cobaltstrike | a3d4c93ba4c489be0e1bf3b13edb2067f2963c8728fe6c337eff6bd632a138da

Analysis

max time kernel
133s
max time network
143s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
21-05-2024 01:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-21_4966911bb96dfb43c655a8fb3444fe24_cobalt-strike_cobaltstrike.exe
Size

6.0MB
MD5

4966911bb96dfb43c655a8fb3444fe24
SHA1

c0fd2f9f235ce6330b5967ed25dcba3c20491cc4
SHA256

a3d4c93ba4c489be0e1bf3b13edb2067f2963c8728fe6c337eff6bd632a138da
SHA512

3923ac9fe9757749929ff24c39cda13a2aa98ef46cdde71672ed0f127aaa2f7db25073b6741d35d815d756adc32b794ded998a15febdaa11ac5f7d50bad415b2
SSDEEP

98304:demTLkNdfE0pZ3656utgpPFotBER/mQ32lUm:E+v56utgpPF8u/7m

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\system\LJWcBiL.exe	cobalt_reflective_dll
C:\Windows\system\LPfonxj.exe	cobalt_reflective_dll
\Windows\system\pZFHlIx.exe	cobalt_reflective_dll
C:\Windows\system\jBISVYF.exe	cobalt_reflective_dll
\Windows\system\LcFkhnG.exe	cobalt_reflective_dll
C:\Windows\system\gjQoTqF.exe	cobalt_reflective_dll
C:\Windows\system\JQgPAwd.exe	cobalt_reflective_dll
C:\Windows\system\UNhHujc.exe	cobalt_reflective_dll
C:\Windows\system\NsCJCUw.exe	cobalt_reflective_dll
C:\Windows\system\buczJwP.exe	cobalt_reflective_dll
C:\Windows\system\RHCcYNe.exe	cobalt_reflective_dll
\Windows\system\JtRaAMb.exe	cobalt_reflective_dll
C:\Windows\system\vIdkkLI.exe	cobalt_reflective_dll
C:\Windows\system\SdtsGsP.exe	cobalt_reflective_dll
C:\Windows\system\UJoodWJ.exe	cobalt_reflective_dll
C:\Windows\system\DcuYRvB.exe	cobalt_reflective_dll
C:\Windows\system\LEcxuew.exe	cobalt_reflective_dll
C:\Windows\system\RjKLENO.exe	cobalt_reflective_dll
C:\Windows\system\MnonmQL.exe	cobalt_reflective_dll
C:\Windows\system\EYuSMxl.exe	cobalt_reflective_dll
C:\Windows\system\oZeDNBL.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
C:\Windows\system\LJWcBiL.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\LPfonxj.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\pZFHlIx.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\jBISVYF.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\LcFkhnG.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\gjQoTqF.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\JQgPAwd.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\UNhHujc.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\NsCJCUw.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\buczJwP.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\RHCcYNe.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\JtRaAMb.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\vIdkkLI.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\SdtsGsP.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\UJoodWJ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\DcuYRvB.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\LEcxuew.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\RjKLENO.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\MnonmQL.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\EYuSMxl.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\oZeDNBL.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 53 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2040-1-0x000000013FD00000-0x0000000140054000-memory.dmp	UPX
C:\Windows\system\LJWcBiL.exe	UPX
C:\Windows\system\LPfonxj.exe	UPX
\Windows\system\pZFHlIx.exe	UPX
C:\Windows\system\jBISVYF.exe	UPX
behavioral1/memory/2480-30-0x000000013FC50000-0x000000013FFA4000-memory.dmp	UPX
behavioral1/memory/2572-26-0x000000013FFA0000-0x00000001402F4000-memory.dmp	UPX
behavioral1/memory/2036-20-0x000000013F5A0000-0x000000013F8F4000-memory.dmp	UPX
behavioral1/memory/2704-16-0x000000013FF10000-0x0000000140264000-memory.dmp	UPX
\Windows\system\LcFkhnG.exe	UPX
C:\Windows\system\gjQoTqF.exe	UPX
C:\Windows\system\JQgPAwd.exe	UPX
C:\Windows\system\UNhHujc.exe	UPX
C:\Windows\system\NsCJCUw.exe	UPX
C:\Windows\system\buczJwP.exe	UPX
C:\Windows\system\RHCcYNe.exe	UPX
\Windows\system\JtRaAMb.exe	UPX
C:\Windows\system\vIdkkLI.exe	UPX
C:\Windows\system\SdtsGsP.exe	UPX
C:\Windows\system\UJoodWJ.exe	UPX
C:\Windows\system\DcuYRvB.exe	UPX
C:\Windows\system\LEcxuew.exe	UPX
C:\Windows\system\RjKLENO.exe	UPX
C:\Windows\system\MnonmQL.exe	UPX
behavioral1/memory/2304-118-0x000000013FE60000-0x00000001401B4000-memory.dmp	UPX
behavioral1/memory/892-117-0x000000013F750000-0x000000013FAA4000-memory.dmp	UPX
behavioral1/memory/2376-120-0x000000013FA50000-0x000000013FDA4000-memory.dmp	UPX
behavioral1/memory/2664-119-0x000000013F6D0000-0x000000013FA24000-memory.dmp	UPX
behavioral1/memory/2404-121-0x000000013FCD0000-0x0000000140024000-memory.dmp	UPX
behavioral1/memory/2808-116-0x000000013FE70000-0x00000001401C4000-memory.dmp	UPX
behavioral1/memory/1944-127-0x000000013F2B0000-0x000000013F604000-memory.dmp	UPX
behavioral1/memory/2588-129-0x000000013F2C0000-0x000000013F614000-memory.dmp	UPX
behavioral1/memory/2900-125-0x000000013F150000-0x000000013F4A4000-memory.dmp	UPX
behavioral1/memory/2896-123-0x000000013F740000-0x000000013FA94000-memory.dmp	UPX
C:\Windows\system\EYuSMxl.exe	UPX
C:\Windows\system\oZeDNBL.exe	UPX
behavioral1/memory/2040-132-0x000000013FD00000-0x0000000140054000-memory.dmp	UPX
behavioral1/memory/2036-133-0x000000013F5A0000-0x000000013F8F4000-memory.dmp	UPX
behavioral1/memory/2572-134-0x000000013FFA0000-0x00000001402F4000-memory.dmp	UPX
behavioral1/memory/2704-135-0x000000013FF10000-0x0000000140264000-memory.dmp	UPX
behavioral1/memory/2036-136-0x000000013F5A0000-0x000000013F8F4000-memory.dmp	UPX
behavioral1/memory/2480-137-0x000000013FC50000-0x000000013FFA4000-memory.dmp	UPX
behavioral1/memory/2572-138-0x000000013FFA0000-0x00000001402F4000-memory.dmp	UPX
behavioral1/memory/2808-139-0x000000013FE70000-0x00000001401C4000-memory.dmp	UPX
behavioral1/memory/892-140-0x000000013F750000-0x000000013FAA4000-memory.dmp	UPX
behavioral1/memory/2304-141-0x000000013FE60000-0x00000001401B4000-memory.dmp	UPX
behavioral1/memory/2664-142-0x000000013F6D0000-0x000000013FA24000-memory.dmp	UPX
behavioral1/memory/2376-143-0x000000013FA50000-0x000000013FDA4000-memory.dmp	UPX
behavioral1/memory/2404-144-0x000000013FCD0000-0x0000000140024000-memory.dmp	UPX
behavioral1/memory/2896-145-0x000000013F740000-0x000000013FA94000-memory.dmp	UPX
behavioral1/memory/2900-146-0x000000013F150000-0x000000013F4A4000-memory.dmp	UPX
behavioral1/memory/1944-147-0x000000013F2B0000-0x000000013F604000-memory.dmp	UPX
behavioral1/memory/2588-148-0x000000013F2C0000-0x000000013F614000-memory.dmp	UPX

