cobaltstrike | 93bd0cfdd978bb8fc25f8a38159c5d98099a535b6bb8e61b3090b49d4788da74

Analysis

max time kernel
140s
max time network
155s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
21-05-2024 01:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-21_185340b4bad04bfd6d6a45332d68a84c_cobalt-strike_cobaltstrike.exe
Size

6.0MB
MD5

185340b4bad04bfd6d6a45332d68a84c
SHA1

153867594b7e802ef92b0eb67a02c4b67d42f459
SHA256

93bd0cfdd978bb8fc25f8a38159c5d98099a535b6bb8e61b3090b49d4788da74
SHA512

94317f5b79f183369fb2442c632e83b61b99cc3d44e8395c93d45df5f599a09c420c4da2cb26e46987e5083fe06c23b2f3ab5737a86672ef9c77daa1a28e1029
SSDEEP

98304:demTLkNdfE0pZ3656utgpPFotBER/mQ32lUQ:E+v56utgpPF8u/7Q

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\system\ZhpUPwH.exe	cobalt_reflective_dll
\Windows\system\uTJdyUw.exe	cobalt_reflective_dll
C:\Windows\system\aRzZytM.exe	cobalt_reflective_dll
C:\Windows\system\OVgJUPM.exe	cobalt_reflective_dll
C:\Windows\system\gVeLcxi.exe	cobalt_reflective_dll
\Windows\system\UYmjbwL.exe	cobalt_reflective_dll
\Windows\system\IeUkKeG.exe	cobalt_reflective_dll
C:\Windows\system\atlzPeb.exe	cobalt_reflective_dll
\Windows\system\sOGFHJG.exe	cobalt_reflective_dll
C:\Windows\system\kFXgoHl.exe	cobalt_reflective_dll
\Windows\system\idmptzP.exe	cobalt_reflective_dll
C:\Windows\system\eRSsTgV.exe	cobalt_reflective_dll
\Windows\system\zXHwzsl.exe	cobalt_reflective_dll
\Windows\system\UDyEMZG.exe	cobalt_reflective_dll
\Windows\system\makrXnK.exe	cobalt_reflective_dll
C:\Windows\system\lhepcgC.exe	cobalt_reflective_dll
C:\Windows\system\OZcQwIC.exe	cobalt_reflective_dll
C:\Windows\system\EIgcSJJ.exe	cobalt_reflective_dll
C:\Windows\system\iVxUVrK.exe	cobalt_reflective_dll
C:\Windows\system\rypgJFe.exe	cobalt_reflective_dll
C:\Windows\system\Juqchjf.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
C:\Windows\system\ZhpUPwH.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\uTJdyUw.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\aRzZytM.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\OVgJUPM.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\gVeLcxi.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\UYmjbwL.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\IeUkKeG.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\atlzPeb.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\sOGFHJG.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\kFXgoHl.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\idmptzP.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\eRSsTgV.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\zXHwzsl.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\UDyEMZG.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\makrXnK.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\lhepcgC.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\OZcQwIC.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\EIgcSJJ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\iVxUVrK.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\rypgJFe.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\Juqchjf.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 48 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2888-0-0x000000013FD40000-0x0000000140094000-memory.dmp	UPX
C:\Windows\system\ZhpUPwH.exe	UPX
\Windows\system\uTJdyUw.exe	UPX
behavioral1/memory/2880-19-0x000000013FDE0000-0x0000000140134000-memory.dmp	UPX
C:\Windows\system\aRzZytM.exe	UPX
C:\Windows\system\OVgJUPM.exe	UPX
behavioral1/memory/940-103-0x000000013F220000-0x000000013F574000-memory.dmp	UPX
C:\Windows\system\gVeLcxi.exe	UPX
\Windows\system\UYmjbwL.exe	UPX
\Windows\system\IeUkKeG.exe	UPX
C:\Windows\system\atlzPeb.exe	UPX
\Windows\system\sOGFHJG.exe	UPX
C:\Windows\system\kFXgoHl.exe	UPX
\Windows\system\idmptzP.exe	UPX
C:\Windows\system\eRSsTgV.exe	UPX
\Windows\system\zXHwzsl.exe	UPX
behavioral1/memory/2652-48-0x000000013F620000-0x000000013F974000-memory.dmp	UPX
\Windows\system\UDyEMZG.exe	UPX
\Windows\system\makrXnK.exe	UPX
C:\Windows\system\lhepcgC.exe	UPX
C:\Windows\system\OZcQwIC.exe	UPX
behavioral1/memory/280-97-0x000000013F1C0000-0x000000013F514000-memory.dmp	UPX
behavioral1/memory/2836-89-0x000000013FE50000-0x00000001401A4000-memory.dmp	UPX
behavioral1/memory/2888-134-0x000000013FD40000-0x0000000140094000-memory.dmp	UPX
behavioral1/memory/2392-82-0x000000013FC90000-0x000000013FFE4000-memory.dmp	UPX
C:\Windows\system\EIgcSJJ.exe	UPX
behavioral1/memory/1776-70-0x000000013FC60000-0x000000013FFB4000-memory.dmp	UPX
behavioral1/memory/2624-44-0x000000013F400000-0x000000013F754000-memory.dmp	UPX
C:\Windows\system\iVxUVrK.exe	UPX
C:\Windows\system\rypgJFe.exe	UPX
behavioral1/memory/2580-29-0x000000013FC50000-0x000000013FFA4000-memory.dmp	UPX
behavioral1/memory/2484-26-0x000000013FDE0000-0x0000000140134000-memory.dmp	UPX
C:\Windows\system\Juqchjf.exe	UPX
behavioral1/memory/2844-17-0x000000013FDA0000-0x00000001400F4000-memory.dmp	UPX
behavioral1/memory/2580-136-0x000000013FC50000-0x000000013FFA4000-memory.dmp	UPX
behavioral1/memory/2652-137-0x000000013F620000-0x000000013F974000-memory.dmp	UPX
behavioral1/memory/2392-139-0x000000013FC90000-0x000000013FFE4000-memory.dmp	UPX
behavioral1/memory/2844-140-0x000000013FDA0000-0x00000001400F4000-memory.dmp	UPX
behavioral1/memory/2484-142-0x000000013FDE0000-0x0000000140134000-memory.dmp	UPX
behavioral1/memory/2880-141-0x000000013FDE0000-0x0000000140134000-memory.dmp	UPX
behavioral1/memory/2624-143-0x000000013F400000-0x000000013F754000-memory.dmp	UPX
behavioral1/memory/2580-144-0x000000013FC50000-0x000000013FFA4000-memory.dmp	UPX
behavioral1/memory/1776-145-0x000000013FC60000-0x000000013FFB4000-memory.dmp	UPX
behavioral1/memory/2652-146-0x000000013F620000-0x000000013F974000-memory.dmp	UPX
behavioral1/memory/2836-147-0x000000013FE50000-0x00000001401A4000-memory.dmp	UPX
behavioral1/memory/280-148-0x000000013F1C0000-0x000000013F514000-memory.dmp	UPX
behavioral1/memory/940-149-0x000000013F220000-0x000000013F574000-memory.dmp	UPX
behavioral1/memory/2392-150-0x000000013FC90000-0x000000013FFE4000-memory.dmp	UPX

