXE
PID:3068

C:\Windows\System\baXdWiy.exe
C:\Windows\System\baXdWiy.exe
2⤵
- Executes dropped EXE
PID:2632

C:\Windows\System\zxdtLjf.exe
C:\Windows\System\zxdtLjf.exe
2⤵
- Executes dropped EXE
PID:2512

C:\Windows\System\cXaEFTm.exe
C:\Windows\System\cXaEFTm.exe
2⤵
- Executes dropped EXE
PID:2588

C:\Windows\System\iobtENf.exe
C:\Windows\System\iobtENf.exe
2⤵
- Executes dropped EXE
PID:1616

C:\Windows\System\EgFTscb.exe
C:\Windows\System\EgFTscb.exe
2⤵
- Executes dropped EXE
PID:2880

C:\Windows\System\SGqCZgB.exe
C:\Windows\System\SGqCZgB.exe
2⤵
- Executes dropped EXE
PID:2964

C:\Windows\System\APSxSJs.exe
C:\Windows\System\APSxSJs.exe
2⤵
- Executes dropped EXE
PID:1516

C:\Windows\System\BtZCvZT.exe
C:\Windows\System\BtZCvZT.exe
2⤵
- Executes dropped EXE
PID:2720

C:\Windows\System\MHHzhJX.exe
C:\Windows\System\MHHzhJX.exe
2⤵
- Executes dropped EXE
PID:1716

C:\Windows\System\yzzLced.exe
C:\Windows\System\yzzLced.exe
2⤵
- Executes dropped EXE
PID:2732

C:\Windows\System\RxOQBrH.exe
C:\Windows\System\RxOQBrH.exe
2⤵
- Executes dropped EXE
PID:748

C:\Windows\System\LjnvaPq.exe
C:\Windows\System\LjnvaPq.exe
2⤵
- Executes dropped EXE
PID:1636

C:\Windows\System\oWYMlSg.exe
C:\Windows\System\oWYMlSg.exe
2⤵
- Executes dropped EXE
PID:1584

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\APSxSJs.exe

Filesize
5.2MB

MD5
0a73bc7d6d30fd3858bf85a7dcee09a2

SHA1
ae263fb0ef1f9fd45795d3c40d2624ceb9961b5d

SHA256
2575e10aae26cedb046f6124c20aacf486231a7b399c01bc38739466d5ebf62b

SHA512
46a8eb6c5b017852410a2c08ea06f967eb2af4b2e19c04e360c92c42f185205a17a82f64c911c8a9336290c5234e7364b02c38e14c90f99bbaa2eb72e84f5a56

Download Submit
C:\Windows\system\BtZCvZT.exe

Filesize
5.2MB

MD5
40d14756a9a5ff79fe8c9aa9a7bac863

SHA1
a72e4ef946a30727f6099e2c95f826fa1f6b1bcb

SHA256
d9aab8f4b153952c46267c265d2d2483bb21e26ab789a05bb3bf246d7267c5d6

SHA512
5d3e7f47ea59d25a03f91352155d16f9fb418e9b2c12e7a592ff4371497f256e9ae38a168e9c4f733f65a8af4f50841e97ead10d848449b02703e71e72555653

Download Submit
C:\Windows\system\EgFTscb.exe

Filesize
5.2MB

MD5
0a1cae55d8eec7af35126e6240889e6f

SHA1
cc6a5c49e85f0049e045cefaddb758519612905e

SHA256
2b46f96cb88c398dcdbe04630dbd60669105adf622abaa275dd56d77fcdeb5d6

SHA512
4d3759a0a98b69d4f3cfabfe43d3076443299c4e753cb01475f963ea1d2509178ca443f72f662b44bd96303b2970efc9e70640d0d0d99b2a31e3bf113d447ffa

Download Submit
C:\Windows\system\EwvHYAR.exe

Filesize
5.2MB

MD5
5a98cd1fd5d8d14621d22a79ea3ea3d1

SHA1
fff76bdad1b9510d74c048fe981679be58ba92c1

SHA256
0fc4dbffb1bc96294292ece8e43e7775d1c1246a96408cfc37a901dce47246c6

SHA512
1b91a19ed6c0b5cbcebc8d52c7a3cb6496ca14b95e076e92edd7f58cdc9cbdde844fa5e806f9502ef4ec2b6ad0877a1f31503f89cae5b299ca17b35267bb6633