XMRig Miner payload 56 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/2040-1-0x000000013FD00000-0x0000000140054000-memory.dmp	xmrig
C:\Windows\system\LJWcBiL.exe	xmrig
C:\Windows\system\LPfonxj.exe	xmrig
\Windows\system\pZFHlIx.exe	xmrig
C:\Windows\system\jBISVYF.exe	xmrig
behavioral1/memory/2480-30-0x000000013FC50000-0x000000013FFA4000-memory.dmp	xmrig
behavioral1/memory/2572-26-0x000000013FFA0000-0x00000001402F4000-memory.dmp	xmrig
behavioral1/memory/2036-20-0x000000013F5A0000-0x000000013F8F4000-memory.dmp	xmrig
behavioral1/memory/2040-18-0x0000000002490000-0x00000000027E4000-memory.dmp	xmrig
behavioral1/memory/2704-16-0x000000013FF10000-0x0000000140264000-memory.dmp	xmrig
\Windows\system\LcFkhnG.exe	xmrig
C:\Windows\system\gjQoTqF.exe	xmrig
C:\Windows\system\JQgPAwd.exe	xmrig
C:\Windows\system\UNhHujc.exe	xmrig
C:\Windows\system\NsCJCUw.exe	xmrig
C:\Windows\system\buczJwP.exe	xmrig
C:\Windows\system\RHCcYNe.exe	xmrig
\Windows\system\JtRaAMb.exe	xmrig
C:\Windows\system\vIdkkLI.exe	xmrig
C:\Windows\system\SdtsGsP.exe	xmrig
C:\Windows\system\UJoodWJ.exe	xmrig
C:\Windows\system\DcuYRvB.exe	xmrig
C:\Windows\system\LEcxuew.exe	xmrig
C:\Windows\system\RjKLENO.exe	xmrig
C:\Windows\system\MnonmQL.exe	xmrig
behavioral1/memory/2304-118-0x000000013FE60000-0x00000001401B4000-memory.dmp	xmrig
behavioral1/memory/892-117-0x000000013F750000-0x000000013FAA4000-memory.dmp	xmrig
behavioral1/memory/2376-120-0x000000013FA50000-0x000000013FDA4000-memory.dmp	xmrig
behavioral1/memory/2664-119-0x000000013F6D0000-0x000000013FA24000-memory.dmp	xmrig
behavioral1/memory/2404-121-0x000000013FCD0000-0x0000000140024000-memory.dmp	xmrig
behavioral1/memory/2040-122-0x000000013F740000-0x000000013FA94000-memory.dmp	xmrig
behavioral1/memory/2808-116-0x000000013FE70000-0x00000001401C4000-memory.dmp	xmrig
behavioral1/memory/1944-127-0x000000013F2B0000-0x000000013F604000-memory.dmp	xmrig
behavioral1/memory/2588-129-0x000000013F2C0000-0x000000013F614000-memory.dmp	xmrig
behavioral1/memory/2040-130-0x000000013F0E0000-0x000000013F434000-memory.dmp	xmrig
behavioral1/memory/2900-125-0x000000013F150000-0x000000013F4A4000-memory.dmp	xmrig
behavioral1/memory/2896-123-0x000000013F740000-0x000000013FA94000-memory.dmp	xmrig
C:\Windows\system\EYuSMxl.exe	xmrig
C:\Windows\system\oZeDNBL.exe	xmrig
behavioral1/memory/2040-132-0x000000013FD00000-0x0000000140054000-memory.dmp	xmrig
behavioral1/memory/2036-133-0x000000013F5A0000-0x000000013F8F4000-memory.dmp	xmrig
behavioral1/memory/2572-134-0x000000013FFA0000-0x00000001402F4000-memory.dmp	xmrig
behavioral1/memory/2704-135-0x000000013FF10000-0x0000000140264000-memory.dmp	xmrig
behavioral1/memory/2036-136-0x000000013F5A0000-0x000000013F8F4000-memory.dmp	xmrig
behavioral1/memory/2480-137-0x000000013FC50000-0x000000013FFA4000-memory.dmp	xmrig
behavioral1/memory/2572-138-0x000000013FFA0000-0x00000001402F4000-memory.dmp	xmrig
behavioral1/memory/2808-139-0x000000013FE70000-0x00000001401C4000-memory.dmp	xmrig
behavioral1/memory/892-140-0x000000013F750000-0x000000013FAA4000-memory.dmp	xmrig
behavioral1/memory/2304-141-0x000000013FE60000-0x00000001401B4000-memory.dmp	xmrig
behavioral1/memory/2664-142-0x000000013F6D0000-0x000000013FA24000-memory.dmp	xmrig
behavioral1/memory/2376-143-0x000000013FA50000-0x000000013FDA4000-memory.dmp	xmrig
behavioral1/memory/2404-144-0x000000013FCD0000-0x0000000140024000-memory.dmp	xmrig
behavioral1/memory/2896-145-0x000000013F740000-0x000000013FA94000-memory.dmp	xmrig
behavioral1/memory/2900-146-0x000000013F150000-0x000000013F4A4000-memory.dmp	xmrig
behavioral1/memory/1944-147-0x000000013F2B0000-0x000000013F604000-memory.dmp	xmrig
behavioral1/memory/2588-148-0x000000013F2C0000-0x000000013F614000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

LJWcBiL.exejBISVYF.exeLPfonxj.exepZFHlIx.exeLcFkhnG.exegjQoTqF.exeoZeDNBL.exeJQgPAwd.exeEYuSMxl.exeUNhHujc.exeNsCJCUw.exebuczJwP.exeMnonmQL.exeRjKLENO.exeLEcxuew.exeDcuYRvB.exeUJoodWJ.exeSdtsGsP.exevIdkkLI.exeRHCcYNe.exeJtRaAMb.exe

pid	process
2704	LJWcBiL.exe
2036	jBISVYF.exe
2572	LPfonxj.exe
2480	pZFHlIx.exe
2808	LcFkhnG.exe
892	gjQoTqF.exe
2304	oZeDNBL.exe
2664	JQgPAwd.exe
2376	EYuSMxl.exe
2404	UNhHujc.exe
2896	NsCJCUw.exe
2900	buczJwP.exe
1944	MnonmQL.exe
2588	RjKLENO.exe
2696	LEcxuew.exe
2780	DcuYRvB.exe
1616	UJoodWJ.exe
272	SdtsGsP.exe
1768	vIdkkLI.exe
472	RHCcYNe.exe
1644	JtRaAMb.exe

Loads dropped DLL 21 IoCs

Processes:

