cobaltstrike | c87a3f4aceab05c76c16e3c2b66d6b13143e37bafe82b097c41bfe5375aeab51

Analysis

max time kernel
137s
max time network
150s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
21-05-2024 01:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-21_a9c02ed9fbb3b43279e34f86e2a41582_cobalt-strike_cobaltstrike.exe
Size

5.9MB
MD5

a9c02ed9fbb3b43279e34f86e2a41582
SHA1

4324bb8cedbf07c6cc14d97c6d7a96234f15316d
SHA256

c87a3f4aceab05c76c16e3c2b66d6b13143e37bafe82b097c41bfe5375aeab51
SHA512

2089e09f39f4af92835a129cd211040d3d8025bb3e173e9b72557ebd2397a23786a36a8ebf1f9e5d9fbb39ebbcff568386ac6ea7a29ee3e65aaf3f642cfb2a7c
SSDEEP

98304:demTLkNdfE0pZ3656utgpPFotBER/mQ32lUL:E+v56utgpPF8u/7L

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\system\HNcOkbA.exe	cobalt_reflective_dll
C:\Windows\system\uqBCbaz.exe	cobalt_reflective_dll
\Windows\system\DEJPwqV.exe	cobalt_reflective_dll
C:\Windows\system\HsFqMkC.exe	cobalt_reflective_dll
C:\Windows\system\TkNdBKZ.exe	cobalt_reflective_dll
C:\Windows\system\saMZPyj.exe	cobalt_reflective_dll
C:\Windows\system\jGJEVxW.exe	cobalt_reflective_dll
C:\Windows\system\sCwVFmG.exe	cobalt_reflective_dll
C:\Windows\system\VxNHoZg.exe	cobalt_reflective_dll
\Windows\system\APPZDXB.exe	cobalt_reflective_dll
C:\Windows\system\fUOEmmI.exe	cobalt_reflective_dll
C:\Windows\system\OYsOODF.exe	cobalt_reflective_dll
C:\Windows\system\OgpWvmG.exe	cobalt_reflective_dll
C:\Windows\system\zsuGSqk.exe	cobalt_reflective_dll
C:\Windows\system\SQjThlK.exe	cobalt_reflective_dll
C:\Windows\system\kLhNiae.exe	cobalt_reflective_dll
C:\Windows\system\JgbAmBi.exe	cobalt_reflective_dll
C:\Windows\system\uHsYDUM.exe	cobalt_reflective_dll
C:\Windows\system\UQNagKJ.exe	cobalt_reflective_dll
C:\Windows\system\KyqhXPC.exe	cobalt_reflective_dll
C:\Windows\system\fBTJIaF.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
C:\Windows\system\HNcOkbA.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\uqBCbaz.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\DEJPwqV.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\HsFqMkC.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\TkNdBKZ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\saMZPyj.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\jGJEVxW.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\sCwVFmG.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\VxNHoZg.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\APPZDXB.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\fUOEmmI.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\OYsOODF.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\OgpWvmG.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\zsuGSqk.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\SQjThlK.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\kLhNiae.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\JgbAmBi.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\uHsYDUM.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\UQNagKJ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\KyqhXPC.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\fBTJIaF.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 50 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2348-0-0x000000013F610000-0x000000013F964000-memory.dmp	UPX
C:\Windows\system\HNcOkbA.exe	UPX
C:\Windows\system\uqBCbaz.exe	UPX
\Windows\system\DEJPwqV.exe	UPX
behavioral1/memory/2564-14-0x000000013FC10000-0x000000013FF64000-memory.dmp	UPX
behavioral1/memory/2300-13-0x000000013FA90000-0x000000013FDE4000-memory.dmp	UPX
C:\Windows\system\HsFqMkC.exe	UPX
behavioral1/memory/2632-31-0x000000013FE60000-0x00000001401B4000-memory.dmp	UPX
C:\Windows\system\TkNdBKZ.exe	UPX
C:\Windows\system\saMZPyj.exe	UPX
behavioral1/memory/2576-36-0x000000013F6E0000-0x000000013FA34000-memory.dmp	UPX
behavioral1/memory/2720-40-0x000000013FC60000-0x000000013FFB4000-memory.dmp	UPX
C:\Windows\system\jGJEVxW.exe	UPX
behavioral1/memory/2092-62-0x000000013F700000-0x000000013FA54000-memory.dmp	UPX
behavioral1/memory/2420-71-0x000000013F060000-0x000000013F3B4000-memory.dmp	UPX
C:\Windows\system\sCwVFmG.exe	UPX
behavioral1/memory/3068-81-0x000000013FA70000-0x000000013FDC4000-memory.dmp	UPX
behavioral1/memory/2348-89-0x0000000002260000-0x00000000025B4000-memory.dmp	UPX
C:\Windows\system\VxNHoZg.exe	UPX
\Windows\system\APPZDXB.exe	UPX
C:\Windows\system\fUOEmmI.exe	UPX
C:\Windows\system\OYsOODF.exe	UPX
C:\Windows\system\OgpWvmG.exe	UPX
C:\Windows\system\zsuGSqk.exe	UPX
C:\Windows\system\SQjThlK.exe	UPX
C:\Windows\system\kLhNiae.exe	UPX
behavioral1/memory/2944-103-0x000000013F6F0000-0x000000013FA44000-memory.dmp	UPX
C:\Windows\system\JgbAmBi.exe	UPX
behavioral1/memory/2496-85-0x000000013F5D0000-0x000000013F924000-memory.dmp	UPX
behavioral1/memory/2560-79-0x000000013FD40000-0x0000000140094000-memory.dmp	UPX
behavioral1/memory/2348-131-0x000000013F610000-0x000000013F964000-memory.dmp	UPX
behavioral1/memory/2472-74-0x000000013F8E0000-0x000000013FC34000-memory.dmp	UPX
C:\Windows\system\uHsYDUM.exe	UPX
behavioral1/memory/2672-66-0x000000013F7F0000-0x000000013FB44000-memory.dmp	UPX
C:\Windows\system\UQNagKJ.exe	UPX
C:\Windows\system\KyqhXPC.exe	UPX
C:\Windows\system\fBTJIaF.exe	UPX
behavioral1/memory/2300-135-0x000000013FA90000-0x000000013FDE4000-memory.dmp	UPX
behavioral1/memory/2564-136-0x000000013FC10000-0x000000013FF64000-memory.dmp	UPX
behavioral1/memory/2576-137-0x000000013F6E0000-0x000000013FA34000-memory.dmp	UPX
behavioral1/memory/2632-138-0x000000013FE60000-0x00000001401B4000-memory.dmp	UPX
behavioral1/memory/2720-139-0x000000013FC60000-0x000000013FFB4000-memory.dmp	UPX
behavioral1/memory/2092-140-0x000000013F700000-0x000000013FA54000-memory.dmp	UPX
behavioral1/memory/2672-141-0x000000013F7F0000-0x000000013FB44000-memory.dmp	UPX
behavioral1/memory/2560-143-0x000000013FD40000-0x0000000140094000-memory.dmp	UPX
behavioral1/memory/2420-142-0x000000013F060000-0x000000013F3B4000-memory.dmp	UPX
behavioral1/memory/2472-144-0x000000013F8E0000-0x000000013FC34000-memory.dmp	UPX
behavioral1/memory/3068-145-0x000000013FA70000-0x000000013FDC4000-memory.dmp	UPX
behavioral1/memory/2496-146-0x000000013F5D0000-0x000000013F924000-memory.dmp	UPX
behavioral1/memory/2944-147-0x000000013F6F0000-0x000000013FA44000-memory.dmp	UPX