Download Submit
C:\Windows\system\MHHzhJX.exe

Filesize
5.2MB

MD5
0279bf25e8b2ec74b3b675168b458231

SHA1
a377e52fd3ae29549ec71dd92e193496ce74be03

SHA256
344a7d9cf060ab09513bfc5588bf09bf48fb5d5bd8e5977e8800009043fc73fb

SHA512
4333ab81d622ef0b29435dae908f39716caee1f30c4362d1cb98c17ddb73696b5d2152fd909446eb36b244c523c9793d5c76f03690968597a92da9c8e2e17107

Download Submit
C:\Windows\system\RxOQBrH.exe

Filesize
5.2MB

MD5
b39a1eaebf1a5819fbb0c9698d94da2b

SHA1
7450022b16c79358787929146a13de3e9a9ef2bd

SHA256
207537963f5ac7e7d4d8e3f6f023794f088dc54b424465d2c5d105b3ab678d28

SHA512
345b97b9527f79d9be53fc02018161935b99974d916c78c809fd7e095eef0421beffcdc6c77914dad20ce8087c4edd8c165893601bb1666bda836e8f7f8d5dfb

Download Submit
C:\Windows\system\baXdWiy.exe

Filesize
5.2MB

MD5
c692e20033d8a68c6cdedb219ec8c4b1

SHA1
68e5689368146690fabcc116f1252df2f6f76e7b

SHA256
20af853ca2887e2b3331ac026cad93bdf3da8dd30592b40bb301ea3716007cff

SHA512
66f99a4ed9b4c724bf076b7aee76bf593d3941ee2984a54e88538231a265470ddb85fcb90ec5857fe022ccbc4adb529e08d5d4076d40159bd859a043e0e1a82a

Download Submit
C:\Windows\system\bmYOZsn.exe

Filesize
5.2MB

MD5
d6af12fe1fe941aa497c2f59ca027d21

SHA1
c038c51b07343567fcdbec80379181cb2048ce70

SHA256
ce122501a0e3761d3a352a8ef2e8c16767cd8575a6de4ef09ab34dc22ce21909

SHA512
161c22b1f842fb5a79432f9ea8e46884aca5506fe7d42e1068443624426856f5980a628bb6b6e95d95d26a4406974dee2bd179239033a6c608a41988ea6073f9

Download Submit
C:\Windows\system\cXaEFTm.exe

Filesize
5.2MB

MD5
1e7d4fe15b15c87d6a4592ca9e07e93d

SHA1
b69bc88f49c07e5867a382cddd1fc704bc204d79

SHA256
2c61ab629eee3fbb4e5b29e96ce4d47c1906c2dc5d90f8b98e6d79669032a47d

SHA512
5e2b6934836be2316c2135e9a37a50f1f1d6d9ae3f9342ab758ecb6e9140e809abebbd50c91d3d05976bd1a00d9f50c10f8ba3e9b6d8eb3cb5e746a3a85fa084

Download Submit
C:\Windows\system\enCecjp.exe

Filesize
5.2MB

MD5
452e7bdd2a7e3613e7c962d0112b2063

SHA1
d46249b37ed367f39d9bb5d5f6ab4c7972cf3b25

SHA256
8f4aad3f879927362dbfbb68709402470e29fc310aa17b19933460e2b0954e80

SHA512
275316f3d5332fdea7834eb449c9dc50467a59f0db85c14d2ba8b2602ebf6e8d818769d06736e89ab1f0b2d14ab31269ce063cb533ff86fed7a4edc9c09bbdec

Download Submit
C:\Windows\system\iobtENf.exe

Filesize
5.2MB

MD5
cfa403ede1768eb428b7f51a77ebc3d6

SHA1
375202cc7f3dc13b864e59db6a18206fdd425f77

SHA256
ccc91520a529aca238f8b284870969777ffb4e0cebd4894121ba2c98181171b8

SHA512
88cb15f34570e70f48a0c007a33c3845703b0f07e0ae448962d3795215b2ef67edc45d4b97f94d465622d55feffb71d899d565504c6179ab7843d152965250b3

Download Submit
C:\Windows\system\yzzLced.exe

Filesize
5.2MB

MD5
fb8a3a25dc7590e4ea8bdd7987dcc540

SHA1
892dfb64a35d6d104f7102489a0efa8246f9ea3d

SHA256
7ee56d4ff15c37873807f8216734dd036d071e54e6161bd77bf81fcb04414d9c

SHA512
e997dc4da2210cd2c3a53ff956d9f222589f448ddeed75fe742e1a832f88c7a2e904260edf89ed91621b7533567dbd5934466c24419b1e58c343db3f5c384e73