2024-05-21_4966911bb96dfb43c655a8fb3444fe24_cobalt-strike_cobaltstrike.exe

pid	process
2040	2024-05-21_4966911bb96dfb43c655a8fb3444fe24_cobalt-strike_cobaltstrike.exe
2040	2024-05-21_4966911bb96dfb43c655a8fb3444fe24_cobalt-strike_cobaltstrike.exe
2040	2024-05-21_4966911bb96dfb43c655a8fb3444fe24_cobalt-strike_cobaltstrike.exe
2040	2024-05-21_4966911bb96dfb43c655a8fb3444fe24_cobalt-strike_cobaltstrike.exe
2040	2024-05-21_4966911bb96dfb43c655a8fb3444fe24_cobalt-strike_cobaltstrike.exe
2040	2024-05-21_4966911bb96dfb43c655a8fb3444fe24_cobalt-strike_cobaltstrike.exe
2040	2024-05-21_4966911bb96dfb43c655a8fb3444fe24_cobalt-strike_cobaltstrike.exe
2040	2024-05-21_4966911bb96dfb43c655a8fb3444fe24_cobalt-strike_cobaltstrike.exe
2040	2024-05-21_4966911bb96dfb43c655a8fb3444fe24_cobalt-strike_cobaltstrike.exe
2040	2024-05-21_4966911bb96dfb43c655a8fb3444fe24_cobalt-strike_cobaltstrike.exe
2040	2024-05-21_4966911bb96dfb43c655a8fb3444fe24_cobalt-strike_cobaltstrike.exe
2040	2024-05-21_4966911bb96dfb43c655a8fb3444fe24_cobalt-strike_cobaltstrike.exe
2040	2024-05-21_4966911bb96dfb43c655a8fb3444fe24_cobalt-strike_cobaltstrike.exe
2040	2024-05-21_4966911bb96dfb43c655a8fb3444fe24_cobalt-strike_cobaltstrike.exe
2040	2024-05-21_4966911bb96dfb43c655a8fb3444fe24_cobalt-strike_cobaltstrike.exe
2040	2024-05-21_4966911bb96dfb43c655a8fb3444fe24_cobalt-strike_cobaltstrike.exe
2040	2024-05-21_4966911bb96dfb43c655a8fb3444fe24_cobalt-strike_cobaltstrike.exe
2040	2024-05-21_4966911bb96dfb43c655a8fb3444fe24_cobalt-strike_cobaltstrike.exe
2040	2024-05-21_4966911bb96dfb43c655a8fb3444fe24_cobalt-strike_cobaltstrike.exe
2040	2024-05-21_4966911bb96dfb43c655a8fb3444fe24_cobalt-strike_cobaltstrike.exe
2040	2024-05-21_4966911bb96dfb43c655a8fb3444fe24_cobalt-strike_cobaltstrike.exe

UPX packed file 53 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2040-1-0x000000013FD00000-0x0000000140054000-memory.dmp	upx
C:\Windows\system\LJWcBiL.exe	upx
C:\Windows\system\LPfonxj.exe	upx
\Windows\system\pZFHlIx.exe	upx
C:\Windows\system\jBISVYF.exe	upx
behavioral1/memory/2480-30-0x000000013FC50000-0x000000013FFA4000-memory.dmp	upx
behavioral1/memory/2572-26-0x000000013FFA0000-0x00000001402F4000-memory.dmp	upx
behavioral1/memory/2036-20-0x000000013F5A0000-0x000000013F8F4000-memory.dmp	upx
behavioral1/memory/2704-16-0x000000013FF10000-0x0000000140264000-memory.dmp	upx
\Windows\system\LcFkhnG.exe	upx
C:\Windows\system\gjQoTqF.exe	upx
C:\Windows\system\JQgPAwd.exe	upx
C:\Windows\system\UNhHujc.exe	upx
C:\Windows\system\NsCJCUw.exe	upx
C:\Windows\system\buczJwP.exe	upx
C:\Windows\system\RHCcYNe.exe	upx
\Windows\system\JtRaAMb.exe	upx
C:\Windows\system\vIdkkLI.exe	upx
C:\Windows\system\SdtsGsP.exe	upx
C:\Windows\system\UJoodWJ.exe	upx
C:\Windows\system\DcuYRvB.exe	upx
C:\Windows\system\LEcxuew.exe	upx
C:\Windows\system\RjKLENO.exe	upx
C:\Windows\system\MnonmQL.exe	upx
behavioral1/memory/2304-118-0x000000013FE60000-0x00000001401B4000-memory.dmp	upx
behavioral1/memory/892-117-0x000000013F750000-0x000000013FAA4000-memory.dmp	upx
behavioral1/memory/2376-120-0x000000013FA50000-0x000000013FDA4000-memory.dmp	upx
behavioral1/memory/2664-119-0x000000013F6D0000-0x000000013FA24000-memory.dmp	upx
behavioral1/memory/2404-121-0x000000013FCD0000-0x0000000140024000-memory.dmp	upx
behavioral1/memory/2808-116-0x000000013FE70000-0x00000001401C4000-memory.dmp	upx
behavioral1/memory/1944-127-0x000000013F2B0000-0x000000013F604000-memory.dmp	upx
behavioral1/memory/2588-129-0x000000013F2C0000-0x000000013F614000-memory.dmp	upx
behavioral1/memory/2900-125-0x000000013F150000-0x000000013F4A4000-memory.dmp	upx
behavioral1/memory/2896-123-0x000000013F740000-0x000000013FA94000-memory.dmp	upx
C:\Windows\system\EYuSMxl.exe	upx
C:\Windows\system\oZeDNBL.exe	upx
behavioral1/memory/2040-132-0x000000013FD00000-0x0000000140054000-memory.dmp	upx
behavioral1/memory/2036-133-0x000000013F5A0000-0x000000013F8F4000-memory.dmp	upx
behavioral1/memory/2572-134-0x000000013FFA0000-0x00000001402F4000-memory.dmp	upx
behavioral1/memory/2704-135-0x000000013FF10000-0x0000000140264000-memory.dmp	upx
behavioral1/memory/2036-136-0x000000013F5A0000-0x000000013F8F4000-memory.dmp	upx
behavioral1/memory/2480-137-0x000000013FC50000-0x000000013FFA4000-memory.dmp	upx
behavioral1/memory/2572-138-0x000000013FFA0000-0x00000001402F4000-memory.dmp	upx
behavioral1/memory/2808-139-0x000000013FE70000-0x00000001401C4000-memory.dmp	upx
behavioral1/memory/892-140-0x000000013F750000-0x000000013FAA4000-memory.dmp	upx
behavioral1/memory/2304-141-0x000000013FE60000-0x00000001401B4000-memory.dmp	upx
behavioral1/memory/2664-142-0x000000013F6D0000-0x000000013FA24000-memory.dmp	upx
behavioral1/memory/2376-143-0x000000013FA50000-0x000000013FDA4000-memory.dmp	upx
behavioral1/memory/2404-144-0x000000013FCD0000-0x0000000140024000-memory.dmp	upx
behavioral1/memory/2896-145-0x000000013F740000-0x000000013FA94000-memory.dmp	upx
behavioral1/memory/2900-146-0x000000013F150000-0x000000013F4A4000-memory.dmp	upx
behavioral1/memory/1944-147-0x000000013F2B0000-0x000000013F604000-memory.dmp	upx
behavioral1/memory/2588-148-0x000000013F2C0000-0x000000013F614000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-05-21_4966911bb96dfb43c655a8fb3444fe24_cobalt-strike_cobaltstrike.exe