XMRig Miner payload 51 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/2888-0-0x000000013FD40000-0x0000000140094000-memory.dmp	xmrig
C:\Windows\system\ZhpUPwH.exe	xmrig
\Windows\system\uTJdyUw.exe	xmrig
behavioral1/memory/2880-19-0x000000013FDE0000-0x0000000140134000-memory.dmp	xmrig
C:\Windows\system\aRzZytM.exe	xmrig
C:\Windows\system\OVgJUPM.exe	xmrig
behavioral1/memory/940-103-0x000000013F220000-0x000000013F574000-memory.dmp	xmrig
C:\Windows\system\gVeLcxi.exe	xmrig
\Windows\system\UYmjbwL.exe	xmrig
\Windows\system\IeUkKeG.exe	xmrig
behavioral1/memory/2888-76-0x0000000002380000-0x00000000026D4000-memory.dmp	xmrig
C:\Windows\system\atlzPeb.exe	xmrig
\Windows\system\sOGFHJG.exe	xmrig
C:\Windows\system\kFXgoHl.exe	xmrig
\Windows\system\idmptzP.exe	xmrig
C:\Windows\system\eRSsTgV.exe	xmrig
\Windows\system\zXHwzsl.exe	xmrig
behavioral1/memory/2652-48-0x000000013F620000-0x000000013F974000-memory.dmp	xmrig
\Windows\system\UDyEMZG.exe	xmrig
\Windows\system\makrXnK.exe	xmrig
C:\Windows\system\lhepcgC.exe	xmrig
C:\Windows\system\OZcQwIC.exe	xmrig
behavioral1/memory/280-97-0x000000013F1C0000-0x000000013F514000-memory.dmp	xmrig
behavioral1/memory/2836-89-0x000000013FE50000-0x00000001401A4000-memory.dmp	xmrig
behavioral1/memory/2888-134-0x000000013FD40000-0x0000000140094000-memory.dmp	xmrig
behavioral1/memory/2392-82-0x000000013FC90000-0x000000013FFE4000-memory.dmp	xmrig
C:\Windows\system\EIgcSJJ.exe	xmrig
behavioral1/memory/1776-70-0x000000013FC60000-0x000000013FFB4000-memory.dmp	xmrig
behavioral1/memory/2888-61-0x000000013F6B0000-0x000000013FA04000-memory.dmp	xmrig
behavioral1/memory/2624-44-0x000000013F400000-0x000000013F754000-memory.dmp	xmrig
C:\Windows\system\iVxUVrK.exe	xmrig
C:\Windows\system\rypgJFe.exe	xmrig
behavioral1/memory/2580-29-0x000000013FC50000-0x000000013FFA4000-memory.dmp	xmrig
behavioral1/memory/2888-27-0x0000000002380000-0x00000000026D4000-memory.dmp	xmrig
behavioral1/memory/2484-26-0x000000013FDE0000-0x0000000140134000-memory.dmp	xmrig
C:\Windows\system\Juqchjf.exe	xmrig
behavioral1/memory/2844-17-0x000000013FDA0000-0x00000001400F4000-memory.dmp	xmrig
behavioral1/memory/2580-136-0x000000013FC50000-0x000000013FFA4000-memory.dmp	xmrig
behavioral1/memory/2652-137-0x000000013F620000-0x000000013F974000-memory.dmp	xmrig
behavioral1/memory/2392-139-0x000000013FC90000-0x000000013FFE4000-memory.dmp	xmrig
behavioral1/memory/2844-140-0x000000013FDA0000-0x00000001400F4000-memory.dmp	xmrig
behavioral1/memory/2484-142-0x000000013FDE0000-0x0000000140134000-memory.dmp	xmrig
behavioral1/memory/2880-141-0x000000013FDE0000-0x0000000140134000-memory.dmp	xmrig
behavioral1/memory/2624-143-0x000000013F400000-0x000000013F754000-memory.dmp	xmrig
behavioral1/memory/2580-144-0x000000013FC50000-0x000000013FFA4000-memory.dmp	xmrig
behavioral1/memory/1776-145-0x000000013FC60000-0x000000013FFB4000-memory.dmp	xmrig
behavioral1/memory/2652-146-0x000000013F620000-0x000000013F974000-memory.dmp	xmrig
behavioral1/memory/2836-147-0x000000013FE50000-0x00000001401A4000-memory.dmp	xmrig
behavioral1/memory/280-148-0x000000013F1C0000-0x000000013F514000-memory.dmp	xmrig
behavioral1/memory/940-149-0x000000013F220000-0x000000013F574000-memory.dmp	xmrig
behavioral1/memory/2392-150-0x000000013FC90000-0x000000013FFE4000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

ZhpUPwH.exeuTJdyUw.exeJuqchjf.exeaRzZytM.exerypgJFe.exeiVxUVrK.exeeRSsTgV.exekFXgoHl.exeatlzPeb.exeEIgcSJJ.exegVeLcxi.exeOZcQwIC.exelhepcgC.exemakrXnK.exeUDyEMZG.exezXHwzsl.exeidmptzP.exesOGFHJG.exeIeUkKeG.exeUYmjbwL.exeOVgJUPM.exe

pid	process
2844	ZhpUPwH.exe
2880	uTJdyUw.exe
2484	Juqchjf.exe
2580	aRzZytM.exe
2624	rypgJFe.exe
2652	iVxUVrK.exe
1776	eRSsTgV.exe
2392	kFXgoHl.exe
2836	atlzPeb.exe
280	EIgcSJJ.exe
940	gVeLcxi.exe
1200	OZcQwIC.exe
2636	lhepcgC.exe
2884	makrXnK.exe
2460	UDyEMZG.exe
2488	zXHwzsl.exe
2448	idmptzP.exe
2324	sOGFHJG.exe
1340	IeUkKeG.exe
2180	UYmjbwL.exe
2632	OVgJUPM.exe

Loads dropped DLL 21 IoCs

Processes:

2024-05-21_185340b4bad04bfd6d6a45332d68a84c_cobalt-strike_cobaltstrike.exe

pid	process
2888	2024-05-21_185340b4bad04bfd6d6a45332d68a84c_cobalt-strike_cobaltstrike.exe
2888	2024-05-21_185340b4bad04bfd6d6a45332d68a84c_cobalt-strike_cobaltstrike.exe
2888	2024-05-21_185340b4bad04bfd6d6a45332d68a84c_cobalt-strike_cobaltstrike.exe
2888	2024-05-21_185340b4bad04bfd6d6a45332d68a84c_cobalt-strike_cobaltstrike.exe
2888	2024-05-21_185340b4bad04bfd6d6a45332d68a84c_cobalt-strike_cobaltstrike.exe
2888	2024-05-21_185340b4bad04bfd6d6a45332d68a84c_cobalt-strike_cobaltstrike.exe
2888	2024-05-21_185340b4bad04bfd6d6a45332d68a84c_cobalt-strike_cobaltstrike.exe
2888	2024-05-21_185340b4bad04bfd6d6a45332d68a84c_cobalt-strike_cobaltstrike.exe
2888	2024-05-21_185340b4bad04bfd6d6a45332d68a84c_cobalt-strike_cobaltstrike.exe
2888	2024-05-21_185340b4bad04bfd6d6a45332d68a84c_cobalt-strike_cobaltstrike.exe
2888	2024-05-21_185340b4bad04bfd6d6a45332d68a84c_cobalt-strike_cobaltstrike.exe
2888	2024-05-21_185340b4bad04bfd6d6a45332d68a84c_cobalt-strike_cobaltstrike.exe
2888	2024-05-21_185340b4bad04bfd6d6a45332d68a84c_cobalt-strike_cobaltstrike.exe
2888	2024-05-21_185340b4bad04bfd6d6a45332d68a84c_cobalt-strike_cobaltstrike.exe
2888	2024-05-21_185340b4bad04bfd6d6a45332d68a84c_cobalt-strike_cobaltstrike.exe
2888	2024-05-21_185340b4bad04bfd6d6a45332d68a84c_cobalt-strike_cobaltstrike.exe
2888	2024-05-21_185340b4bad04bfd6d6a45332d68a84c_cobalt-strike_cobaltstrike.exe
2888	2024-05-21_185340b4bad04bfd6d6a45332d68a84c_cobalt-strike_cobaltstrike.exe
2888	2024-05-21_185340b4bad04bfd6d6a45332d68a84c_cobalt-strike_cobaltstrike.exe
2888	2024-05-21_185340b4bad04bfd6d6a45332d68a84c_cobalt-strike_cobaltstrike.exe
2888	2024-05-21_185340b4bad04bfd6d6a45332d68a84c_cobalt-strike_cobaltstrike.exe

UPX packed file 48 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2888-0-0x000000013FD40000-0x0000000140094000-memory.dmp	upx
C:\Windows\system\ZhpUPwH.exe	upx
\Windows\system\uTJdyUw.exe	upx
behavioral1/memory/2880-19-0x000000013FDE0000-0x0000000140134000-memory.dmp	upx
C:\Windows\system\aRzZytM.exe	upx
C:\Windows\system\OVgJUPM.exe	upx
behavioral1/memory/940-103-0x000000013F220000-0x000000013F574000-memory.dmp	upx
C:\Windows\system\gVeLcxi.exe	upx
\Windows\system\UYmjbwL.exe	upx
\Windows\system\IeUkKeG.exe	upx
C:\Windows\system\atlzPeb.exe	upx
\Windows\system\sOGFHJG.exe	upx
C:\Windows\system\kFXgoHl.exe	upx
\Windows\system\idmptzP.exe	upx
C:\Windows\system\eRSsTgV.exe	upx
\Windows\system\zXHwzsl.exe	upx
behavioral1/memory/2652-48-0x000000013F620000-0x000000013F974000-memory.dmp	upx
\Windows\system\UDyEMZG.exe	upx
\Windows\system\makrXnK.exe	upx
C:\Windows\system\lhepcgC.exe	upx
C:\Windows\system\OZcQwIC.exe	upx
behavioral1/memory/280-97-0x000000013F1C0000-0x000000013F514000-memory.dmp	upx
behavioral1/memory/2836-89-0x000000013FE50000-0x00000001401A4000-memory.dmp	upx
behavioral1/memory/2888-134-0x000000013FD40000-0x0000000140094000-memory.dmp	upx
behavioral1/memory/2392-82-0x000000013FC90000-0x000000013FFE4000-memory.dmp	upx
C:\Windows\system\EIgcSJJ.exe	upx
behavioral1/memory/1776-70-0x000000013FC60000-0x000000013FFB4000-memory.dmp	upx
behavioral1/memory/2624-44-0x000000013F400000-0x000000013F754000-memory.dmp	upx
C:\Windows\system\iVxUVrK.exe	upx
C:\Windows\system\rypgJFe.exe	upx
behavioral1/memory/2580-29-0x000000013FC50000-0x000000013FFA4000-memory.dmp	upx
behavioral1/memory/2484-26-0x000000013FDE0000-0x0000000140134000-memory.dmp	upx
C:\Windows\system\Juqchjf.exe	upx
behavioral1/memory/2844-17-0x000000013FDA0000-0x00000001400F4000-memory.dmp	upx
behavioral1/memory/2580-136-0x000000013FC50000-0x000000013FFA4000-memory.dmp	upx
behavioral1/memory/2652-137-0x000000013F620000-0x000000013F974000-memory.dmp	upx
behavioral1/memory/2392-139-0x000000013FC90000-0x000000013FFE4000-memory.dmp	upx
behavioral1/memory/2844-140-0x000000013FDA0000-0x00000001400F4000-memory.dmp	upx
behavioral1/memory/2484-142-0x000000013FDE0000-0x0000000140134000-memory.dmp	upx
behavioral1/memory/2880-141-0x000000013FDE0000-0x0000000140134000-memory.dmp	upx
behavioral1/memory/2624-143-0x000000013F400000-0x000000013F754000-memory.dmp	upx
behavioral1/memory/2580-144-0x000000013FC50000-0x000000013FFA4000-memory.dmp	upx
behavioral1/memory/1776-145-0x000000013FC60000-0x000000013FFB4000-memory.dmp	upx
behavioral1/memory/2652-146-0x000000013F620000-0x000000013F974000-memory.dmp	upx
behavioral1/memory/2836-147-0x000000013FE50000-0x00000001401A4000-memory.dmp	upx
behavioral1/memory/280-148-0x000000013F1C0000-0x000000013F514000-memory.dmp	upx
behavioral1/memory/940-149-0x000000013F220000-0x000000013F574000-memory.dmp	upx
behavioral1/memory/2392-150-0x000000013FC90000-0x000000013FFE4000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-05-21_185340b4bad04bfd6d6a45332d68a84c_cobalt-strike_cobaltstrike.exe