XMRig Miner payload 52 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/2348-0-0x000000013F610000-0x000000013F964000-memory.dmp	xmrig
C:\Windows\system\HNcOkbA.exe	xmrig
C:\Windows\system\uqBCbaz.exe	xmrig
\Windows\system\DEJPwqV.exe	xmrig
behavioral1/memory/2564-14-0x000000013FC10000-0x000000013FF64000-memory.dmp	xmrig
behavioral1/memory/2300-13-0x000000013FA90000-0x000000013FDE4000-memory.dmp	xmrig
C:\Windows\system\HsFqMkC.exe	xmrig
behavioral1/memory/2632-31-0x000000013FE60000-0x00000001401B4000-memory.dmp	xmrig
C:\Windows\system\TkNdBKZ.exe	xmrig
C:\Windows\system\saMZPyj.exe	xmrig
behavioral1/memory/2576-36-0x000000013F6E0000-0x000000013FA34000-memory.dmp	xmrig
behavioral1/memory/2720-40-0x000000013FC60000-0x000000013FFB4000-memory.dmp	xmrig
C:\Windows\system\jGJEVxW.exe	xmrig
behavioral1/memory/2092-62-0x000000013F700000-0x000000013FA54000-memory.dmp	xmrig
behavioral1/memory/2420-71-0x000000013F060000-0x000000013F3B4000-memory.dmp	xmrig
C:\Windows\system\sCwVFmG.exe	xmrig
behavioral1/memory/2348-80-0x0000000002260000-0x00000000025B4000-memory.dmp	xmrig
behavioral1/memory/3068-81-0x000000013FA70000-0x000000013FDC4000-memory.dmp	xmrig
behavioral1/memory/2348-89-0x0000000002260000-0x00000000025B4000-memory.dmp	xmrig
C:\Windows\system\VxNHoZg.exe	xmrig
\Windows\system\APPZDXB.exe	xmrig
C:\Windows\system\fUOEmmI.exe	xmrig
C:\Windows\system\OYsOODF.exe	xmrig
C:\Windows\system\OgpWvmG.exe	xmrig
C:\Windows\system\zsuGSqk.exe	xmrig
C:\Windows\system\SQjThlK.exe	xmrig
C:\Windows\system\kLhNiae.exe	xmrig
behavioral1/memory/2944-103-0x000000013F6F0000-0x000000013FA44000-memory.dmp	xmrig
C:\Windows\system\JgbAmBi.exe	xmrig
behavioral1/memory/2496-85-0x000000013F5D0000-0x000000013F924000-memory.dmp	xmrig
behavioral1/memory/2560-79-0x000000013FD40000-0x0000000140094000-memory.dmp	xmrig
behavioral1/memory/2348-131-0x000000013F610000-0x000000013F964000-memory.dmp	xmrig
behavioral1/memory/2348-76-0x000000013FD40000-0x0000000140094000-memory.dmp	xmrig
behavioral1/memory/2472-74-0x000000013F8E0000-0x000000013FC34000-memory.dmp	xmrig
C:\Windows\system\uHsYDUM.exe	xmrig
behavioral1/memory/2672-66-0x000000013F7F0000-0x000000013FB44000-memory.dmp	xmrig
C:\Windows\system\UQNagKJ.exe	xmrig
C:\Windows\system\KyqhXPC.exe	xmrig
C:\Windows\system\fBTJIaF.exe	xmrig
behavioral1/memory/2300-135-0x000000013FA90000-0x000000013FDE4000-memory.dmp	xmrig
behavioral1/memory/2564-136-0x000000013FC10000-0x000000013FF64000-memory.dmp	xmrig
behavioral1/memory/2576-137-0x000000013F6E0000-0x000000013FA34000-memory.dmp	xmrig
behavioral1/memory/2632-138-0x000000013FE60000-0x00000001401B4000-memory.dmp	xmrig
behavioral1/memory/2720-139-0x000000013FC60000-0x000000013FFB4000-memory.dmp	xmrig
behavioral1/memory/2092-140-0x000000013F700000-0x000000013FA54000-memory.dmp	xmrig
behavioral1/memory/2672-141-0x000000013F7F0000-0x000000013FB44000-memory.dmp	xmrig
behavioral1/memory/2560-143-0x000000013FD40000-0x0000000140094000-memory.dmp	xmrig
behavioral1/memory/2420-142-0x000000013F060000-0x000000013F3B4000-memory.dmp	xmrig
behavioral1/memory/2472-144-0x000000013F8E0000-0x000000013FC34000-memory.dmp	xmrig
behavioral1/memory/3068-145-0x000000013FA70000-0x000000013FDC4000-memory.dmp	xmrig
behavioral1/memory/2496-146-0x000000013F5D0000-0x000000013F924000-memory.dmp	xmrig
behavioral1/memory/2944-147-0x000000013F6F0000-0x000000013FA44000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

HNcOkbA.exeHsFqMkC.exeuqBCbaz.exeDEJPwqV.exeTkNdBKZ.exesaMZPyj.exefBTJIaF.exejGJEVxW.exeKyqhXPC.exeUQNagKJ.exesCwVFmG.exeuHsYDUM.exeVxNHoZg.exeJgbAmBi.exekLhNiae.exeAPPZDXB.exeSQjThlK.exefUOEmmI.exeOYsOODF.exezsuGSqk.exeOgpWvmG.exe

pid	process
2300	HNcOkbA.exe
2564	HsFqMkC.exe
2632	uqBCbaz.exe
2576	DEJPwqV.exe
2720	TkNdBKZ.exe
2092	saMZPyj.exe
2672	fBTJIaF.exe
2560	jGJEVxW.exe
2420	KyqhXPC.exe
2472	UQNagKJ.exe
3068	sCwVFmG.exe
2496	uHsYDUM.exe
2944	VxNHoZg.exe
2684	JgbAmBi.exe
2948	kLhNiae.exe
2984	APPZDXB.exe
1368	SQjThlK.exe
2824	fUOEmmI.exe
1952	OYsOODF.exe
1612	zsuGSqk.exe
1476	OgpWvmG.exe

Loads dropped DLL 21 IoCs

Processes:

2024-05-21_a9c02ed9fbb3b43279e34f86e2a41582_cobalt-strike_cobaltstrike.exe

pid	process
2348	2024-05-21_a9c02ed9fbb3b43279e34f86e2a41582_cobalt-strike_cobaltstrike.exe
2348	2024-05-21_a9c02ed9fbb3b43279e34f86e2a41582_cobalt-strike_cobaltstrike.exe
2348	2024-05-21_a9c02ed9fbb3b43279e34f86e2a41582_cobalt-strike_cobaltstrike.exe
2348	2024-05-21_a9c02ed9fbb3b43279e34f86e2a41582_cobalt-strike_cobaltstrike.exe
2348	2024-05-21_a9c02ed9fbb3b43279e34f86e2a41582_cobalt-strike_cobaltstrike.exe
2348	2024-05-21_a9c02ed9fbb3b43279e34f86e2a41582_cobalt-strike_cobaltstrike.exe
2348	2024-05-21_a9c02ed9fbb3b43279e34f86e2a41582_cobalt-strike_cobaltstrike.exe
2348	2024-05-21_a9c02ed9fbb3b43279e34f86e2a41582_cobalt-strike_cobaltstrike.exe
2348	2024-05-21_a9c02ed9fbb3b43279e34f86e2a41582_cobalt-strike_cobaltstrike.exe
2348	2024-05-21_a9c02ed9fbb3b43279e34f86e2a41582_cobalt-strike_cobaltstrike.exe
2348	2024-05-21_a9c02ed9fbb3b43279e34f86e2a41582_cobalt-strike_cobaltstrike.exe
2348	2024-05-21_a9c02ed9fbb3b43279e34f86e2a41582_cobalt-strike_cobaltstrike.exe
2348	2024-05-21_a9c02ed9fbb3b43279e34f86e2a41582_cobalt-strike_cobaltstrike.exe
2348	2024-05-21_a9c02ed9fbb3b43279e34f86e2a41582_cobalt-strike_cobaltstrike.exe
2348	2024-05-21_a9c02ed9fbb3b43279e34f86e2a41582_cobalt-strike_cobaltstrike.exe
2348	2024-05-21_a9c02ed9fbb3b43279e34f86e2a41582_cobalt-strike_cobaltstrike.exe
2348	2024-05-21_a9c02ed9fbb3b43279e34f86e2a41582_cobalt-strike_cobaltstrike.exe
2348	2024-05-21_a9c02ed9fbb3b43279e34f86e2a41582_cobalt-strike_cobaltstrike.exe
2348	2024-05-21_a9c02ed9fbb3b43279e34f86e2a41582_cobalt-strike_cobaltstrike.exe
2348	2024-05-21_a9c02ed9fbb3b43279e34f86e2a41582_cobalt-strike_cobaltstrike.exe
2348	2024-05-21_a9c02ed9fbb3b43279e34f86e2a41582_cobalt-strike_cobaltstrike.exe

UPX packed file 50 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2348-0-0x000000013F610000-0x000000013F964000-memory.dmp	upx
C:\Windows\system\HNcOkbA.exe	upx
C:\Windows\system\uqBCbaz.exe	upx
\Windows\system\DEJPwqV.exe	upx
behavioral1/memory/2564-14-0x000000013FC10000-0x000000013FF64000-memory.dmp	upx
behavioral1/memory/2300-13-0x000000013FA90000-0x000000013FDE4000-memory.dmp	upx
C:\Windows\system\HsFqMkC.exe	upx
behavioral1/memory/2632-31-0x000000013FE60000-0x00000001401B4000-memory.dmp	upx
C:\Windows\system\TkNdBKZ.exe	upx
C:\Windows\system\saMZPyj.exe	upx
behavioral1/memory/2576-36-0x000000013F6E0000-0x000000013FA34000-memory.dmp	upx
behavioral1/memory/2720-40-0x000000013FC60000-0x000000013FFB4000-memory.dmp	upx
C:\Windows\system\jGJEVxW.exe	upx
behavioral1/memory/2092-62-0x000000013F700000-0x000000013FA54000-memory.dmp	upx
behavioral1/memory/2420-71-0x000000013F060000-0x000000013F3B4000-memory.dmp	upx
C:\Windows\system\sCwVFmG.exe	upx
behavioral1/memory/3068-81-0x000000013FA70000-0x000000013FDC4000-memory.dmp	upx
behavioral1/memory/2348-89-0x0000000002260000-0x00000000025B4000-memory.dmp	upx
C:\Windows\system\VxNHoZg.exe	upx
\Windows\system\APPZDXB.exe	upx
C:\Windows\system\fUOEmmI.exe	upx
C:\Windows\system\OYsOODF.exe	upx
C:\Windows\system\OgpWvmG.exe	upx
C:\Windows\system\zsuGSqk.exe	upx
C:\Windows\system\SQjThlK.exe	upx
C:\Windows\system\kLhNiae.exe	upx
behavioral1/memory/2944-103-0x000000013F6F0000-0x000000013FA44000-memory.dmp	upx
C:\Windows\system\JgbAmBi.exe	upx
behavioral1/memory/2496-85-0x000000013F5D0000-0x000000013F924000-memory.dmp	upx
behavioral1/memory/2560-79-0x000000013FD40000-0x0000000140094000-memory.dmp	upx
behavioral1/memory/2348-131-0x000000013F610000-0x000000013F964000-memory.dmp	upx
behavioral1/memory/2472-74-0x000000013F8E0000-0x000000013FC34000-memory.dmp	upx
C:\Windows\system\uHsYDUM.exe	upx
behavioral1/memory/2672-66-0x000000013F7F0000-0x000000013FB44000-memory.dmp	upx
C:\Windows\system\UQNagKJ.exe	upx
C:\Windows\system\KyqhXPC.exe	upx
C:\Windows\system\fBTJIaF.exe	upx
behavioral1/memory/2300-135-0x000000013FA90000-0x000000013FDE4000-memory.dmp	upx
behavioral1/memory/2564-136-0x000000013FC10000-0x000000013FF64000-memory.dmp	upx
behavioral1/memory/2576-137-0x000000013F6E0000-0x000000013FA34000-memory.dmp	upx
behavioral1/memory/2632-138-0x000000013FE60000-0x00000001401B4000-memory.dmp	upx
behavioral1/memory/2720-139-0x000000013FC60000-0x000000013FFB4000-memory.dmp	upx
behavioral1/memory/2092-140-0x000000013F700000-0x000000013FA54000-memory.dmp	upx
behavioral1/memory/2672-141-0x000000013F7F0000-0x000000013FB44000-memory.dmp	upx
behavioral1/memory/2560-143-0x000000013FD40000-0x0000000140094000-memory.dmp	upx
behavioral1/memory/2420-142-0x000000013F060000-0x000000013F3B4000-memory.dmp	upx
behavioral1/memory/2472-144-0x000000013F8E0000-0x000000013FC34000-memory.dmp	upx
behavioral1/memory/3068-145-0x000000013FA70000-0x000000013FDC4000-memory.dmp	upx
behavioral1/memory/2496-146-0x000000013F5D0000-0x000000013F924000-memory.dmp	upx
behavioral1/memory/2944-147-0x000000013F6F0000-0x000000013FA44000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-05-21_a9c02ed9fbb3b43279e34f86e2a41582_cobalt-strike_cobaltstrike.exe