description	ioc	process
File created	C:\Windows\System\LJWcBiL.exe	2024-05-21_4966911bb96dfb43c655a8fb3444fe24_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\oZeDNBL.exe	2024-05-21_4966911bb96dfb43c655a8fb3444fe24_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\MnonmQL.exe	2024-05-21_4966911bb96dfb43c655a8fb3444fe24_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\UJoodWJ.exe	2024-05-21_4966911bb96dfb43c655a8fb3444fe24_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\JQgPAwd.exe	2024-05-21_4966911bb96dfb43c655a8fb3444fe24_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\EYuSMxl.exe	2024-05-21_4966911bb96dfb43c655a8fb3444fe24_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\jBISVYF.exe	2024-05-21_4966911bb96dfb43c655a8fb3444fe24_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\LPfonxj.exe	2024-05-21_4966911bb96dfb43c655a8fb3444fe24_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\gjQoTqF.exe	2024-05-21_4966911bb96dfb43c655a8fb3444fe24_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\DcuYRvB.exe	2024-05-21_4966911bb96dfb43c655a8fb3444fe24_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\JtRaAMb.exe	2024-05-21_4966911bb96dfb43c655a8fb3444fe24_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\pZFHlIx.exe	2024-05-21_4966911bb96dfb43c655a8fb3444fe24_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\LcFkhnG.exe	2024-05-21_4966911bb96dfb43c655a8fb3444fe24_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\UNhHujc.exe	2024-05-21_4966911bb96dfb43c655a8fb3444fe24_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\NsCJCUw.exe	2024-05-21_4966911bb96dfb43c655a8fb3444fe24_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\buczJwP.exe	2024-05-21_4966911bb96dfb43c655a8fb3444fe24_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\RjKLENO.exe	2024-05-21_4966911bb96dfb43c655a8fb3444fe24_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\LEcxuew.exe	2024-05-21_4966911bb96dfb43c655a8fb3444fe24_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\SdtsGsP.exe	2024-05-21_4966911bb96dfb43c655a8fb3444fe24_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\vIdkkLI.exe	2024-05-21_4966911bb96dfb43c655a8fb3444fe24_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\RHCcYNe.exe	2024-05-21_4966911bb96dfb43c655a8fb3444fe24_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-05-21_4966911bb96dfb43c655a8fb3444fe24_cobalt-strike_cobaltstrike.exe

description	pid	process
Token: SeLockMemoryPrivilege	2040	2024-05-21_4966911bb96dfb43c655a8fb3444fe24_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	2040	2024-05-21_4966911bb96dfb43c655a8fb3444fe24_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