description	ioc	process
File created	C:\Windows\System\makrXnK.exe	2024-05-21_185340b4bad04bfd6d6a45332d68a84c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\eRSsTgV.exe	2024-05-21_185340b4bad04bfd6d6a45332d68a84c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\kFXgoHl.exe	2024-05-21_185340b4bad04bfd6d6a45332d68a84c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\OZcQwIC.exe	2024-05-21_185340b4bad04bfd6d6a45332d68a84c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\OVgJUPM.exe	2024-05-21_185340b4bad04bfd6d6a45332d68a84c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\uTJdyUw.exe	2024-05-21_185340b4bad04bfd6d6a45332d68a84c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\Juqchjf.exe	2024-05-21_185340b4bad04bfd6d6a45332d68a84c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\UDyEMZG.exe	2024-05-21_185340b4bad04bfd6d6a45332d68a84c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\atlzPeb.exe	2024-05-21_185340b4bad04bfd6d6a45332d68a84c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\aRzZytM.exe	2024-05-21_185340b4bad04bfd6d6a45332d68a84c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\rypgJFe.exe	2024-05-21_185340b4bad04bfd6d6a45332d68a84c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\UYmjbwL.exe	2024-05-21_185340b4bad04bfd6d6a45332d68a84c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\EIgcSJJ.exe	2024-05-21_185340b4bad04bfd6d6a45332d68a84c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\IeUkKeG.exe	2024-05-21_185340b4bad04bfd6d6a45332d68a84c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\zXHwzsl.exe	2024-05-21_185340b4bad04bfd6d6a45332d68a84c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\idmptzP.exe	2024-05-21_185340b4bad04bfd6d6a45332d68a84c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\sOGFHJG.exe	2024-05-21_185340b4bad04bfd6d6a45332d68a84c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\gVeLcxi.exe	2024-05-21_185340b4bad04bfd6d6a45332d68a84c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\lhepcgC.exe	2024-05-21_185340b4bad04bfd6d6a45332d68a84c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ZhpUPwH.exe	2024-05-21_185340b4bad04bfd6d6a45332d68a84c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\iVxUVrK.exe	2024-05-21_185340b4bad04bfd6d6a45332d68a84c_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-05-21_185340b4bad04bfd6d6a45332d68a84c_cobalt-strike_cobaltstrike.exe

description	pid	process
Token: SeLockMemoryPrivilege	2888	2024-05-21_185340b4bad04bfd6d6a45332d68a84c_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	2888	2024-05-21_185340b4bad04bfd6d6a45332d68a84c_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