description	ioc	process
File created	C:\Windows\System\TkNdBKZ.exe	2024-05-21_a9c02ed9fbb3b43279e34f86e2a41582_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\kLhNiae.exe	2024-05-21_a9c02ed9fbb3b43279e34f86e2a41582_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\OYsOODF.exe	2024-05-21_a9c02ed9fbb3b43279e34f86e2a41582_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\UQNagKJ.exe	2024-05-21_a9c02ed9fbb3b43279e34f86e2a41582_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\SQjThlK.exe	2024-05-21_a9c02ed9fbb3b43279e34f86e2a41582_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\fUOEmmI.exe	2024-05-21_a9c02ed9fbb3b43279e34f86e2a41582_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\OgpWvmG.exe	2024-05-21_a9c02ed9fbb3b43279e34f86e2a41582_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\fBTJIaF.exe	2024-05-21_a9c02ed9fbb3b43279e34f86e2a41582_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\KyqhXPC.exe	2024-05-21_a9c02ed9fbb3b43279e34f86e2a41582_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\uHsYDUM.exe	2024-05-21_a9c02ed9fbb3b43279e34f86e2a41582_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\saMZPyj.exe	2024-05-21_a9c02ed9fbb3b43279e34f86e2a41582_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\APPZDXB.exe	2024-05-21_a9c02ed9fbb3b43279e34f86e2a41582_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\HNcOkbA.exe	2024-05-21_a9c02ed9fbb3b43279e34f86e2a41582_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\HsFqMkC.exe	2024-05-21_a9c02ed9fbb3b43279e34f86e2a41582_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\uqBCbaz.exe	2024-05-21_a9c02ed9fbb3b43279e34f86e2a41582_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\VxNHoZg.exe	2024-05-21_a9c02ed9fbb3b43279e34f86e2a41582_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\JgbAmBi.exe	2024-05-21_a9c02ed9fbb3b43279e34f86e2a41582_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\zsuGSqk.exe	2024-05-21_a9c02ed9fbb3b43279e34f86e2a41582_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\DEJPwqV.exe	2024-05-21_a9c02ed9fbb3b43279e34f86e2a41582_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\jGJEVxW.exe	2024-05-21_a9c02ed9fbb3b43279e34f86e2a41582_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\sCwVFmG.exe	2024-05-21_a9c02ed9fbb3b43279e34f86e2a41582_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-05-21_a9c02ed9fbb3b43279e34f86e2a41582_cobalt-strike_cobaltstrike.exe

description	pid	process
Token: SeLockMemoryPrivilege	2348	2024-05-21_a9c02ed9fbb3b43279e34f86e2a41582_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	2348	2024-05-21_a9c02ed9fbb3b43279e34f86e2a41582_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