2024-05-21_4966911bb96dfb43c655a8fb3444fe24_cobalt-strike_cobaltstrike.exe

description	pid	process	target process
PID 2040 wrote to memory of 2704	2040	2024-05-21_4966911bb96dfb43c655a8fb3444fe24_cobalt-strike_cobaltstrike.exe	LJWcBiL.exe
PID 2040 wrote to memory of 2704	2040	2024-05-21_4966911bb96dfb43c655a8fb3444fe24_cobalt-strike_cobaltstrike.exe	LJWcBiL.exe
PID 2040 wrote to memory of 2704	2040	2024-05-21_4966911bb96dfb43c655a8fb3444fe24_cobalt-strike_cobaltstrike.exe	LJWcBiL.exe
PID 2040 wrote to memory of 2036	2040	2024-05-21_4966911bb96dfb43c655a8fb3444fe24_cobalt-strike_cobaltstrike.exe	jBISVYF.exe
PID 2040 wrote to memory of 2036	2040	2024-05-21_4966911bb96dfb43c655a8fb3444fe24_cobalt-strike_cobaltstrike.exe	jBISVYF.exe
PID 2040 wrote to memory of 2036	2040	2024-05-21_4966911bb96dfb43c655a8fb3444fe24_cobalt-strike_cobaltstrike.exe	jBISVYF.exe
PID 2040 wrote to memory of 2572	2040	2024-05-21_4966911bb96dfb43c655a8fb3444fe24_cobalt-strike_cobaltstrike.exe	LPfonxj.exe
PID 2040 wrote to memory of 2572	2040	2024-05-21_4966911bb96dfb43c655a8fb3444fe24_cobalt-strike_cobaltstrike.exe	LPfonxj.exe
PID 2040 wrote to memory of 2572	2040	2024-05-21_4966911bb96dfb43c655a8fb3444fe24_cobalt-strike_cobaltstrike.exe	LPfonxj.exe
PID 2040 wrote to memory of 2480	2040	2024-05-21_4966911bb96dfb43c655a8fb3444fe24_cobalt-strike_cobaltstrike.exe	pZFHlIx.exe
PID 2040 wrote to memory of 2480	2040	2024-05-21_4966911bb96dfb43c655a8fb3444fe24_cobalt-strike_cobaltstrike.exe	pZFHlIx.exe
PID 2040 wrote to memory of 2480	2040	2024-05-21_4966911bb96dfb43c655a8fb3444fe24_cobalt-strike_cobaltstrike.exe	pZFHlIx.exe
PID 2040 wrote to memory of 2808	2040	2024-05-21_4966911bb96dfb43c655a8fb3444fe24_cobalt-strike_cobaltstrike.exe	LcFkhnG.exe
PID 2040 wrote to memory of 2808	2040	2024-05-21_4966911bb96dfb43c655a8fb3444fe24_cobalt-strike_cobaltstrike.exe	LcFkhnG.exe
PID 2040 wrote to memory of 2808	2040	2024-05-21_4966911bb96dfb43c655a8fb3444fe24_cobalt-strike_cobaltstrike.exe	LcFkhnG.exe
PID 2040 wrote to memory of 892	2040	2024-05-21_4966911bb96dfb43c655a8fb3444fe24_cobalt-strike_cobaltstrike.exe	gjQoTqF.exe
PID 2040 wrote to memory of 892	2040	2024-05-21_4966911bb96dfb43c655a8fb3444fe24_cobalt-strike_cobaltstrike.exe	gjQoTqF.exe
PID 2040 wrote to memory of 892	2040	2024-05-21_4966911bb96dfb43c655a8fb3444fe24_cobalt-strike_cobaltstrike.exe	gjQoTqF.exe
PID 2040 wrote to memory of 2304	2040	2024-05-21_4966911bb96dfb43c655a8fb3444fe24_cobalt-strike_cobaltstrike.exe	oZeDNBL.exe
PID 2040 wrote to memory of 2304	2040	2024-05-21_4966911bb96dfb43c655a8fb3444fe24_cobalt-strike_cobaltstrike.exe	oZeDNBL.exe
PID 2040 wrote to memory of 2304	2040	2024-05-21_4966911bb96dfb43c655a8fb3444fe24_cobalt-strike_cobaltstrike.exe	oZeDNBL.exe
PID 2040 wrote to memory of 2664	2040	2024-05-21_4966911bb96dfb43c655a8fb3444fe24_cobalt-strike_cobaltstrike.exe	JQgPAwd.exe
PID 2040 wrote to memory of 2664	2040	2024-05-21_4966911bb96dfb43c655a8fb3444fe24_cobalt-strike_cobaltstrike.exe	JQgPAwd.exe
PID 2040 wrote to memory of 2664	2040	2024-05-21_4966911bb96dfb43c655a8fb3444fe24_cobalt-strike_cobaltstrike.exe	JQgPAwd.exe
PID 2040 wrote to memory of 2376	2040	2024-05-21_4966911bb96dfb43c655a8fb3444fe24_cobalt-strike_cobaltstrike.exe	EYuSMxl.exe
PID 2040 wrote to memory of 2376	2040	2024-05-21_4966911bb96dfb43c655a8fb3444fe24_cobalt-strike_cobaltstrike.exe	EYuSMxl.exe
PID 2040 wrote to memory of 2376	2040	2024-05-21_4966911bb96dfb43c655a8fb3444fe24_cobalt-strike_cobaltstrike.exe	EYuSMxl.exe
PID 2040 wrote to memory of 2404	2040	2024-05-21_4966911bb96dfb43c655a8fb3444fe24_cobalt-strike_cobaltstrike.exe	UNhHujc.exe
PID 2040 wrote to memory of 2404	2040	2024-05-21_4966911bb96dfb43c655a8fb3444fe24_cobalt-strike_cobaltstrike.exe	UNhHujc.exe
PID 2040 wrote to memory of 2404	2040	2024-05-21_4966911bb96dfb43c655a8fb3444fe24_cobalt-strike_cobaltstrike.exe	UNhHujc.exe
PID 2040 wrote to memory of 2896	2040	2024-05-21_4966911bb96dfb43c655a8fb3444fe24_cobalt-strike_cobaltstrike.exe	NsCJCUw.exe
PID 2040 wrote to memory of 2896	2040	2024-05-21_4966911bb96dfb43c655a8fb3444fe24_cobalt-strike_cobaltstrike.exe	NsCJCUw.exe
PID 2040 wrote to memory of 2896	2040	2024-05-21_4966911bb96dfb43c655a8fb3444fe24_cobalt-strike_cobaltstrike.exe	NsCJCUw.exe
PID 2040 wrote to memory of 2900	2040	2024-05-21_4966911bb96dfb43c655a8fb3444fe24_cobalt-strike_cobaltstrike.exe	buczJwP.exe
PID 2040 wrote to memory of 2900	2040	2024-05-21_4966911bb96dfb43c655a8fb3444fe24_cobalt-strike_cobaltstrike.exe	buczJwP.exe
PID 2040 wrote to memory of 2900	2040	2024-05-21_4966911bb96dfb43c655a8fb3444fe24_cobalt-strike_cobaltstrike.exe	buczJwP.exe
PID 2040 wrote to memory of 1944	2040	2024-05-21_4966911bb96dfb43c655a8fb3444fe24_cobalt-strike_cobaltstrike.exe	MnonmQL.exe
PID 2040 wrote to memory of 1944	2040	2024-05-21_4966911bb96dfb43c655a8fb3444fe24_cobalt-strike_cobaltstrike.exe	MnonmQL.exe
PID 2040 wrote to memory of 1944	2040	2024-05-21_4966911bb96dfb43c655a8fb3444fe24_cobalt-strike_cobaltstrike.exe	MnonmQL.exe
PID 2040 wrote to memory of 2588	2040	2024-05-21_4966911bb96dfb43c655a8fb3444fe24_cobalt-strike_cobaltstrike.exe	RjKLENO.exe
PID 2040 wrote to memory of 2588	2040	2024-05-21_4966911bb96dfb43c655a8fb3444fe24_cobalt-strike_cobaltstrike.exe	RjKLENO.exe
PID 2040 wrote to memory of 2588	2040	2024-05-21_4966911bb96dfb43c655a8fb3444fe24_cobalt-strike_cobaltstrike.exe	RjKLENO.exe
PID 2040 wrote to memory of 2696	2040	2024-05-21_4966911bb96dfb43c655a8fb3444fe24_cobalt-strike_cobaltstrike.exe	LEcxuew.exe
PID 2040 wrote to memory of 2696	2040	2024-05-21_4966911bb96dfb43c655a8fb3444fe24_cobalt-strike_cobaltstrike.exe	LEcxuew.exe
PID 2040 wrote to memory of 2696	2040	2024-05-21_4966911bb96dfb43c655a8fb3444fe24_cobalt-strike_cobaltstrike.exe	LEcxuew.exe
PID 2040 wrote to memory of 2780	2040	2024-05-21_4966911bb96dfb43c655a8fb3444fe24_cobalt-strike_cobaltstrike.exe	DcuYRvB.exe
PID 2040 wrote to memory of 2780	2040	2024-05-21_4966911bb96dfb43c655a8fb3444fe24_cobalt-strike_cobaltstrike.exe	DcuYRvB.exe
PID 2040 wrote to memory of 2780	2040	2024-05-21_4966911bb96dfb43c655a8fb3444fe24_cobalt-strike_cobaltstrike.exe	DcuYRvB.exe
PID 2040 wrote to memory of 1616	2040	2024-05-21_4966911bb96dfb43c655a8fb3444fe24_cobalt-strike_cobaltstrike.exe	UJoodWJ.exe
PID 2040 wrote to memory of 1616	2040	2024-05-21_4966911bb96dfb43c655a8fb3444fe24_cobalt-strike_cobaltstrike.exe	UJoodWJ.exe
PID 2040 wrote to memory of 1616	2040	2024-05-21_4966911bb96dfb43c655a8fb3444fe24_cobalt-strike_cobaltstrike.exe	UJoodWJ.exe
PID 2040 wrote to memory of 272	2040	2024-05-21_4966911bb96dfb43c655a8fb3444fe24_cobalt-strike_cobaltstrike.exe	SdtsGsP.exe
PID 2040 wrote to memory of 272	2040	2024-05-21_4966911bb96dfb43c655a8fb3444fe24_cobalt-strike_cobaltstrike.exe	SdtsGsP.exe
PID 2040 wrote to memory of 272	2040	2024-05-21_4966911bb96dfb43c655a8fb3444fe24_cobalt-strike_cobaltstrike.exe	SdtsGsP.exe
PID 2040 wrote to memory of 1768	2040	2024-05-21_4966911bb96dfb43c655a8fb3444fe24_cobalt-strike_cobaltstrike.exe	vIdkkLI.exe
PID 2040 wrote to memory of 1768	2040	2024-05-21_4966911bb96dfb43c655a8fb3444fe24_cobalt-strike_cobaltstrike.exe	vIdkkLI.exe
PID 2040 wrote to memory of 1768	2040	2024-05-21_4966911bb96dfb43c655a8fb3444fe24_cobalt-strike_cobaltstrike.exe	vIdkkLI.exe
PID 2040 wrote to memory of 472	2040	2024-05-21_4966911bb96dfb43c655a8fb3444fe24_cobalt-strike_cobaltstrike.exe	RHCcYNe.exe
PID 2040 wrote to memory of 472	2040	2024-05-21_4966911bb96dfb43c655a8fb3444fe24_cobalt-strike_cobaltstrike.exe	RHCcYNe.exe
PID 2040 wrote to memory of 472	2040	2024-05-21_4966911bb96dfb43c655a8fb3444fe24_cobalt-strike_cobaltstrike.exe	RHCcYNe.exe
PID 2040 wrote to memory of 1644	2040	2024-05-21_4966911bb96dfb43c655a8fb3444fe24_cobalt-strike_cobaltstrike.exe	JtRaAMb.exe
PID 2040 wrote to memory of 1644	2040	2024-05-21_4966911bb96dfb43c655a8fb3444fe24_cobalt-strike_cobaltstrike.exe	JtRaAMb.exe
PID 2040 wrote to memory of 1644	2040	2024-05-21_4966911bb96dfb43c655a8fb3444fe24_cobalt-strike_cobaltstrike.exe	JtRaAMb.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-21_4966911bb96dfb43c655a8fb3444fe24_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-21_4966911bb96dfb43c655a8fb3444fe24_cobalt-strike_cobaltstrike.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2040