2024-05-21_185340b4bad04bfd6d6a45332d68a84c_cobalt-strike_cobaltstrike.exe

description	pid	process	target process
PID 2888 wrote to memory of 2844	2888	2024-05-21_185340b4bad04bfd6d6a45332d68a84c_cobalt-strike_cobaltstrike.exe	ZhpUPwH.exe
PID 2888 wrote to memory of 2844	2888	2024-05-21_185340b4bad04bfd6d6a45332d68a84c_cobalt-strike_cobaltstrike.exe	ZhpUPwH.exe
PID 2888 wrote to memory of 2844	2888	2024-05-21_185340b4bad04bfd6d6a45332d68a84c_cobalt-strike_cobaltstrike.exe	ZhpUPwH.exe
PID 2888 wrote to memory of 2880	2888	2024-05-21_185340b4bad04bfd6d6a45332d68a84c_cobalt-strike_cobaltstrike.exe	uTJdyUw.exe
PID 2888 wrote to memory of 2880	2888	2024-05-21_185340b4bad04bfd6d6a45332d68a84c_cobalt-strike_cobaltstrike.exe	uTJdyUw.exe
PID 2888 wrote to memory of 2880	2888	2024-05-21_185340b4bad04bfd6d6a45332d68a84c_cobalt-strike_cobaltstrike.exe	uTJdyUw.exe
PID 2888 wrote to memory of 2484	2888	2024-05-21_185340b4bad04bfd6d6a45332d68a84c_cobalt-strike_cobaltstrike.exe	Juqchjf.exe
PID 2888 wrote to memory of 2484	2888	2024-05-21_185340b4bad04bfd6d6a45332d68a84c_cobalt-strike_cobaltstrike.exe	Juqchjf.exe
PID 2888 wrote to memory of 2484	2888	2024-05-21_185340b4bad04bfd6d6a45332d68a84c_cobalt-strike_cobaltstrike.exe	Juqchjf.exe
PID 2888 wrote to memory of 2580	2888	2024-05-21_185340b4bad04bfd6d6a45332d68a84c_cobalt-strike_cobaltstrike.exe	aRzZytM.exe
PID 2888 wrote to memory of 2580	2888	2024-05-21_185340b4bad04bfd6d6a45332d68a84c_cobalt-strike_cobaltstrike.exe	aRzZytM.exe
PID 2888 wrote to memory of 2580	2888	2024-05-21_185340b4bad04bfd6d6a45332d68a84c_cobalt-strike_cobaltstrike.exe	aRzZytM.exe
PID 2888 wrote to memory of 2624	2888	2024-05-21_185340b4bad04bfd6d6a45332d68a84c_cobalt-strike_cobaltstrike.exe	rypgJFe.exe
PID 2888 wrote to memory of 2624	2888	2024-05-21_185340b4bad04bfd6d6a45332d68a84c_cobalt-strike_cobaltstrike.exe	rypgJFe.exe
PID 2888 wrote to memory of 2624	2888	2024-05-21_185340b4bad04bfd6d6a45332d68a84c_cobalt-strike_cobaltstrike.exe	rypgJFe.exe
PID 2888 wrote to memory of 2884	2888	2024-05-21_185340b4bad04bfd6d6a45332d68a84c_cobalt-strike_cobaltstrike.exe	makrXnK.exe
PID 2888 wrote to memory of 2884	2888	2024-05-21_185340b4bad04bfd6d6a45332d68a84c_cobalt-strike_cobaltstrike.exe	makrXnK.exe
PID 2888 wrote to memory of 2884	2888	2024-05-21_185340b4bad04bfd6d6a45332d68a84c_cobalt-strike_cobaltstrike.exe	makrXnK.exe
PID 2888 wrote to memory of 2652	2888	2024-05-21_185340b4bad04bfd6d6a45332d68a84c_cobalt-strike_cobaltstrike.exe	iVxUVrK.exe
PID 2888 wrote to memory of 2652	2888	2024-05-21_185340b4bad04bfd6d6a45332d68a84c_cobalt-strike_cobaltstrike.exe	iVxUVrK.exe
PID 2888 wrote to memory of 2652	2888	2024-05-21_185340b4bad04bfd6d6a45332d68a84c_cobalt-strike_cobaltstrike.exe	iVxUVrK.exe
PID 2888 wrote to memory of 2460	2888	2024-05-21_185340b4bad04bfd6d6a45332d68a84c_cobalt-strike_cobaltstrike.exe	UDyEMZG.exe
PID 2888 wrote to memory of 2460	2888	2024-05-21_185340b4bad04bfd6d6a45332d68a84c_cobalt-strike_cobaltstrike.exe	UDyEMZG.exe
PID 2888 wrote to memory of 2460	2888	2024-05-21_185340b4bad04bfd6d6a45332d68a84c_cobalt-strike_cobaltstrike.exe	UDyEMZG.exe
PID 2888 wrote to memory of 1776	2888	2024-05-21_185340b4bad04bfd6d6a45332d68a84c_cobalt-strike_cobaltstrike.exe	eRSsTgV.exe
PID 2888 wrote to memory of 1776	2888	2024-05-21_185340b4bad04bfd6d6a45332d68a84c_cobalt-strike_cobaltstrike.exe	eRSsTgV.exe
PID 2888 wrote to memory of 1776	2888	2024-05-21_185340b4bad04bfd6d6a45332d68a84c_cobalt-strike_cobaltstrike.exe	eRSsTgV.exe
PID 2888 wrote to memory of 2488	2888	2024-05-21_185340b4bad04bfd6d6a45332d68a84c_cobalt-strike_cobaltstrike.exe	zXHwzsl.exe
PID 2888 wrote to memory of 2488	2888	2024-05-21_185340b4bad04bfd6d6a45332d68a84c_cobalt-strike_cobaltstrike.exe	zXHwzsl.exe
PID 2888 wrote to memory of 2488	2888	2024-05-21_185340b4bad04bfd6d6a45332d68a84c_cobalt-strike_cobaltstrike.exe	zXHwzsl.exe
PID 2888 wrote to memory of 2392	2888	2024-05-21_185340b4bad04bfd6d6a45332d68a84c_cobalt-strike_cobaltstrike.exe	kFXgoHl.exe
PID 2888 wrote to memory of 2392	2888	2024-05-21_185340b4bad04bfd6d6a45332d68a84c_cobalt-strike_cobaltstrike.exe	kFXgoHl.exe
PID 2888 wrote to memory of 2392	2888	2024-05-21_185340b4bad04bfd6d6a45332d68a84c_cobalt-strike_cobaltstrike.exe	kFXgoHl.exe
PID 2888 wrote to memory of 2448	2888	2024-05-21_185340b4bad04bfd6d6a45332d68a84c_cobalt-strike_cobaltstrike.exe	idmptzP.exe
PID 2888 wrote to memory of 2448	2888	2024-05-21_185340b4bad04bfd6d6a45332d68a84c_cobalt-strike_cobaltstrike.exe	idmptzP.exe
PID 2888 wrote to memory of 2448	2888	2024-05-21_185340b4bad04bfd6d6a45332d68a84c_cobalt-strike_cobaltstrike.exe	idmptzP.exe
PID 2888 wrote to memory of 2836	2888	2024-05-21_185340b4bad04bfd6d6a45332d68a84c_cobalt-strike_cobaltstrike.exe	atlzPeb.exe
PID 2888 wrote to memory of 2836	2888	2024-05-21_185340b4bad04bfd6d6a45332d68a84c_cobalt-strike_cobaltstrike.exe	atlzPeb.exe
PID 2888 wrote to memory of 2836	2888	2024-05-21_185340b4bad04bfd6d6a45332d68a84c_cobalt-strike_cobaltstrike.exe	atlzPeb.exe
PID 2888 wrote to memory of 2324	2888	2024-05-21_185340b4bad04bfd6d6a45332d68a84c_cobalt-strike_cobaltstrike.exe	sOGFHJG.exe
PID 2888 wrote to memory of 2324	2888	2024-05-21_185340b4bad04bfd6d6a45332d68a84c_cobalt-strike_cobaltstrike.exe	sOGFHJG.exe
PID 2888 wrote to memory of 2324	2888	2024-05-21_185340b4bad04bfd6d6a45332d68a84c_cobalt-strike_cobaltstrike.exe	sOGFHJG.exe
PID 2888 wrote to memory of 280	2888	2024-05-21_185340b4bad04bfd6d6a45332d68a84c_cobalt-strike_cobaltstrike.exe	EIgcSJJ.exe
PID 2888 wrote to memory of 280	2888	2024-05-21_185340b4bad04bfd6d6a45332d68a84c_cobalt-strike_cobaltstrike.exe	EIgcSJJ.exe
PID 2888 wrote to memory of 280	2888	2024-05-21_185340b4bad04bfd6d6a45332d68a84c_cobalt-strike_cobaltstrike.exe	EIgcSJJ.exe
PID 2888 wrote to memory of 1340	2888	2024-05-21_185340b4bad04bfd6d6a45332d68a84c_cobalt-strike_cobaltstrike.exe	IeUkKeG.exe
PID 2888 wrote to memory of 1340	2888	2024-05-21_185340b4bad04bfd6d6a45332d68a84c_cobalt-strike_cobaltstrike.exe	IeUkKeG.exe
PID 2888 wrote to memory of 1340	2888	2024-05-21_185340b4bad04bfd6d6a45332d68a84c_cobalt-strike_cobaltstrike.exe	IeUkKeG.exe
PID 2888 wrote to memory of 940	2888	2024-05-21_185340b4bad04bfd6d6a45332d68a84c_cobalt-strike_cobaltstrike.exe	gVeLcxi.exe
PID 2888 wrote to memory of 940	2888	2024-05-21_185340b4bad04bfd6d6a45332d68a84c_cobalt-strike_cobaltstrike.exe	gVeLcxi.exe
PID 2888 wrote to memory of 940	2888	2024-05-21_185340b4bad04bfd6d6a45332d68a84c_cobalt-strike_cobaltstrike.exe	gVeLcxi.exe
PID 2888 wrote to memory of 2180	2888	2024-05-21_185340b4bad04bfd6d6a45332d68a84c_cobalt-strike_cobaltstrike.exe	UYmjbwL.exe
PID 2888 wrote to memory of 2180	2888	2024-05-21_185340b4bad04bfd6d6a45332d68a84c_cobalt-strike_cobaltstrike.exe	UYmjbwL.exe
PID 2888 wrote to memory of 2180	2888	2024-05-21_185340b4bad04bfd6d6a45332d68a84c_cobalt-strike_cobaltstrike.exe	UYmjbwL.exe
PID 2888 wrote to memory of 1200	2888	2024-05-21_185340b4bad04bfd6d6a45332d68a84c_cobalt-strike_cobaltstrike.exe	OZcQwIC.exe
PID 2888 wrote to memory of 1200	2888	2024-05-21_185340b4bad04bfd6d6a45332d68a84c_cobalt-strike_cobaltstrike.exe	OZcQwIC.exe
PID 2888 wrote to memory of 1200	2888	2024-05-21_185340b4bad04bfd6d6a45332d68a84c_cobalt-strike_cobaltstrike.exe	OZcQwIC.exe
PID 2888 wrote to memory of 2632	2888	2024-05-21_185340b4bad04bfd6d6a45332d68a84c_cobalt-strike_cobaltstrike.exe	OVgJUPM.exe
PID 2888 wrote to memory of 2632	2888	2024-05-21_185340b4bad04bfd6d6a45332d68a84c_cobalt-strike_cobaltstrike.exe	OVgJUPM.exe
PID 2888 wrote to memory of 2632	2888	2024-05-21_185340b4bad04bfd6d6a45332d68a84c_cobalt-strike_cobaltstrike.exe	OVgJUPM.exe
PID 2888 wrote to memory of 2636	2888	2024-05-21_185340b4bad04bfd6d6a45332d68a84c_cobalt-strike_cobaltstrike.exe	lhepcgC.exe
PID 2888 wrote to memory of 2636	2888	2024-05-21_185340b4bad04bfd6d6a45332d68a84c_cobalt-strike_cobaltstrike.exe	lhepcgC.exe
PID 2888 wrote to memory of 2636	2888	2024-05-21_185340b4bad04bfd6d6a45332d68a84c_cobalt-strike_cobaltstrike.exe	lhepcgC.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-21_185340b4bad04bfd6d6a45332d68a84c_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-21_185340b4bad04bfd6d6a45332d68a84c_cobalt-strike_cobaltstrike.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2888