2024-05-21_a9c02ed9fbb3b43279e34f86e2a41582_cobalt-strike_cobaltstrike.exe

description	pid	process	target process
PID 2348 wrote to memory of 2300	2348	2024-05-21_a9c02ed9fbb3b43279e34f86e2a41582_cobalt-strike_cobaltstrike.exe	HNcOkbA.exe
PID 2348 wrote to memory of 2300	2348	2024-05-21_a9c02ed9fbb3b43279e34f86e2a41582_cobalt-strike_cobaltstrike.exe	HNcOkbA.exe
PID 2348 wrote to memory of 2300	2348	2024-05-21_a9c02ed9fbb3b43279e34f86e2a41582_cobalt-strike_cobaltstrike.exe	HNcOkbA.exe
PID 2348 wrote to memory of 2564	2348	2024-05-21_a9c02ed9fbb3b43279e34f86e2a41582_cobalt-strike_cobaltstrike.exe	HsFqMkC.exe
PID 2348 wrote to memory of 2564	2348	2024-05-21_a9c02ed9fbb3b43279e34f86e2a41582_cobalt-strike_cobaltstrike.exe	HsFqMkC.exe
PID 2348 wrote to memory of 2564	2348	2024-05-21_a9c02ed9fbb3b43279e34f86e2a41582_cobalt-strike_cobaltstrike.exe	HsFqMkC.exe
PID 2348 wrote to memory of 2632	2348	2024-05-21_a9c02ed9fbb3b43279e34f86e2a41582_cobalt-strike_cobaltstrike.exe	uqBCbaz.exe
PID 2348 wrote to memory of 2632	2348	2024-05-21_a9c02ed9fbb3b43279e34f86e2a41582_cobalt-strike_cobaltstrike.exe	uqBCbaz.exe
PID 2348 wrote to memory of 2632	2348	2024-05-21_a9c02ed9fbb3b43279e34f86e2a41582_cobalt-strike_cobaltstrike.exe	uqBCbaz.exe
PID 2348 wrote to memory of 2576	2348	2024-05-21_a9c02ed9fbb3b43279e34f86e2a41582_cobalt-strike_cobaltstrike.exe	DEJPwqV.exe
PID 2348 wrote to memory of 2576	2348	2024-05-21_a9c02ed9fbb3b43279e34f86e2a41582_cobalt-strike_cobaltstrike.exe	DEJPwqV.exe
PID 2348 wrote to memory of 2576	2348	2024-05-21_a9c02ed9fbb3b43279e34f86e2a41582_cobalt-strike_cobaltstrike.exe	DEJPwqV.exe
PID 2348 wrote to memory of 2720	2348	2024-05-21_a9c02ed9fbb3b43279e34f86e2a41582_cobalt-strike_cobaltstrike.exe	TkNdBKZ.exe
PID 2348 wrote to memory of 2720	2348	2024-05-21_a9c02ed9fbb3b43279e34f86e2a41582_cobalt-strike_cobaltstrike.exe	TkNdBKZ.exe
PID 2348 wrote to memory of 2720	2348	2024-05-21_a9c02ed9fbb3b43279e34f86e2a41582_cobalt-strike_cobaltstrike.exe	TkNdBKZ.exe
PID 2348 wrote to memory of 2092	2348	2024-05-21_a9c02ed9fbb3b43279e34f86e2a41582_cobalt-strike_cobaltstrike.exe	saMZPyj.exe
PID 2348 wrote to memory of 2092	2348	2024-05-21_a9c02ed9fbb3b43279e34f86e2a41582_cobalt-strike_cobaltstrike.exe	saMZPyj.exe
PID 2348 wrote to memory of 2092	2348	2024-05-21_a9c02ed9fbb3b43279e34f86e2a41582_cobalt-strike_cobaltstrike.exe	saMZPyj.exe
PID 2348 wrote to memory of 2672	2348	2024-05-21_a9c02ed9fbb3b43279e34f86e2a41582_cobalt-strike_cobaltstrike.exe	fBTJIaF.exe
PID 2348 wrote to memory of 2672	2348	2024-05-21_a9c02ed9fbb3b43279e34f86e2a41582_cobalt-strike_cobaltstrike.exe	fBTJIaF.exe
PID 2348 wrote to memory of 2672	2348	2024-05-21_a9c02ed9fbb3b43279e34f86e2a41582_cobalt-strike_cobaltstrike.exe	fBTJIaF.exe
PID 2348 wrote to memory of 2560	2348	2024-05-21_a9c02ed9fbb3b43279e34f86e2a41582_cobalt-strike_cobaltstrike.exe	jGJEVxW.exe
PID 2348 wrote to memory of 2560	2348	2024-05-21_a9c02ed9fbb3b43279e34f86e2a41582_cobalt-strike_cobaltstrike.exe	jGJEVxW.exe
PID 2348 wrote to memory of 2560	2348	2024-05-21_a9c02ed9fbb3b43279e34f86e2a41582_cobalt-strike_cobaltstrike.exe	jGJEVxW.exe
PID 2348 wrote to memory of 3068	2348	2024-05-21_a9c02ed9fbb3b43279e34f86e2a41582_cobalt-strike_cobaltstrike.exe	sCwVFmG.exe
PID 2348 wrote to memory of 3068	2348	2024-05-21_a9c02ed9fbb3b43279e34f86e2a41582_cobalt-strike_cobaltstrike.exe	sCwVFmG.exe
PID 2348 wrote to memory of 3068	2348	2024-05-21_a9c02ed9fbb3b43279e34f86e2a41582_cobalt-strike_cobaltstrike.exe	sCwVFmG.exe
PID 2348 wrote to memory of 2420	2348	2024-05-21_a9c02ed9fbb3b43279e34f86e2a41582_cobalt-strike_cobaltstrike.exe	KyqhXPC.exe
PID 2348 wrote to memory of 2420	2348	2024-05-21_a9c02ed9fbb3b43279e34f86e2a41582_cobalt-strike_cobaltstrike.exe	KyqhXPC.exe
PID 2348 wrote to memory of 2420	2348	2024-05-21_a9c02ed9fbb3b43279e34f86e2a41582_cobalt-strike_cobaltstrike.exe	KyqhXPC.exe
PID 2348 wrote to memory of 2496	2348	2024-05-21_a9c02ed9fbb3b43279e34f86e2a41582_cobalt-strike_cobaltstrike.exe	uHsYDUM.exe
PID 2348 wrote to memory of 2496	2348	2024-05-21_a9c02ed9fbb3b43279e34f86e2a41582_cobalt-strike_cobaltstrike.exe	uHsYDUM.exe
PID 2348 wrote to memory of 2496	2348	2024-05-21_a9c02ed9fbb3b43279e34f86e2a41582_cobalt-strike_cobaltstrike.exe	uHsYDUM.exe
PID 2348 wrote to memory of 2472	2348	2024-05-21_a9c02ed9fbb3b43279e34f86e2a41582_cobalt-strike_cobaltstrike.exe	UQNagKJ.exe
PID 2348 wrote to memory of 2472	2348	2024-05-21_a9c02ed9fbb3b43279e34f86e2a41582_cobalt-strike_cobaltstrike.exe	UQNagKJ.exe
PID 2348 wrote to memory of 2472	2348	2024-05-21_a9c02ed9fbb3b43279e34f86e2a41582_cobalt-strike_cobaltstrike.exe	UQNagKJ.exe
PID 2348 wrote to memory of 2948	2348	2024-05-21_a9c02ed9fbb3b43279e34f86e2a41582_cobalt-strike_cobaltstrike.exe	kLhNiae.exe
PID 2348 wrote to memory of 2948	2348	2024-05-21_a9c02ed9fbb3b43279e34f86e2a41582_cobalt-strike_cobaltstrike.exe	kLhNiae.exe
PID 2348 wrote to memory of 2948	2348	2024-05-21_a9c02ed9fbb3b43279e34f86e2a41582_cobalt-strike_cobaltstrike.exe	kLhNiae.exe
PID 2348 wrote to memory of 2944	2348	2024-05-21_a9c02ed9fbb3b43279e34f86e2a41582_cobalt-strike_cobaltstrike.exe	VxNHoZg.exe
PID 2348 wrote to memory of 2944	2348	2024-05-21_a9c02ed9fbb3b43279e34f86e2a41582_cobalt-strike_cobaltstrike.exe	VxNHoZg.exe
PID 2348 wrote to memory of 2944	2348	2024-05-21_a9c02ed9fbb3b43279e34f86e2a41582_cobalt-strike_cobaltstrike.exe	VxNHoZg.exe
PID 2348 wrote to memory of 2984	2348	2024-05-21_a9c02ed9fbb3b43279e34f86e2a41582_cobalt-strike_cobaltstrike.exe	APPZDXB.exe
PID 2348 wrote to memory of 2984	2348	2024-05-21_a9c02ed9fbb3b43279e34f86e2a41582_cobalt-strike_cobaltstrike.exe	APPZDXB.exe
PID 2348 wrote to memory of 2984	2348	2024-05-21_a9c02ed9fbb3b43279e34f86e2a41582_cobalt-strike_cobaltstrike.exe	APPZDXB.exe
PID 2348 wrote to memory of 2684	2348	2024-05-21_a9c02ed9fbb3b43279e34f86e2a41582_cobalt-strike_cobaltstrike.exe	JgbAmBi.exe
PID 2348 wrote to memory of 2684	2348	2024-05-21_a9c02ed9fbb3b43279e34f86e2a41582_cobalt-strike_cobaltstrike.exe	JgbAmBi.exe
PID 2348 wrote to memory of 2684	2348	2024-05-21_a9c02ed9fbb3b43279e34f86e2a41582_cobalt-strike_cobaltstrike.exe	JgbAmBi.exe
PID 2348 wrote to memory of 1368	2348	2024-05-21_a9c02ed9fbb3b43279e34f86e2a41582_cobalt-strike_cobaltstrike.exe	SQjThlK.exe
PID 2348 wrote to memory of 1368	2348	2024-05-21_a9c02ed9fbb3b43279e34f86e2a41582_cobalt-strike_cobaltstrike.exe	SQjThlK.exe
PID 2348 wrote to memory of 1368	2348	2024-05-21_a9c02ed9fbb3b43279e34f86e2a41582_cobalt-strike_cobaltstrike.exe	SQjThlK.exe
PID 2348 wrote to memory of 2824	2348	2024-05-21_a9c02ed9fbb3b43279e34f86e2a41582_cobalt-strike_cobaltstrike.exe	fUOEmmI.exe
PID 2348 wrote to memory of 2824	2348	2024-05-21_a9c02ed9fbb3b43279e34f86e2a41582_cobalt-strike_cobaltstrike.exe	fUOEmmI.exe
PID 2348 wrote to memory of 2824	2348	2024-05-21_a9c02ed9fbb3b43279e34f86e2a41582_cobalt-strike_cobaltstrike.exe	fUOEmmI.exe
PID 2348 wrote to memory of 1952	2348	2024-05-21_a9c02ed9fbb3b43279e34f86e2a41582_cobalt-strike_cobaltstrike.exe	OYsOODF.exe
PID 2348 wrote to memory of 1952	2348	2024-05-21_a9c02ed9fbb3b43279e34f86e2a41582_cobalt-strike_cobaltstrike.exe	OYsOODF.exe
PID 2348 wrote to memory of 1952	2348	2024-05-21_a9c02ed9fbb3b43279e34f86e2a41582_cobalt-strike_cobaltstrike.exe	OYsOODF.exe
PID 2348 wrote to memory of 1612	2348	2024-05-21_a9c02ed9fbb3b43279e34f86e2a41582_cobalt-strike_cobaltstrike.exe	zsuGSqk.exe
PID 2348 wrote to memory of 1612	2348	2024-05-21_a9c02ed9fbb3b43279e34f86e2a41582_cobalt-strike_cobaltstrike.exe	zsuGSqk.exe
PID 2348 wrote to memory of 1612	2348	2024-05-21_a9c02ed9fbb3b43279e34f86e2a41582_cobalt-strike_cobaltstrike.exe	zsuGSqk.exe
PID 2348 wrote to memory of 1476	2348	2024-05-21_a9c02ed9fbb3b43279e34f86e2a41582_cobalt-strike_cobaltstrike.exe	OgpWvmG.exe
PID 2348 wrote to memory of 1476	2348	2024-05-21_a9c02ed9fbb3b43279e34f86e2a41582_cobalt-strike_cobaltstrike.exe	OgpWvmG.exe
PID 2348 wrote to memory of 1476	2348	2024-05-21_a9c02ed9fbb3b43279e34f86e2a41582_cobalt-strike_cobaltstrike.exe	OgpWvmG.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-21_a9c02ed9fbb3b43279e34f86e2a41582_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-21_a9c02ed9fbb3b43279e34f86e2a41582_cobalt-strike_cobaltstrike.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2348