C:\Windows\System\LJWcBiL.exe
C:\Windows\System\LJWcBiL.exe
2⤵
- Executes dropped EXE
PID:2704

C:\Windows\System\jBISVYF.exe
C:\Windows\System\jBISVYF.exe
2⤵
- Executes dropped EXE
PID:2036

C:\Windows\System\LPfonxj.exe
C:\Windows\System\LPfonxj.exe
2⤵
- Executes dropped EXE
PID:2572

C:\Windows\System\pZFHlIx.exe
C:\Windows\System\pZFHlIx.exe
2⤵
- Executes dropped EXE
PID:2480

C:\Windows\System\LcFkhnG.exe
C:\Windows\System\LcFkhnG.exe
2⤵
- Executes dropped EXE
PID:2808

C:\Windows\System\gjQoTqF.exe
C:\Windows\System\gjQoTqF.exe
2⤵
- Executes dropped EXE
PID:892

C:\Windows\System\oZeDNBL.exe
C:\Windows\System\oZeDNBL.exe
2⤵
- Executes dropped EXE
PID:2304

C:\Windows\System\JQgPAwd.exe
C:\Windows\System\JQgPAwd.exe
2⤵
- Executes dropped EXE
PID:2664

C:\Windows\System\EYuSMxl.exe
C:\Windows\System\EYuSMxl.exe
2⤵
- Executes dropped EXE
PID:2376

C:\Windows\System\UNhHujc.exe
C:\Windows\System\UNhHujc.exe
2⤵
- Executes dropped EXE
PID:2404

C:\Windows\System\NsCJCUw.exe
C:\Windows\System\NsCJCUw.exe
2⤵
- Executes dropped EXE
PID:2896

C:\Windows\System\buczJwP.exe
C:\Windows\System\buczJwP.exe
2⤵
- Executes dropped EXE
PID:2900

C:\Windows\System\MnonmQL.exe
C:\Windows\System\MnonmQL.exe
2⤵
- Executes dropped EXE
PID:1944

C:\Windows\System\RjKLENO.exe
C:\Windows\System\RjKLENO.exe
2⤵
- Executes dropped EXE
PID:2588

C:\Windows\System\LEcxuew.exe
C:\Windows\System\LEcxuew.exe
2⤵
- Executes dropped EXE
PID:2696

C:\Windows\System\DcuYRvB.exe
C:\Windows\System\DcuYRvB.exe
2⤵
- Executes dropped EXE
PID:2780

C:\Windows\System\UJoodWJ.exe
C:\Windows\System\UJoodWJ.exe
2⤵
- Executes dropped EXE
PID:1616

C:\Windows\System\SdtsGsP.exe
C:\Windows\System\SdtsGsP.exe
2⤵
- Executes dropped EXE
PID:272

C:\Windows\System\vIdkkLI.exe
C:\Windows\System\vIdkkLI.exe
2⤵
- Executes dropped EXE
PID:1768

C:\Windows\System\RHCcYNe.exe
C:\Windows\System\RHCcYNe.exe
2⤵
- Executes dropped EXE
PID:472

C:\Windows\System\JtRaAMb.exe
C:\Windows\System\JtRaAMb.exe
2⤵
- Executes dropped EXE
PID:1644

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\DcuYRvB.exe
Filesize
6.0MB

MD5
7cc91efa47ec39607367c718b67a9c98

SHA1
09e7dd1d36e4bb6cd491822da65b05e684997091

SHA256
a0f88611c4cf6a696f89509df86671953c26725083fbd4ba7c9d4f1d1a88d2a0

SHA512
4dfc370762b8725911658a30cfee857eb5487fae259815188f1eac59d5d86b3618d9650e2432481a4fd2f4270fcc4428d1bc54eafee02b4b357f4e9fcb460d31

Download Submit
C:\Windows\system\EYuSMxl.exe
Filesize
6.0MB

MD5
12a74a249bd25e1a4aa7e3cedb3e13fd

SHA1
809a35a1bbe7c3d86cd2ed562fcb2f0093496f8f

SHA256
ae4d4e8e1f93119fda7973c22756ec2d913edb6e93c831a1406503f57a4b4ef3

SHA512
9bb8b97e41beefdae66f6e9e1f4358fc47502722220445222d9647d00348c0f2f2300bd403053f61a35bdef0c00abbd680879be1ff2f84b72c7f11e9b2d7c0b5

Download Submit
C:\Windows\system\JQgPAwd.exe
Filesize
6.0MB

MD5
ecfd5095f4b8d3aee546039c800f7ccf

SHA1
215ea5d4e734f575aa595352a974c5f38d096748

SHA256
6e18dcb840ade67732a8dde2b47f74b16414c50b67ae745fab67266c553c98d3

SHA512
04316f6ee73ecaeb8730021463863648348774f519fc0c6090f8b2e266e5fbe2c6614b6ec7e74492b0f2c75f317f1237ef3f1b9538bc45bcd469404486703988

Download Submit
C:\Windows\system\LEcxuew.exe
Filesize
6.0MB

MD5
6d20b870c1c6d03eeb94e3645d12bb95

SHA1
e496136973309fb619247cc989ad90e1084b7aea

SHA256
e2891f3cca02cf19d580ad9c3fb61e8c8a444a5d951f9da7171ceb50551eba91

SHA512
055dbd91703742de1d7f85ab53e7f245580dd8f4924bb6f3ab2cffc49aac98e01489fa39d72284bbbe03897a62981b8789c36195d2944e8febc5843f72248c6a

Download Submit
C:\Windows\system\LJWcBiL.exe
Filesize
6.0MB

MD5
afa886a6f1d6f0f0667264e7819629b4

SHA1
d6f49cedc39473a9b64d5782750861dcde305c58

SHA256
c4556d96fbb5ff23f7a1cbb8a4bf49690be3df8e6284186a80f3cf00c410e756

SHA512
e4a1bd87c642f25edff6ad15441c60d452e11608f44d0145da85a73738cce7fae04fa99dd0a54845736bc8d9146a4cb2f85988852f377a25afcc5501894383c9