Download Submit
C:\Windows\system\zxdtLjf.exe

Filesize
5.2MB

MD5
e3ed4acd6237243bea0a644591f7c598

SHA1
b909c084d309dfdfee7c8d9bb7d0d5e429fd859a

SHA256
b76a252383f7e709ed4aedf9d2fc55da059bc4ec79236d7c06506868542046c4

SHA512
018e3dfcf6b13f3a0259468f2b71e3a67d7b545d316fed33e526defd4275c1721d1d72fd5024516ebc24dc0ca7e4b94dd07a7dac1f420c0b8bb03ea10fef498f

Download Submit
\Windows\system\AEHpvyy.exe

Filesize
5.2MB

MD5
650ca8d210b6ad1a05deabf0d4cb30ab

SHA1
2471b9e88204fe48f000580e5ef7f96f75f6c51a

SHA256
7e24bd25fab53bbd9229153dfa749386a2dc13c90679203317e0c67fe2a60f4c

SHA512
42b6b16165f0707bfb0b29a8ddb5ea5c01c10b3a5998614c7de6b8b3f03784b59e14b4517274daee0c0c141fb3e837ca21702c1a548ec5a0306f5de160553667

Download Submit
\Windows\system\KfIacKA.exe

Filesize
5.2MB

MD5
4b770003d99c89eea71748e544eb5246

SHA1
349c807622ad3b934c2faab0c164c79eb6ea75b3

SHA256
c8cf66c5e75f8ab5a31972860375d5eaf39a8df60f67494ce4721e4f7153a560

SHA512
f34456d1f13862c5170f779e3f5ae6b9af35eb4630688b108c9a27bf22a8f525c208c26f76cc6bff35b5140e3ed76d6ceff42a0457aeb930b69e606cbc5f84ac

Download Submit
\Windows\system\LjnvaPq.exe

Filesize
5.2MB

MD5
d508634ea119ef1a8b1ecc8f6a33d2ec

SHA1
72fd29c80c1df07df2d4f414ddd05b73a7847bbe

SHA256
a76f08e84b2807dcfa159de66105dc4d4a9f7309ba64fd3845fc16a9d4966261

SHA512
6101611d1ed3f3d069ae4e96e4e4c880a268c76efdec0e4583e53c2b21fe8a2ceb3af6be15d2a5e0336acbcdcf0f2c5913eccd13da2b5c7a747dd03590169239

Download Submit
\Windows\system\SGqCZgB.exe

Filesize
5.2MB

MD5
4d9f746360458d6af8e62a35ba221143

SHA1
41673dd033930833150bb894780001597094ec86

SHA256
879749b38f677e90928da2551b942f42746f84003c147b41eb96477b41e47253

SHA512
70f2f5740ed37e4a28f33b8c783accda219ebea7b15339065924e2f8c24467ef50b1bcb3a5271ec3337dbf049d04d983ae236ee0e69452d33c2c764bbf601910

Download Submit
\Windows\system\YRdxLmq.exe

Filesize
5.2MB

MD5
a6cbf7a404c59b84bc1bba645514876c

SHA1
d39424d135f5ea4fa1973385a96fd2287083add7

SHA256
a1fd3a2d92f7525dfba6bfcf1656430903b4935d9c41ca0750f2c631b19a46c1

SHA512
08df68baa1a61cfd131447a1c1b9a4437525fddfc38deec50aa06e55fcd4d83452305d61380b5cacfea3623a6c8736295fdedec0c9a97083942fca4344b34829

Download Submit
\Windows\system\cIFXqJl.exe

Filesize
5.2MB

MD5
199632a230a1ac063453a8a1fdcb35af

SHA1
6cd7c13b2cd190d03f43dc71e16caf8afdc75f36

SHA256
7e954d7baa3b2ab0b356cd94eb576af2a8da9833d871fea455fdb9c9f9a4085b

SHA512
c54849667c1f7e69633752dc5378ed4fb18fee6d01dcc323fb03b09f035d757a97e7dfe73467b85bf40cf716976f9a0edd34c35700d18a1747d0797343cbf326