C:\Windows\System\HNcOkbA.exe
C:\Windows\System\HNcOkbA.exe
2⤵
- Executes dropped EXE
PID:2300

C:\Windows\System\HsFqMkC.exe
C:\Windows\System\HsFqMkC.exe
2⤵
- Executes dropped EXE
PID:2564

C:\Windows\System\uqBCbaz.exe
C:\Windows\System\uqBCbaz.exe
2⤵
- Executes dropped EXE
PID:2632

C:\Windows\System\DEJPwqV.exe
C:\Windows\System\DEJPwqV.exe
2⤵
- Executes dropped EXE
PID:2576

C:\Windows\System\TkNdBKZ.exe
C:\Windows\System\TkNdBKZ.exe
2⤵
- Executes dropped EXE
PID:2720

C:\Windows\System\saMZPyj.exe
C:\Windows\System\saMZPyj.exe
2⤵
- Executes dropped EXE
PID:2092

C:\Windows\System\fBTJIaF.exe
C:\Windows\System\fBTJIaF.exe
2⤵
- Executes dropped EXE
PID:2672

C:\Windows\System\jGJEVxW.exe
C:\Windows\System\jGJEVxW.exe
2⤵
- Executes dropped EXE
PID:2560

C:\Windows\System\sCwVFmG.exe
C:\Windows\System\sCwVFmG.exe
2⤵
- Executes dropped EXE
PID:3068

C:\Windows\System\KyqhXPC.exe
C:\Windows\System\KyqhXPC.exe
2⤵
- Executes dropped EXE
PID:2420

C:\Windows\System\uHsYDUM.exe
C:\Windows\System\uHsYDUM.exe
2⤵
- Executes dropped EXE
PID:2496

C:\Windows\System\UQNagKJ.exe
C:\Windows\System\UQNagKJ.exe
2⤵
- Executes dropped EXE
PID:2472

C:\Windows\System\kLhNiae.exe
C:\Windows\System\kLhNiae.exe
2⤵
- Executes dropped EXE
PID:2948

C:\Windows\System\VxNHoZg.exe
C:\Windows\System\VxNHoZg.exe
2⤵
- Executes dropped EXE
PID:2944

C:\Windows\System\APPZDXB.exe
C:\Windows\System\APPZDXB.exe
2⤵
- Executes dropped EXE
PID:2984

C:\Windows\System\JgbAmBi.exe
C:\Windows\System\JgbAmBi.exe
2⤵
- Executes dropped EXE
PID:2684

C:\Windows\System\SQjThlK.exe
C:\Windows\System\SQjThlK.exe
2⤵
- Executes dropped EXE
PID:1368

C:\Windows\System\fUOEmmI.exe
C:\Windows\System\fUOEmmI.exe
2⤵
- Executes dropped EXE
PID:2824

C:\Windows\System\OYsOODF.exe
C:\Windows\System\OYsOODF.exe
2⤵
- Executes dropped EXE
PID:1952

C:\Windows\System\zsuGSqk.exe
C:\Windows\System\zsuGSqk.exe
2⤵
- Executes dropped EXE
PID:1612

C:\Windows\System\OgpWvmG.exe
C:\Windows\System\OgpWvmG.exe
2⤵
- Executes dropped EXE
PID:1476

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\HNcOkbA.exe
Filesize
5.9MB

MD5
5d2a0ad9f5dd2476256dd1fdcd9608c9

SHA1
184f92c54edcabb03ee1eeaebb6e3f8d79900960

SHA256
db3490f7c6cbd8491c9c3c61b0144989bcd3bb5c2e43b9eaf37ea0e2775e0087

SHA512
b416495068df36e6ce126d9d6fd1a3cd16d55b529d588086326c182c6021e79b154cd08a5b1f59b505868d51cbee8e97686d11155c2cb6f0b42236202f3759b6

Download Submit
C:\Windows\system\HsFqMkC.exe
Filesize
6.0MB

MD5
4f1446e5f8d81e97aef724db0d394401

SHA1
1f9eb7614f7532fa84fce2db16114bd768c39f83

SHA256
9156f2ae670cb943a87898ceb4fa89fb815363febfe9aaf0fd1537f43371718f

SHA512
ad5b5a111319186c819304c62585d0fef0c358c231195c8169260f39f2bd42b2401f42e8fa1ed768aa3cd9eaaa2c07054965b9764171d9c0cd1ec350940bbb44

Download Submit
C:\Windows\system\JgbAmBi.exe
Filesize
6.0MB

MD5
87242812adf2719ec3a13a6f910d80c2

SHA1
cc805c6636528a6c8875d3999e5c304014868b04

SHA256
e526a06151b5d6a43a18aa5858eeb97b13f4975a9430e8bc6fb9cfc759dc6e09

SHA512
01bee4572dbfe0b01f2cb3430b1db5256c83cb7eab6a81c8b61fc2da11f157018d4800dd5b9eb81e10324518eaba0b90675db069cc07a1e09a2cbc72a7335de6

Download Submit
C:\Windows\system\KyqhXPC.exe
Filesize
6.0MB

MD5
11c321d879e3cc2ac27601716aa59244

SHA1
833e7e7b9960ce0b9dd4c91ef5ec46e185fc7627

SHA256
fd23c11ff8a2d95562fb23c9707a54d3032d47ed029f4ab7f6789dee13fcaba0

SHA512
4cea001174e188e7e8a147af938d4fbe6cf0f882dce7b37cbf66c35debd40720e2a5a76e62c8bb0a36ecc155ce08dcade9727ce2dd3984a2224541d29be0d5e1

Download Submit
C:\Windows\system\OYsOODF.exe
Filesize
6.0MB

MD5
0932260a698afaaf0e7e654f1ea677d2

SHA1
9cc99e038e70043a864d9978e5f2fdb4695fdd12

SHA256
2a0484e695d248f019fd6d1677b629d1bf051fba78eea8311775438134ce4959

SHA512
44bd0cd73cb2d57cb2e67d7fdc1705d5cd2d3dd0844ce2865cd132d7fce2d132113268773ecb8170516f4526230396a7f5ddb12e97342b0c3eba6cf272bfaf48