Download Submit
C:\Windows\system\LPfonxj.exe
Filesize
6.0MB

MD5
6f4dda4611e5791a895aaf4749c4c82f

SHA1
3a6e5bdbff09d165dc32eda918fdc3b189316e40

SHA256
4d28e5ee55fca3bf3ebf1c3b425050b3f661684fe0a68939ecfbe718e74f0b8f

SHA512
d27855d47c5513334c51bf4b09c90638c93422f92c20bf76c9a84d21a4caa5b52eb47a5776f7487931f8ab0e4a7477e63dc514f9963d1ac9899ee3aac40501c4

Download Submit
C:\Windows\system\MnonmQL.exe
Filesize
6.0MB

MD5
ae3be074dd9bbd787680e409500662a4

SHA1
78e03eae62c65c58db1a07dc861641888c6e88a2

SHA256
deabb05fea05dbf279c2c505fa04f03d4eef569d11b472a7b5e11f5446dad0ab

SHA512
02622245909781f89bebbaf73278e793790a4fb18b5da393e84e02376bf294473b94dcf6a4c7f534b9ffd9547d7e40804309be68e5fbfa4d114cb865332f4328

Download Submit
C:\Windows\system\NsCJCUw.exe
Filesize
6.0MB

MD5
c37588e212af2f3ac5272e5aab5541bf

SHA1
623d8391962bc82f7d07c07cb0a0c286b9008835

SHA256
c0723b0a830643d5ba6871943431e4935fba43af376da8641cc48f6b9afb469e

SHA512
3e9bdb77202a570c4c2e0532b5216e3b494c9cd1ef9979df4aec4e0ca98080e934a6c663db49bbd21c65bbfd4f24e6e38c0056831730b16ffbe2a15d18a9f7fa

Download Submit
C:\Windows\system\RHCcYNe.exe
Filesize
6.0MB

MD5
b23272d61c06849967428c65467f7899

SHA1
bec82364f14a726db9d6b00de9da983bb9ac18ff

SHA256
8bf5015c9b513a4793b5b4b909e6f14e3f3ca62ab44075aeefc563bbdf27a022

SHA512
f1df32f20b9bec14b9507d6cbb1f6093d5e28fd0c7faa38ac137918a216c86b6e8ed91c50cfd23b885b261231e3f2748b705b854e807e9c398e7c769d07d31ea

Download Submit
C:\Windows\system\RjKLENO.exe
Filesize
6.0MB

MD5
465b29bbbd14c1583bb3f390928b32b2

SHA1
20bf752a367b305317694e9eeaddd12092ebf009

SHA256
59bdcf9838ea202bba134a96918f74598529dd5b3043e5d73f99b988b37ed26c

SHA512
8806e74c0c06d5443b0e2c6d249ea0edf91bb22abd8b60725a3a3af2d6c0471f3a020dd7d53423e2565d0828ceddbb6d525ee5fb2881964f17660132667ae148

Download Submit
C:\Windows\system\SdtsGsP.exe
Filesize
6.0MB

MD5
4c0ca38fde509b681984d4f5c3463c98

SHA1
fad23c5573a900d85c5bc0abbb4dc2743a3e6e22

SHA256
34b5439c490e912feb7f22b69d28fd480b68a61330486dafdb674069c4bef9a1

SHA512
bc1d3fe9ceab6bdc1151519cbb92d862213a0faaae9799c0693321b30da33971f9f9db4bd8fb5109d36475b2ca99a00ff4f833d871060c900cffc33dfdc6e9c1

Download Submit
C:\Windows\system\UJoodWJ.exe
Filesize
6.0MB

MD5
0547745d691605d7d8296f1e55744cd8

SHA1
8e56cdc7aabc6ef8704756ef52fcd7294d4122f7

SHA256
093b8366a6ffd52194f8362418c5184790b667183df96b4da289c4294e9d0298

SHA512
0ee88cbf5d2db0e5f759687e5e0f090373351a2a2e67efbc4dd43b6263cf9e66a531df8e504e92d7bb7c4583e2a041be86daacc19a92b5bf7d7ee143416d839b

Download Submit
C:\Windows\system\UNhHujc.exe
Filesize
6.0MB

MD5
36789198554540a9e86d54a11c34e0c9

SHA1
ea388b8784308f7261284eb25573743408c565cb

SHA256
796eab88939a525f50f5fccb06f0f08345b096d81695fcb5926e6130892281b1

SHA512
ceb075aa021e2326b7a414809bba75fc5cc2ffd49d0c506cb3c57361c111440b26444d53bf01144f0994ae2c4299271f670342cd01b2aecc5b83b6a493bf072f

Download Submit
C:\Windows\system\buczJwP.exe
Filesize
6.0MB

MD5
63952bb6851e8cf0ce7ed763a21bb574

SHA1
0cca871a3a7e8023c9d593445faa9fd3db1801fb

SHA256
26be104e710f47497472e7da53c09f461fa563867a2ffbf646a7e4fe113e4f72

SHA512
33a7f7c1a1505d330fedf1099990ecb69fa849a3718e7be0e7b9124af5c80db5406ee60ab6f85caa855cf47a45f4d9711e2347741307597c95bb23ab1c272d59

Download Submit
C:\Windows\system\gjQoTqF.exe
Filesize
6.0MB

MD5
a73c1411454ed4e15dece1428d5d0040

SHA1
af6c294eadf4598f6c7d23a213fddcf43ed1bcb0

SHA256
bfb01a938d403a8e18bfb6bd3d9e13da716d0399f108d4c747357b027c5dbd09

SHA512
c8f1492eeda62e5e530cf0bd1a52446675711852072f67d2a7eda17930a5a1d7bd1f228dc80c1ee4d488ccd6dd13dd478ea1078edda97b2b36c56496e024ec94

Download Submit
C:\Windows\system\jBISVYF.exe
Filesize
6.0MB

MD5
62e8f2a9d7b5d41d55cd1c9741990270

SHA1
9d434f71fc7d0649e9b7cd3daf9d5a5cb08e21b8

SHA256
3ce0207d7a171a96666e495ee4b5ec4dda0a432a80cd59807a855c835e4b3513

SHA512
fba7f2aaf9d9688889c45bc9fb98474640af3fc198b79c0055cea3d8241e6c3cc953eb6f1e28511428596b1faa5fb0d5434af15a7c7f3d9f820a829e84429862

Download Submit
C:\Windows\system\oZeDNBL.exe
Filesize
6.0MB

MD5
93994832ffda8d0361e1e39b4cb785f6

SHA1
6b4f0b749e78fad8ba4da9d5ce88f3f8b9874fde

SHA256
01016fdf605e32b3564c0b43e4d0a6191a47c8e8a6a8df9f222182b4467dc73f

SHA512
f12a61f88d91a3bb473b6beff1c25be1cbdf27edee9bc048e4c49bc41958818e1cf8d3c10e2b607cdb13a343900370f4f3bd2bab24b598b687a1bbc1012425ee

Download Submit
C:\Windows\system\vIdkkLI.exe
Filesize
6.0MB

MD5
650a76bccda8e45f8b6a3565f1c9e490

SHA1
cd0c60db0ce9bc37ad4ba3e03271a82c9fb14fc6

SHA256
c252f7b9eae1f0dc2d8706bf50231e5f2596156099329914457b90174afa039d

SHA512
e3462a6d8003e5fc0ca71211a2da7988f2e210278e2949810ddfb5f1e3023decaf0fc662086aa6db995316b4e8b54809dff39bd9c2c5dadb661581c835bb1d2b