Download Submit
\Windows\system\jTXTQWv.exe

Filesize
5.2MB

MD5
50fd60c58fbf93174c5486aa642e9077

SHA1
c2b0e4d23a552a120cdff5f74caa95ae3394c917

SHA256
f8a3aa6719a1a10446db975bf3fff62095966577ee844c61e748820f6fda953a

SHA512
ebb6e6997a9c772ec3183a57fac885b92577ab2e6d68633650a04535353fb909336fefa94cc198a31db8748d918c039e68dfc29ed265b9a8292585525e81c8ac

Download Submit
\Windows\system\oWYMlSg.exe

Filesize
5.2MB

MD5
57d326e33a7aa26743dffb185e75074e

SHA1
1f29e9cae739249e5a14200962f4adb13bbf71b0

SHA256
157247d77126776e64997ece9eaf38a5bdabc823872879082b0be50a4dce1b86

SHA512
04845d5be112b6c5097dde35f775d51c731fca6b328413b05fe2abdd5d51530b42d7b82c373b05fb5e8788e8ff2e5519e0a71e6daf2e177085cbbaba297999e9

Download Submit
memory/748-156-0x000000013F7E0000-0x000000013FB31000-memory.dmp

Filesize
3.3MB

Download
memory/1516-152-0x000000013F300000-0x000000013F651000-memory.dmp

Filesize
3.3MB

Download
memory/1584-158-0x000000013F700000-0x000000013FA51000-memory.dmp

Filesize
3.3MB

Download
memory/1616-149-0x000000013FA60000-0x000000013FDB1000-memory.dmp

Filesize
3.3MB

Download
memory/1616-78-0x000000013FA60000-0x000000013FDB1000-memory.dmp

Filesize
3.3MB

Download
memory/1616-238-0x000000013FA60000-0x000000013FDB1000-memory.dmp

Filesize
3.3MB

Download
memory/1636-157-0x000000013F5C0000-0x000000013F911000-memory.dmp

Filesize
3.3MB

Download
memory/1716-154-0x000000013F230000-0x000000013F581000-memory.dmp

Filesize
3.3MB

Download
memory/2180-160-0x000000013F8F0000-0x000000013FC41000-memory.dmp

Filesize
3.3MB

Download
memory/2180-183-0x000000013F300000-0x000000013F651000-memory.dmp

Filesize
3.3MB

Download
memory/2180-1-0x00000000000F0000-0x0000000000100000-memory.dmp

Filesize
64KB

Download
memory/2180-83-0x0000000002220000-0x0000000002571000-memory.dmp

Filesize
3.3MB

Download
memory/2180-167-0x000000013F250000-0x000000013F5A1000-memory.dmp

Filesize
3.3MB

Download
memory/2180-77-0x0000000002220000-0x0000000002571000-memory.dmp

Filesize
3.3MB

Download
memory/2180-76-0x000000013F8F0000-0x000000013FC41000-memory.dmp

Filesize
3.3MB

Download
memory/2180-87-0x000000013F250000-0x000000013F5A1000-memory.dmp

Filesize
3.3MB

Download
memory/2180-69-0x000000013F340000-0x000000013F691000-memory.dmp

Filesize
3.3MB

Download
memory/2180-159-0x0000000002220000-0x0000000002571000-memory.dmp

Filesize
3.3MB

Download
memory/2180-6-0x000000013F0C0000-0x000000013F411000-memory.dmp

Filesize
3.3MB

Download
memory/2180-35-0x0000000002220000-0x0000000002571000-memory.dmp

Filesize
3.3MB

Download
memory/2180-0-0x000000013F8F0000-0x000000013FC41000-memory.dmp

Filesize
3.3MB

Download
memory/2180-48-0x000000013F170000-0x000000013F4C1000-memory.dmp

Filesize
3.3MB

Download
memory/2180-54-0x000000013F540000-0x000000013F891000-memory.dmp

Filesize
3.3MB

Download
memory/2180-37-0x0000000002220000-0x0000000002571000-memory.dmp

Filesize
3.3MB

Download
memory/2180-38-0x0000000002220000-0x0000000002571000-memory.dmp

Filesize
3.3MB

Download
memory/2180-136-0x000000013F8F0000-0x000000013FC41000-memory.dmp

Filesize
3.3MB

Download
memory/2180-40-0x000000013F0A0000-0x000000013F3F1000-memory.dmp

Filesize
3.3MB

Download
memory/2180-96-0x000000013F300000-0x000000013F651000-memory.dmp

Filesize
3.3MB

Download
memory/2180-25-0x0000000002220000-0x0000000002571000-memory.dmp

Filesize
3.3MB

Download