Download Submit
C:\Windows\system\OgpWvmG.exe
Filesize
6.0MB

MD5
672de9822fc2b762626f5c8c31464d46

SHA1
cfb5a2835e4408a71cb55d235f0eb99e9d1cd682

SHA256
78dc349d298dc81d5f031a5ca552fb81c36431c270398bd3b3404630ac626175

SHA512
819c942ff0990fc450bdcf2968a5cbcde7251105cba78cf60fbf15ec7474d3cf873f4ac3ad3a96e430e9d0e91a4d9a8ac316e76bc50ab5f2b99825735a984ae3

Download Submit
C:\Windows\system\SQjThlK.exe
Filesize
6.0MB

MD5
610089d0e372b450e55d2433e6d234b2

SHA1
447bec38f968c4473c991d283b33437d84706cec

SHA256
dc5383d79394ccac3db5af4ec3bb2f803e3e4175e22726696c298533a37aedb8

SHA512
fcf2f2bd89f66df383752a60aa4de23602f2dedb99331dbbf17a9fb7fa13a392ad81096ef616574507650989439ac81044902cf3ea77a14e43b516baedc75227

Download Submit
C:\Windows\system\TkNdBKZ.exe
Filesize
6.0MB

MD5
2fb1dcf6f1447db57a39cc1bb7a54be1

SHA1
4d6a921bddb69b7543fb1d04aea5dcf203cd312b

SHA256
24dea163b8e5c956c8ca984afa2886d93cde7159fd4157568e5a655a9334237a

SHA512
73128f346652d94038064988ebb250b8263ab48bcc7e5640fd0b3052922b4db0b677aa8bb3268f961826b8f1061c32e06cecbfd5fc578b613d806ca24fdc2c8c

Download Submit
C:\Windows\system\UQNagKJ.exe
Filesize
6.0MB

MD5
bf131581770a037db26b5f1f4a4a1205

SHA1
681024c0cb4833c2087cfd10601257ec82612afb

SHA256
3805b1067b92a4d304c7479c2f97ee9d23d345d6cb08eab96ca823c80e53bfbd

SHA512
2a3a0d2ea1bddeadc742f1530ab601c3c898c6fac6956022d98d745a1356194712c06b866c8ff8e79571ea8f1af13f6262badd3616fcb023d34a734408920a61

Download Submit
C:\Windows\system\VxNHoZg.exe
Filesize
6.0MB

MD5
7c0bd05305753226c222222d61cb6e69

SHA1
3f44886d5f6f1aa1022ee68e64d3e03dee491356

SHA256
7e97871b12af408063544da31216b1063134092cd0d16e3df4b6d8cccd2fd37b

SHA512
ae264d336958c9cb91f6283bc65ee5d756283010b1a39184aaf7ad70412b5b7664445a8cd6b3a8fd6a42ac8675918bb1450699770978b5dc05bd5daebf1688b2

Download Submit
C:\Windows\system\fBTJIaF.exe
Filesize
6.0MB

MD5
239a83e05e2e22ce8e2c0579bda6b9c0

SHA1
b6667e666f559a3f8b7412c61b6d6995a600843d

SHA256
bc87a0cda2a2d46f3bc7176a03e9fce7411338f5c4b1dbed78a39bc7760feb37

SHA512
52e7fa5a238d69ea85d15d506cedb6f71a870a537ba164e0d5bf83bd6396d6fa712a7fc30976bf2bff4a44785d4939d852ced364ff51bca96d560abb1a7bbf38

Download Submit
C:\Windows\system\fUOEmmI.exe
Filesize
6.0MB

MD5
16651bc1fea57dc391a08d51f56e7f30

SHA1
dfa2da05fa3942c93fbe50044431b02d1c8916d9

SHA256
c71f2333a21ec57faf3f06d11233d3aa68ad20583cf3bb127daa4dc00dc215f0

SHA512
ad4756c1e99daa4ad4c1c14a8beb9f6bef0a1f36eff4a993d04ef105e17e4a7fefecbb5e1f368757353f867ddcc040a570b00d993539d8c96522145331600360

Download Submit
C:\Windows\system\jGJEVxW.exe
Filesize
6.0MB

MD5
b75bf87e273d96daa3aca5e08f283190

SHA1
890d9bb68c2dced6c00e8459d48debd512b1ebfa

SHA256
e1a065fcf6a3620d4322accb3fa34b6352b7eca609cc2be063120907615e87cd

SHA512
7acf8d8ef6c93a204077078dd8a1bdc62cbdffc15307555df59567a82db4c3deb4c503796829822b9291afb0cc22a93cedca3f7363c516a1bc490758a79a192d

Download Submit
C:\Windows\system\kLhNiae.exe
Filesize
6.0MB

MD5
64e66f35249ab942d465c99477f213a0

SHA1
c0663cd6b35cd7d425e1ac5d26524963b321b497

SHA256
1cb30d689c03b1f8173f7320a754774750bac870b0a38634a8d9aff5b48db4c0

SHA512
ccd3cb46627d9dd613c4de6ae1d3aec1a9c05c47df0d5be4e31acd391c1ee0de85118620a5ab5e6ac594a251e7236dc6d03d456578c5ada637b29caeb752859c

Download Submit
C:\Windows\system\sCwVFmG.exe
Filesize
6.0MB

MD5
fdc9baa23ecb58f117833d5a2d37350a

SHA1
5468b973ca332a7547df7af6f00502e0c9cb2028

SHA256
812b6bc821aac659884abe1a3e432a13ee0ed34dae5a566f8965fa0b7775b48b

SHA512
d1d939ad289f44580cb43adc5a71993345dd89ef194b757934c91cf6c9e90f510ef612626b604d6aadd88d22c7ac14f250dfd62a7b7b633c6a1cc279f34bcebe

Download Submit
C:\Windows\system\saMZPyj.exe
Filesize
6.0MB

MD5
c87b74f4b52de9b480d80a13ba4af9a5

SHA1
5b710b4de19a4b036fc1bace5d9f93eeff249968

SHA256
95fbca94a00dd3029889c653240899fff3b83f321ff14d4078c6f0c0301815b7

SHA512
f49bd86adb80007c4b9e6f0e2263ef123588ec9861ff6e8831deba517359038753785e9208cadce235cd71f94c058c54537c93e0f6c46e70a336c89788cb3d27

Download Submit
C:\Windows\system\uHsYDUM.exe
Filesize
6.0MB

MD5
a64404cadd5b8a84a93e98cb939ae5ef

SHA1
dace200d505a27cc732b5794a8e4377e1c4fa56e

SHA256
ab45fcd106805bc8a8100f451e71147ccafebaa12adc554755a4a540422277f2

SHA512
8d84bb9ed2b650d4fe6a4285f0b00fd4100a37d8725fbfc0a4e50ae75ff0fb44528d18fd035e70c11f3022f88b41869e52aad492261a757a418c84c314b8b514

Download Submit
C:\Windows\system\uqBCbaz.exe
Filesize
6.0MB

MD5
edb823cdebaa275572f8121d931ceb2f

SHA1
4ed56bc7f2bcd44aea0c88cd5013d8d1ada10123

SHA256
5e7a3467370a108b01822b41ed51b6400fe26f5fb464886941c66239814f0744

SHA512
ee0c7d4a1d91bbf55a2bdf60aa8417485f5e0c95b010815342f3cb49534663ca2f6a24d6cfdf37261a078005be61df72a003648bde2928bc9f1aaf9c812c2c98