Download Submit
\Windows\system\JtRaAMb.exe
Filesize
6.0MB

MD5
055a27280d152620f606ab00872ca972

SHA1
a5de321f33cdd72bb8c55cc58aa500299ebeecf7

SHA256
88f2433a56a068180573b7a12437a4bb6076a3b8bfa51e570baf83f33a24c37b

SHA512
35243127f88b8f1762522c0873ad067be46333d9c6d89eafb4b8073b51d5a6e6c443470bcd3baa37cbf1430ace1b1002644aaca9050a327958083ed02a6b5bb0

Download Submit
\Windows\system\LcFkhnG.exe
Filesize
6.0MB

MD5
9a0bdbc6bcbc9d3fa98187d202317fa0

SHA1
621ca457c64b3e6f45259b28ba1a794aa393d41b

SHA256
106c2e26958886277e66dd29a6bdc3b092bb3b63b0737905b39b43b7d03b8f63

SHA512
d1e292f58c7b5c58c94797a984a83a8f6188914dfb3b32bffc03b0ee26842ddc5d1469128d741e1637d8c64080220f682d20fa218ef4f1048de94857844fc792

Download Submit
\Windows\system\pZFHlIx.exe
Filesize
6.0MB

MD5
d46fd4d18d04ce06d867e6be329de6f1

SHA1
62f83207bcfb1d08453daa9de72c2d2b889c94a4

SHA256
23019dcd7dc481b8209303549d6783c471eb75b1b5ce4fc13f7ab7e3c5be99ee

SHA512
065e2fb3dd6bf681cc0d4f723b718378e74bfeb5d82c964aa1c39a2ed8fd72ce04035a92f8ae190818fbf0446d7cb733d54b8f0ee36870cebdd4dbbd88c4a361

Download Submit
memory/892-117-0x000000013F750000-0x000000013FAA4000-memory.dmp

Filesize
3.3MB

Download
memory/892-140-0x000000013F750000-0x000000013FAA4000-memory.dmp

Filesize
3.3MB

Download
memory/1944-147-0x000000013F2B0000-0x000000013F604000-memory.dmp

Filesize
3.3MB

Download
memory/1944-127-0x000000013F2B0000-0x000000013F604000-memory.dmp

Filesize
3.3MB

Download
memory/2036-133-0x000000013F5A0000-0x000000013F8F4000-memory.dmp

Filesize
3.3MB

Download
memory/2036-20-0x000000013F5A0000-0x000000013F8F4000-memory.dmp

Filesize
3.3MB

Download
memory/2036-136-0x000000013F5A0000-0x000000013F8F4000-memory.dmp

Filesize
3.3MB

Download
memory/2040-126-0x000000013F2B0000-0x000000013F604000-memory.dmp

Filesize
3.3MB

Download
memory/2040-11-0x0000000002490000-0x00000000027E4000-memory.dmp

Filesize
3.3MB

Download
memory/2040-18-0x0000000002490000-0x00000000027E4000-memory.dmp

Filesize
3.3MB

Download
memory/2040-28-0x0000000002490000-0x00000000027E4000-memory.dmp

Filesize
3.3MB

Download
memory/2040-13-0x000000013F5A0000-0x000000013F8F4000-memory.dmp

Filesize
3.3MB

Download
memory/2040-132-0x000000013FD00000-0x0000000140054000-memory.dmp

Filesize
3.3MB

Download
memory/2040-1-0x000000013FD00000-0x0000000140054000-memory.dmp

Filesize
3.3MB

Download
memory/2040-122-0x000000013F740000-0x000000013FA94000-memory.dmp

Filesize
3.3MB

Download
memory/2040-0-0x00000000001F0000-0x0000000000200000-memory.dmp

Filesize
64KB

Download
memory/2040-115-0x0000000002490000-0x00000000027E4000-memory.dmp

Filesize
3.3MB

Download
memory/2040-124-0x000000013F150000-0x000000013F4A4000-memory.dmp

Filesize
3.3MB

Download
memory/2040-131-0x000000013F750000-0x000000013FAA4000-memory.dmp

Filesize
3.3MB

Download
memory/2040-130-0x000000013F0E0000-0x000000013F434000-memory.dmp

Filesize
3.3MB

Download
memory/2040-128-0x000000013F2C0000-0x000000013F614000-memory.dmp

Filesize
3.3MB

Download
memory/2304-141-0x000000013FE60000-0x00000001401B4000-memory.dmp

Filesize
3.3MB

Download
memory/2304-118-0x000000013FE60000-0x00000001401B4000-memory.dmp

Filesize
3.3MB

Download
memory/2376-120-0x000000013FA50000-0x000000013FDA4000-memory.dmp

Filesize
3.3MB

Download
memory/2376-143-0x000000013FA50000-0x000000013FDA4000-memory.dmp

Filesize
3.3MB

Download
memory/2404-121-0x000000013FCD0000-0x0000000140024000-memory.dmp

Filesize
3.3MB

Download
memory/2404-144-0x000000013FCD0000-0x0000000140024000-memory.dmp

Filesize
3.3MB

Download
memory/2480-137-0x000000013FC50000-0x000000013FFA4000-memory.dmp

Filesize
3.3MB

Download
memory/2480-30-0x000000013FC50000-0x000000013FFA4000-memory.dmp

Filesize
3.3MB

Download
memory/2572-138-0x000000013FFA0000-0x00000001402F4000-memory.dmp

Filesize
3.3MB

Download
memory/2572-134-0x000000013FFA0000-0x00000001402F4000-memory.dmp

Filesize
3.3MB

Download
memory/2572-26-0x000000013FFA0000-0x00000001402F4000-memory.dmp

Filesize
3.3MB

Download
memory/2588-148-0x000000013F2C0000-0x000000013F614000-memory.dmp

Filesize
3.3MB

Download
memory/2588-129-0x000000013F2C0000-0x000000013F614000-memory.dmp

Filesize
3.3MB

Download
memory/2664-119-0x000000013F6D0000-0x000000013FA24000-memory.dmp

Filesize
3.3MB

Download
memory/2664-142-0x000000013F6D0000-0x000000013FA24000-memory.dmp

Filesize
3.3MB

Download
memory/2704-16-0x000000013FF10000-0x0000000140264000-memory.dmp

Filesize
3.3MB

Download
memory/2704-135-0x000000013FF10000-0x0000000140264000-memory.dmp

Filesize
3.3MB

Download
memory/2808-116-0x000000013FE70000-0x00000001401C4000-memory.dmp

Filesize
3.3MB

Download
memory/2808-139-0x000000013FE70000-0x00000001401C4000-memory.dmp

Filesize
3.3MB

Download
memory/2896-145-0x000000013F740000-0x000000013FA94000-memory.dmp

Filesize
3.3MB

Download
memory/2896-123-0x000000013F740000-0x000000013FA94000-memory.dmp

Filesize
3.3MB

Download
memory/2900-146-0x000000013F150000-0x000000013F4A4000-memory.dmp

Filesize
3.3MB

Download
memory/2900-125-0x000000013F150000-0x000000013F4A4000-memory.dmp

Filesize
3.3MB

Download