memory/2240-212-0x000000013F7F0000-0x000000013FB41000-memory.dmp

Filesize
3.3MB

Download
memory/2240-32-0x000000013F7F0000-0x000000013FB41000-memory.dmp

Filesize
3.3MB

Download
memory/2512-237-0x000000013FB00000-0x000000013FE51000-memory.dmp

Filesize
3.3MB

Download
memory/2512-148-0x000000013FB00000-0x000000013FE51000-memory.dmp

Filesize
3.3MB

Download
memory/2512-65-0x000000013FB00000-0x000000013FE51000-memory.dmp

Filesize
3.3MB

Download
memory/2588-147-0x000000013F340000-0x000000013F691000-memory.dmp

Filesize
3.3MB

Download
memory/2588-253-0x000000013F340000-0x000000013F691000-memory.dmp

Filesize
3.3MB

Download
memory/2588-70-0x000000013F340000-0x000000013F691000-memory.dmp

Filesize
3.3MB

Download
memory/2628-36-0x000000013F700000-0x000000013FA51000-memory.dmp

Filesize
3.3MB

Download
memory/2628-213-0x000000013F700000-0x000000013FA51000-memory.dmp

Filesize
3.3MB

Download
memory/2632-249-0x000000013F790000-0x000000013FAE1000-memory.dmp

Filesize
3.3MB

Download
memory/2632-145-0x000000013F790000-0x000000013FAE1000-memory.dmp

Filesize
3.3MB

Download
memory/2632-60-0x000000013F790000-0x000000013FAE1000-memory.dmp

Filesize
3.3MB

Download
memory/2676-41-0x000000013F0A0000-0x000000013F3F1000-memory.dmp

Filesize
3.3MB

Download
memory/2676-215-0x000000013F0A0000-0x000000013F3F1000-memory.dmp

Filesize
3.3MB

Download
memory/2720-153-0x000000013F3D0000-0x000000013F721000-memory.dmp

Filesize
3.3MB

Download
memory/2732-155-0x000000013F440000-0x000000013F791000-memory.dmp

Filesize
3.3MB

Download
memory/2784-143-0x000000013F170000-0x000000013F4C1000-memory.dmp

Filesize
3.3MB

Download
memory/2784-247-0x000000013F170000-0x000000013F4C1000-memory.dmp

Filesize
3.3MB

Download
memory/2784-49-0x000000013F170000-0x000000013F4C1000-memory.dmp

Filesize
3.3MB

Download
memory/2792-43-0x000000013F900000-0x000000013FC51000-memory.dmp

Filesize
3.3MB

Download
memory/2792-141-0x000000013F900000-0x000000013FC51000-memory.dmp

Filesize
3.3MB

Download
memory/2792-245-0x000000013F900000-0x000000013FC51000-memory.dmp

Filesize
3.3MB

Download
memory/2880-150-0x000000013F780000-0x000000013FAD1000-memory.dmp

Filesize
3.3MB

Download
memory/2880-252-0x000000013F780000-0x000000013FAD1000-memory.dmp

Filesize
3.3MB

Download
memory/2880-84-0x000000013F780000-0x000000013FAD1000-memory.dmp

Filesize
3.3MB

Download
memory/2964-90-0x000000013F250000-0x000000013F5A1000-memory.dmp

Filesize
3.3MB

Download
memory/2964-151-0x000000013F250000-0x000000013F5A1000-memory.dmp

Filesize
3.3MB

Download
memory/2964-241-0x000000013F250000-0x000000013F5A1000-memory.dmp

Filesize
3.3MB

Download
memory/3048-210-0x000000013F0C0000-0x000000013F411000-memory.dmp

Filesize
3.3MB

Download
memory/3048-82-0x000000013F0C0000-0x000000013F411000-memory.dmp

Filesize
3.3MB

Download
memory/3048-21-0x000000013F0C0000-0x000000013F411000-memory.dmp

Filesize
3.3MB

Download
memory/3060-28-0x000000013FBA0000-0x000000013FEF1000-memory.dmp

Filesize
3.3MB

Download
memory/3060-207-0x000000013FBA0000-0x000000013FEF1000-memory.dmp

Filesize
3.3MB

Download
memory/3068-55-0x000000013F540000-0x000000013F891000-memory.dmp

Filesize
3.3MB

Download
memory/3068-144-0x000000013F540000-0x000000013F891000-memory.dmp

Filesize
3.3MB

Download
memory/3068-234-0x000000013F540000-0x000000013F891000-memory.dmp

Filesize
3.3MB

Download