C:\Windows\System\ZhpUPwH.exe
C:\Windows\System\ZhpUPwH.exe
2⤵
- Executes dropped EXE
PID:2844

C:\Windows\System\uTJdyUw.exe
C:\Windows\System\uTJdyUw.exe
2⤵
- Executes dropped EXE
PID:2880

C:\Windows\System\Juqchjf.exe
C:\Windows\System\Juqchjf.exe
2⤵
- Executes dropped EXE
PID:2484

C:\Windows\System\aRzZytM.exe
C:\Windows\System\aRzZytM.exe
2⤵
- Executes dropped EXE
PID:2580

C:\Windows\System\rypgJFe.exe
C:\Windows\System\rypgJFe.exe
2⤵
- Executes dropped EXE
PID:2624

C:\Windows\System\makrXnK.exe
C:\Windows\System\makrXnK.exe
2⤵
- Executes dropped EXE
PID:2884

C:\Windows\System\iVxUVrK.exe
C:\Windows\System\iVxUVrK.exe
2⤵
- Executes dropped EXE
PID:2652

C:\Windows\System\UDyEMZG.exe
C:\Windows\System\UDyEMZG.exe
2⤵
- Executes dropped EXE
PID:2460

C:\Windows\System\eRSsTgV.exe
C:\Windows\System\eRSsTgV.exe
2⤵
- Executes dropped EXE
PID:1776

C:\Windows\System\zXHwzsl.exe
C:\Windows\System\zXHwzsl.exe
2⤵
- Executes dropped EXE
PID:2488

C:\Windows\System\kFXgoHl.exe
C:\Windows\System\kFXgoHl.exe
2⤵
- Executes dropped EXE
PID:2392

C:\Windows\System\idmptzP.exe
C:\Windows\System\idmptzP.exe
2⤵
- Executes dropped EXE
PID:2448

C:\Windows\System\atlzPeb.exe
C:\Windows\System\atlzPeb.exe
2⤵
- Executes dropped EXE
PID:2836

C:\Windows\System\sOGFHJG.exe
C:\Windows\System\sOGFHJG.exe
2⤵
- Executes dropped EXE
PID:2324

C:\Windows\System\EIgcSJJ.exe
C:\Windows\System\EIgcSJJ.exe
2⤵
- Executes dropped EXE
PID:280

C:\Windows\System\IeUkKeG.exe
C:\Windows\System\IeUkKeG.exe
2⤵
- Executes dropped EXE
PID:1340

C:\Windows\System\gVeLcxi.exe
C:\Windows\System\gVeLcxi.exe
2⤵
- Executes dropped EXE
PID:940

C:\Windows\System\UYmjbwL.exe
C:\Windows\System\UYmjbwL.exe
2⤵
- Executes dropped EXE
PID:2180

C:\Windows\System\OZcQwIC.exe
C:\Windows\System\OZcQwIC.exe
2⤵
- Executes dropped EXE
PID:1200

C:\Windows\System\OVgJUPM.exe
C:\Windows\System\OVgJUPM.exe
2⤵
- Executes dropped EXE
PID:2632

C:\Windows\System\lhepcgC.exe
C:\Windows\System\lhepcgC.exe
2⤵
- Executes dropped EXE
PID:2636

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\EIgcSJJ.exe
Filesize
6.0MB

MD5
a40f7b933102f48d1baf954598407325

SHA1
2b12a3a44b4eca54001965f2e146c51f139f32f9

SHA256
43abe60bdc3d3f2651da369145cb504394e93c8e67621d1fec18090be682282b

SHA512
84da8b24ca015326e6d698d64320208ba78f17cf2783860bc17f072156b0df352d7237361694fbe0b4f85975e29210e0786eeef54ba44308ad160cb9f24bced6

Download Submit
C:\Windows\system\Juqchjf.exe
Filesize
6.0MB

MD5
9c816cf9d17945b50e7e479fd208e194

SHA1
8bb782c9a02998df44f3afd54327e8dd70693f54

SHA256
d094eda9bd70d2bbfd2747f2e73b842a3e238ba73b4c39303940311e6fda2208

SHA512
e2d600ca8690f47a60c55ef778a8d4f46e28ba126c9293865e099cec421544b3d43954063c08d29bf8dd82850cb4eff553ceb419c30558e1603bd23b8cf8a63e

Download Submit
C:\Windows\system\OVgJUPM.exe
Filesize
6.0MB

MD5
d553981948e1b4ca5dd1006c61de4a40

SHA1
62146a97cba570aa33fd9b40af1e06d088d3353f

SHA256
121f9e6482d0ace20bb3ca1cb2d3e7d164308535a51ac84be6bc6c518a543b47

SHA512
174677c880c9632c4a5e4b182d184c76ba53c0a0d2159147b55189f2ca41c8d496d72112260c12cae74b5eff0082432670fa7d78f67e92b42680a1e1945a33dd

Download Submit
C:\Windows\system\OZcQwIC.exe
Filesize
6.0MB

MD5
01b6464c099e951a5093cf8b9f78b37c

SHA1
4d31cda373ef1f65f8e49891849e6f9f46441b9a

SHA256
3aae16de7051b6a332c63f460aa130dc78c409b2041b3b2b3eefe6e83fd975de

SHA512
e0b2a9d76c1f6e9d291c6a93f95c6f0dfe52ecf075d18c437d1422ffa003cff8cd6e55535d9752f8b33a619870491e121ecd6901d827a3ae35aedcb580427979

Download Submit
C:\Windows\system\ZhpUPwH.exe
Filesize
6.0MB

MD5
d6b535b48d2d9651e0e213a7dcc78ee1

SHA1
a6f20353c1cb9430fd96547147c7b9c15f9612af

SHA256
46b3aa304178f83d36ff62fa79a30293c4a9f6e4bea35fbb9f929fea4bb19faa

SHA512
156b08a5bfbf0b75344501c20ef7bcff2a3c83cfcb0d4a15e54942256fb100b04908b3dd3c08a32cdeae2027e0d36f5d30a0a4706fb9eb91631cc3bb9baa4484

Download Submit
C:\Windows\system\aRzZytM.exe
Filesize
6.0MB

MD5
f288304341f60030bb122d24b7ebae47

SHA1
3991b54d3b2dce4db7f4af47a6a18f30893a4671

SHA256
957d08ec0ab5d3d790ae7f01bdc709ce86cb00ab27956e6174252e604692eafc

SHA512
b889d95838e5260f494491a40911a454d2d8a998a7e1548af88b51aca0e5d06d4d849b2328deaed959c459b14ca333b7294d2e34a94460bafb2bf2be9c5b8e9e