Download Submit
C:\Windows\system\zsuGSqk.exe
Filesize
6.0MB

MD5
355f6ffe91770ada65fc82fce1aabff6

SHA1
e43fb4ce0fe6643b01d9b16c8877fcf79f0471c0

SHA256
472f3d3b268201ec78991d84d63159a66b60d73f377375a5fa5743420b0014fd

SHA512
c8e4ce2c48dac7ddb8437bbbace84e65923fc3fa415f30c3723b9e005fd2794fea692b30be33107511d59e9fb0623badbe06852982176a60de19b04dcfe86da6

Download Submit
\Windows\system\APPZDXB.exe
Filesize
6.0MB

MD5
645e46776446bca296e1bb37f1d3b1cb

SHA1
e5269c9dec7fcdc2bd210a2a2c208dcaafdbf6c6

SHA256
8f5c196977cb7ccc19224a268b55196f54c98417dac24fb3ac0bee3eded178cb

SHA512
dea391c95e4dd3744bc3f9068f322e0f2bf6bde870ba32ad450575491e03fc4e33ccf3e5372c6cd97f886b5b7e91e21190f98eb3dcd3ff0b78b05168c59faa5e

Download Submit
\Windows\system\DEJPwqV.exe
Filesize
6.0MB

MD5
905f735ce36aadfc9f8988d77b0c2066

SHA1
0e179145ea0f32a701481b9df4cc517144609dae

SHA256
a45167a2930b911bbcf3bf3134029a473ba15e569a142a7e97dcaf701f64628e

SHA512
326835c364ed89a54d1621e107f306a864f2fd5c7c532f91a2bad526895cbf9b369f812ba76e61614131d167c3964afbf98bcb693f254376a7bd83da32ba319a

Download Submit
memory/2092-62-0x000000013F700000-0x000000013FA54000-memory.dmp

Filesize
3.3MB

Download
memory/2092-140-0x000000013F700000-0x000000013FA54000-memory.dmp

Filesize
3.3MB

Download
memory/2300-135-0x000000013FA90000-0x000000013FDE4000-memory.dmp

Filesize
3.3MB

Download
memory/2300-13-0x000000013FA90000-0x000000013FDE4000-memory.dmp

Filesize
3.3MB

Download
memory/2348-97-0x0000000002260000-0x00000000025B4000-memory.dmp

Filesize
3.3MB

Download
memory/2348-77-0x000000013FA70000-0x000000013FDC4000-memory.dmp

Filesize
3.3MB

Download
memory/2348-0-0x000000013F610000-0x000000013F964000-memory.dmp

Filesize
3.3MB

Download
memory/2348-133-0x000000013FD40000-0x0000000140094000-memory.dmp

Filesize
3.3MB

Download
memory/2348-132-0x0000000002260000-0x00000000025B4000-memory.dmp

Filesize
3.3MB

Download
memory/2348-106-0x0000000002260000-0x00000000025B4000-memory.dmp

Filesize
3.3MB

Download
memory/2348-1-0x00000000002F0000-0x0000000000300000-memory.dmp

Filesize
64KB

Download
memory/2348-80-0x0000000002260000-0x00000000025B4000-memory.dmp

Filesize
3.3MB

Download
memory/2348-11-0x000000013FA90000-0x000000013FDE4000-memory.dmp

Filesize
3.3MB

Download
memory/2348-47-0x000000013FC60000-0x000000013FFB4000-memory.dmp

Filesize
3.3MB

Download
memory/2348-17-0x000000013FC10000-0x000000013FF64000-memory.dmp

Filesize
3.3MB

Download
memory/2348-78-0x000000013F060000-0x000000013F3B4000-memory.dmp

Filesize
3.3MB

Download
memory/2348-131-0x000000013F610000-0x000000013F964000-memory.dmp

Filesize
3.3MB

Download
memory/2348-89-0x0000000002260000-0x00000000025B4000-memory.dmp

Filesize
3.3MB

Download
memory/2348-76-0x000000013FD40000-0x0000000140094000-memory.dmp

Filesize
3.3MB

Download
memory/2348-134-0x000000013FA70000-0x000000013FDC4000-memory.dmp

Filesize
3.3MB

Download
memory/2348-72-0x0000000002260000-0x00000000025B4000-memory.dmp

Filesize
3.3MB

Download
memory/2420-71-0x000000013F060000-0x000000013F3B4000-memory.dmp

Filesize
3.3MB

Download
memory/2420-142-0x000000013F060000-0x000000013F3B4000-memory.dmp

Filesize
3.3MB

Download
memory/2472-74-0x000000013F8E0000-0x000000013FC34000-memory.dmp

Filesize
3.3MB

Download
memory/2472-144-0x000000013F8E0000-0x000000013FC34000-memory.dmp

Filesize
3.3MB

Download
memory/2496-146-0x000000013F5D0000-0x000000013F924000-memory.dmp

Filesize
3.3MB

Download
memory/2496-85-0x000000013F5D0000-0x000000013F924000-memory.dmp

Filesize
3.3MB

Download
memory/2560-79-0x000000013FD40000-0x0000000140094000-memory.dmp

Filesize
3.3MB

Download
memory/2560-143-0x000000013FD40000-0x0000000140094000-memory.dmp

Filesize
3.3MB

Download
memory/2564-136-0x000000013FC10000-0x000000013FF64000-memory.dmp

Filesize
3.3MB

Download
memory/2564-14-0x000000013FC10000-0x000000013FF64000-memory.dmp

Filesize
3.3MB

Download
memory/2576-36-0x000000013F6E0000-0x000000013FA34000-memory.dmp

Filesize
3.3MB

Download
memory/2576-137-0x000000013F6E0000-0x000000013FA34000-memory.dmp

Filesize
3.3MB

Download
memory/2632-138-0x000000013FE60000-0x00000001401B4000-memory.dmp

Filesize
3.3MB

Download
memory/2632-31-0x000000013FE60000-0x00000001401B4000-memory.dmp

Filesize
3.3MB

Download
memory/2672-141-0x000000013F7F0000-0x000000013FB44000-memory.dmp

Filesize
3.3MB

Download
memory/2672-66-0x000000013F7F0000-0x000000013FB44000-memory.dmp

Filesize
3.3MB

Download
memory/2720-139-0x000000013FC60000-0x000000013FFB4000-memory.dmp

Filesize
3.3MB

Download
memory/2720-40-0x000000013FC60000-0x000000013FFB4000-memory.dmp

Filesize
3.3MB

Download
memory/2944-103-0x000000013F6F0000-0x000000013FA44000-memory.dmp

Filesize
3.3MB

Download
memory/2944-147-0x000000013F6F0000-0x000000013FA44000-memory.dmp

Filesize
3.3MB

Download
memory/3068-145-0x000000013FA70000-0x000000013FDC4000-memory.dmp

Filesize
3.3MB

Download
memory/3068-81-0x000000013FA70000-0x000000013FDC4000-memory.dmp

Filesize
3.3MB

Download