Download Submit
C:\Windows\system\atlzPeb.exe
Filesize
6.0MB

MD5
3154f0877409b2cc56ec452285624f3b

SHA1
2dfc42a330c68617c255f2fc88d4f1aab08e4dcd

SHA256
55a4e0d31091d829ce6b9c46dc7313a689aa55b04d8447868dfeaceb96f33726

SHA512
c416b687111c7deb217b00d0a26de505bcbef5fed2f7ce2cbf748bb478bfa2168557c0ed0bde3aa6c928b62c05ce76308336aa3651c7d7fe1c07988329f2d621

Download Submit
C:\Windows\system\eRSsTgV.exe
Filesize
6.0MB

MD5
3f5ed45d84cd2b98224e700cd57b1204

SHA1
910bdbb5cd3f2912f0addcdc5d2e511ea798bb8c

SHA256
770a00e52f1f827f40085853dcaff1b55e2acb400ea4344a26ee40c6ef0f1128

SHA512
278eaca231a1f9d1ffbe0ebbbdbf949eab14c6105cd30d32b8b1380521a3a053017eace5394a0e4c6cc08bf5dea8b16ffc3b6199eb3310967819214c2c30beac

Download Submit
C:\Windows\system\gVeLcxi.exe
Filesize
6.0MB

MD5
18ae555d9ae225c176ec20374fd02fa2

SHA1
5ace672a013cee5d695db285ce918588c6746653

SHA256
333ef43f50d9b5f6a1a3ebaaea483d41b81d368ab7a4628b03abd1491782a779

SHA512
1e85d5173b99849b727d205d14ae2721ab0d4903a6c84ba86920035491eb56b1d24b4f91f0911370e9b7b7d5235d5daad308c50d72668a2b3982df062fcc2186

Download Submit
C:\Windows\system\iVxUVrK.exe
Filesize
6.0MB

MD5
2d37e6af769442b1a848d7f7ec538036

SHA1
4d04d971fccb95c36dd8cbf05f0c66d0763d9652

SHA256
910d67abe0d882138d32eff16c39358eb23010bda2372592619ea39e0e4a93c7

SHA512
d90ce6fcfe148c7d8c0f4086f0c09ef4b5580be9d1226144260515ef5e46a875a0b9e64dd771704880cbe123e27a7771bba29519b86e9a108f9f6ef2eb5fa6c5

Download Submit
C:\Windows\system\kFXgoHl.exe
Filesize
6.0MB

MD5
2680c9a294d72e0bb93673ae8b7f1bd0

SHA1
5cd48951b01983a2093751a2d8a1c5a554371fe5

SHA256
498e02c49d4347079cfd9e06a43086cb43c4819cad808547aa6f5e3219dede72

SHA512
e5994908d12755404f3bd78327b88233f74a3e14ab45b2d789e13f96c33b1693215e892cc5d3d88bf1473d604133df403a1ee1bcb6c67da48655ecab59976593

Download Submit
C:\Windows\system\lhepcgC.exe
Filesize
6.0MB

MD5
27e128582274627176b79cd3594a6dea

SHA1
ff0981f05393bf2a56c684cef0d46e5693844ccd

SHA256
07b436c6f24476c35573f9d0fd4d3dc8f65e0aa141e69a03f4a81e55040e2e97

SHA512
db46f3f6b6aba12ebd83c338ff9ac67e014d2ef21c11c855bb58b8d1ea24067e4d87c5c0b238b05e8792bd871ee7eb06e057e10b080e434e0c3bf7d1b19c3bdc

Download Submit
C:\Windows\system\rypgJFe.exe
Filesize
6.0MB

MD5
9d2a94987ed309f288d97b4c6ac66bb3

SHA1
261fff5ad835f4a48a8b557782868caa917d40af

SHA256
0ff08890e29b46f8f535a22c055f9bb64afe9e26c3a75ff243df054a4d838dd7

SHA512
c5304f4cd22717fabe650b555f42106fb23321f5b8dad7b75dfce5deb38e3336d930de9e19a4431ae11da50196e43e2987557cf08258ff82163d58db40065a66

Download Submit
\Windows\system\IeUkKeG.exe
Filesize
6.0MB

MD5
7dfe34e3ec52bb68d693c7b9cfbdb3dc

SHA1
1c21f851fe16e35afcdab718dc340363fe2d6e7c

SHA256
2702e9232bc78ecfc430c7d1c2c6379be7df82fd94462d087f75e6e109d32a94

SHA512
9478b6f6ff2a44f94af8d0f7ff78bb33e2823e1954a2b1db686ab6ce6ee8d4068c06ab0efa291831728c5968d204f7bdf608d4c9046acedd8ac3a41e0b9bd11b

Download Submit
\Windows\system\UDyEMZG.exe
Filesize
6.0MB

MD5
53237e2e004b01d2dac73c2a3b32ab3d

SHA1
6c25b7eb8d7e256df81d30bbfeb837997dd911ef

SHA256
6a5291f94dae5ebe48d1df7c2ac35f163950e85a845ff21fd63c698bc333c407

SHA512
c881e8da50540df78bfe343bfbd0430943fbb54a711874bd610e6b0eebe816b82a64b1ffffccb09f5ee620dcf19af706f00590e39de3c00a56fd4dc4b60a6fd0

Download Submit
\Windows\system\UYmjbwL.exe
Filesize
6.0MB

MD5
dece0e22b2a3bfa9a07a0abc42f7ea13

SHA1
1e7f01da74c1894c310e1aa4d66a87f3bf22f4a5

SHA256
409f55dec367313658f14b578f553d996d895277d553ebb192fb84434efd7021

SHA512
e84c855f5c7d9d11952f72bbe1a3a116f0a3df9c652bbcee8537adc4726a6eab388109fdee6b39e05e9fd2c25e6a60aa1922adae456ed55fb612da168069b90c

Download Submit
\Windows\system\idmptzP.exe
Filesize
6.0MB

MD5
5cc355cafd37fb47eb303905f943ac04

SHA1
40ef7cf4c6bae7efdae89c2dcabb770d23938250

SHA256
a3e0e648f1e1af7cf68680a582d53254f6145c6155241b525bfe3a30e28c26ea

SHA512
808190b68e470827d7c35ddd5995ae18163ce170ad9aeb5a891c04b8686886218e36e1d4429a1710b1e2e3b7db9bbe574b985df8b6b54863f72b6558a10d752a

Download Submit
\Windows\system\makrXnK.exe
Filesize
6.0MB

MD5
7eee8caebfe80c36917f637ee85e9b5e

SHA1
86166bcb00aa5baf40dac9c7ac10466aa864b18b

SHA256
1d6a664f905fe81a8d3f21878a932d391f074cdec7a9f44a4861e1fbb8d52387

SHA512
c46b41c58818e4438fff726b176199a9d03d48a4b64eaaf3ee3ffd25de09eadc6151d1919b629e3cd4f0d05c3a712134c3fa2cd514067caebf04a8e50c85af32

Download Submit
\Windows\system\sOGFHJG.exe
Filesize
6.0MB

MD5
6df8dc93bfc8570380d67b14a166f139

SHA1
81ff25c78863c21880691ceb0d9b6d9a714b6c12

SHA256
f249f274a9e47bd943fcde14eeea907788732861138ff9a02f74ea05c971c203

SHA512
dffa13900a86d98bcfc3dee9e0b50ecc16cb6881118b48b574addd6035acefc9232935f034a33070c8e75fd1fadface736c34523c523fb2e969607388aa7a57d

Download Submit
\Windows\system\uTJdyUw.exe
Filesize
6.0MB

MD5
6ad844fd193c7ef16964f8a050a69f35

SHA1
ad0cea4273027daae050fe07cbfc613bbc358544

SHA256
7a8dd47bc1d17d8363974aa72253872e040172829e1145d5e17f273703347574

SHA512
c45a9499a8ffed1ca051a99efa42320a349cc66c57d9641ad5e355f81aa8eaf91e418a07b6d5c8ad314c863470f8a8476797739e57a85e1d16be213a064b388f

Download Submit
\Windows\system\zXHwzsl.exe
Filesize
6.0MB

MD5
93eabe68d6b4b0e3c8ec1e8a446fc980

SHA1
3b43d791e7f083b5fd87911da0a18a07428b7400

SHA256
4b400cd5ee455742ab26197855ec0f5e3871e6525f606e6002141537d4ca6522

SHA512
8521d5cabf645f265583f062a6ec01f3ca64074ef9f5aa5e39309a03e705c2f40ebdf36c5aea97a27062c680a4f531281e39a8f77041117819da945da5058bd6

Download Submit
memory/280-148-0x000000013F1C0000-0x000000013F514000-memory.dmp

Filesize
3.3MB

Download
memory/280-97-0x000000013F1C0000-0x000000013F514000-memory.dmp

Filesize
3.3MB

Download
memory/940-149-0x000000013F220000-0x000000013F574000-memory.dmp

Filesize
3.3MB

Download
memory/940-103-0x000000013F220000-0x000000013F574000-memory.dmp

Filesize
3.3MB

Download
memory/1776-145-0x000000013FC60000-0x000000013FFB4000-memory.dmp

Filesize
3.3MB

Download
memory/1776-70-0x000000013FC60000-0x000000013FFB4000-memory.dmp

Filesize
3.3MB

Download
memory/2392-139-0x000000013FC90000-0x000000013FFE4000-memory.dmp

Filesize
3.3MB

Download
memory/2392-82-0x000000013FC90000-0x000000013FFE4000-memory.dmp

Filesize
3.3MB

Download
memory/2392-150-0x000000013FC90000-0x000000013FFE4000-memory.dmp

Filesize
3.3MB

Download
memory/2484-142-0x000000013FDE0000-0x0000000140134000-memory.dmp

Filesize
3.3MB

Download
memory/2484-26-0x000000013FDE0000-0x0000000140134000-memory.dmp

Filesize
3.3MB

Download
memory/2580-136-0x000000013FC50000-0x000000013FFA4000-memory.dmp

Filesize
3.3MB

Download
memory/2580-29-0x000000013FC50000-0x000000013FFA4000-memory.dmp

Filesize
3.3MB

Download
memory/2580-144-0x000000013FC50000-0x000000013FFA4000-memory.dmp

Filesize
3.3MB

Download
memory/2624-143-0x000000013F400000-0x000000013F754000-memory.dmp

Filesize
3.3MB

Download
memory/2624-44-0x000000013F400000-0x000000013F754000-memory.dmp

Filesize
3.3MB

Download
memory/2652-137-0x000000013F620000-0x000000013F974000-memory.dmp

Filesize
3.3MB

Download
memory/2652-48-0x000000013F620000-0x000000013F974000-memory.dmp

Filesize
3.3MB

Download
memory/2652-146-0x000000013F620000-0x000000013F974000-memory.dmp

Filesize
3.3MB

Download
memory/2836-89-0x000000013FE50000-0x00000001401A4000-memory.dmp

Filesize
3.3MB

Download
memory/2836-147-0x000000013FE50000-0x00000001401A4000-memory.dmp

Filesize
3.3MB

Download
memory/2844-17-0x000000013FDA0000-0x00000001400F4000-memory.dmp

Filesize
3.3MB

Download
memory/2844-140-0x000000013FDA0000-0x00000001400F4000-memory.dmp

Filesize
3.3MB

Download
memory/2880-19-0x000000013FDE0000-0x0000000140134000-memory.dmp

Filesize
3.3MB

Download
memory/2880-141-0x000000013FDE0000-0x0000000140134000-memory.dmp

Filesize
3.3MB

Download
memory/2888-135-0x0000000002380000-0x00000000026D4000-memory.dmp

Filesize
3.3MB

Download
memory/2888-61-0x000000013F6B0000-0x000000013FA04000-memory.dmp

Filesize
3.3MB

Download
memory/2888-76-0x0000000002380000-0x00000000026D4000-memory.dmp

Filesize
3.3MB

Download
memory/2888-0-0x000000013FD40000-0x0000000140094000-memory.dmp

Filesize
3.3MB

Download
memory/2888-107-0x0000000002380000-0x00000000026D4000-memory.dmp

Filesize
3.3MB

Download
memory/2888-12-0x0000000002380000-0x00000000026D4000-memory.dmp

Filesize
3.3MB

Download
memory/2888-110-0x0000000002380000-0x00000000026D4000-memory.dmp

Filesize
3.3MB

Download
memory/2888-134-0x000000013FD40000-0x0000000140094000-memory.dmp

Filesize
3.3MB

Download
memory/2888-138-0x000000013F6B0000-0x000000013FA04000-memory.dmp

Filesize
3.3MB

Download
memory/2888-27-0x0000000002380000-0x00000000026D4000-memory.dmp

Filesize
3.3MB

Download
memory/2888-24-0x0000000002380000-0x00000000026D4000-memory.dmp

Filesize
3.3MB

Download
memory/2888-25-0x0000000002380000-0x00000000026D4000-memory.dmp

Filesize
3.3MB

Download
memory/2888-1-0x00000000002F0000-0x0000000000300000-memory.dmp

Filesize
64KB

Download
memory/2888-108-0x000000013F420000-0x000000013F774000-memory.dmp

Filesize
3.3MB

Download
memory/2888-109-0x000000013F8A0000-0x000000013FBF4000-memory.dmp

Filesize
3.3MB

Download
memory/2888-111-0x000000013F0B0000-0x000000013F404000-memory.dmp

Filesize
3.3MB

Download
memory/2888-112-0x000000013F1C0000-0x000000013F514000-memory.dmp

Filesize
3.3MB

Download
memory/2888-113-0x000000013F8C0000-0x000000013FC14000-memory.dmp

Filesize
3.3MB

Download
memory/2888-114-0x0000000002380000-0x00000000026D4000-memory.dmp

Filesize
3.3MB

Download
memory/2888-39-0x000000013F400000-0x000000013F754000-memory.dmp

Filesize
3.3MB

Download
memory/2888-65-0x000000013F620000-0x000000013F974000-memory.dmp

Filesize
3.3MB

Download